In the aftermath of World War II, the United Nations issued a Human Rights Declaration. It declared that “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence…” European nations used that statement as the basis for their privacy laws. 

In the 1980s, there was a need to promote transborder commerce and data flows while retaining the privacy of individuals. Although it was the beginning of the computer age, most personal details were still on paper. 

Still, many of the principles from that period translated into the digital age. These included:

• only collect data for the reason that it was intended
• collected data must be kept safe
• if data are lost, the collector will be liable

The key caveat was that each nation could tweak the rules. Harmonization was needed. The culmination of the work undertaken by the European Commission was Directive 95/46/EC on the protection of individuals with regard to the processing of personal data. Its short name is the Data Protection Directive. 

In 1995, the European Commission ratified Directive 95/46/EC to protect a citizen’s personal data—a milestone in privacy law.

Legislation continued as computers became common

In the years that followed, more directives were passed that filled holes created by the evolving computing and Internet-based industries.

Directives were enforced by each European member state (28 countries) with no governing body. And each country could tweak parts of the Directive. For instance, the minimum age to collect personal information was different in Germany than in France.

In addition, any personal data transfers outside the EU required that the non-EU country had at least the same level of data protection laws. In other words, was the receiving country’s laws “adequate”? If not, then a legal agreement was required that allowed EU regulators specific rights of actions over the non-EU company. 

Some “adequate” countries are Canada, Australia, Argentina, and Israel. Notably absent: the U.S.

The EU member states works together

In 2016, EU member states got together to harmonize data privacy laws and create a governing body. The result was 99 articles called the General Data Protection Regulation, or the GDPR. It went into effect in May 2018. 

The biggest change to the privacy world came in May 2018 when the EU General Data Protection Regulation, or the GDPR, became effective. It essentially gave the EU power to control their citizen’s data even when the data were located outside the EU. 

Now, how can an EU court or government impose their laws on companies around the world? Logistically, they can’t. Instead, pressure is put on: 1) the EU company doing business with the foreign company; or 2) on the foreign company’s local EU office.

EU regulators have specifically targeted large U.S. tech companies because most big data companies are U.S.-based. 

GDPR compliance has cost companies billions and impacts most firms worldwide that do business in the EU. 

US companies must demonstrate compliance

Each company that controls or processes EU citizen data must provide evidence that it is adhering to the GDPR—or face penalties. In addition, the Supervisory Authority has the right to physically audit that company.

The penalties for non-compliance are up to 4% of global revenue or €20M (US$24M). Ouch.

That’s why EU companies want assurance (and legal agreements) that their employee/customer data will be processed with GDPR principles such as:

• there is a legal basis for processing personal data
• data are only processed for specific purposes
• individuals may request that their data be changed or deleted
• a company data protection officer is appointed
• data transfers are only to an “adequate” country or by special agreement 

Keeping GDPR compliant requires monitoring changes of law and rulings—one of which was handed down in July 2021 by the European Court of Justice (ECJ). It ruled that, since the U.S. government could demand EU citizen data without permission, the U.S. was not deemed “adequate.” This invalidated the cross-transfer framework called EU-U.S. Privacy Shield.

The details of the ruling are complex. In the ordinary course of business, the U.S. government wouldn’t demand to see data in 99%+ of companies; the data are of no use to national security and surveillance activity.

In 2022, the chances of the U.S. Congress adopting any new digital information laws is low given the partisan politics in play. That leaves it for U.S. and EU agencies to best determine how to proceed with overseas data transfers.

Still, the fight goes on. Until the Privacy Shield program is changed, new agreements must be negotiated if data collection is likely “to result in a risk to the rights and freedoms of individuals.” Privacy officials always have plenty of work to do.

The post Are European Information Privacy Regulations Important in Your Practice? appeared first on Doxy.me.

Of course, that made sense. It’s better to shut off the water main rather than witness a leak turn into a flood. Still, we couldn’t predict the profound changes that were to come.

Unprecedented Events Cause Far-reaching Changes

Substantial event-driven changes to our society seem to happen at least once a generation. The last one in the U.S. was in 2001.

On 9/11, the U.S. government had no choice but to react quickly and dramatically. Fear and uncertainty led to all U.S. flights being canceled. Stock markets closed for a week. Major cities were placed on high alert. The economic impact was felt worldwide. 

After 9/11, security-related changes became permanent at airports, office buildings, and theme parks. Even a year later, people were still afraid to work in skyscrapers or to fly; images of jets crashing into buildings are hard to forget. According to the U.S. Dept. of Transportation, it took four years, until July 2004, for passenger levels to surpass those in August 2001. More families took road trips and visited national parks (park attendance decreased from 1999 to 2001, and then increased in 2002 and 2003). Sound familiar?

The Early Impact of Lockdowns

It was difficult to immediately know the long-term impact of COVID lockdowns—closed schools and businesses, limited outdoor activities—when there was a bigger need to save lives by attempting to control the virus from spreading. 

Gathering and making sense of information doesn’t happen instantly. Italy was the initial pandemic epicenter in early 2020 and shut down on March 9. Two days later, the World Health Organization declared a pandemic and infections were already rampant. Italy had 197 deaths that day. Just 16 days later, it had 922 daily deaths.

In other words, Italy’s lockdown may have come too late for the greatest effect. And, as we’re just now beginning to understand, lockdowns and restrictions had unintended consequences such as delayed surgeries and preventative exams—and an increase in the so-called “broken heart syndrome.”

Initial Reactions Become Typical Behavior

At the beginning of the pandemic, many people locked themselves in their homes, had groceries delivered, and rarely went outside. Non-emergency medical procedures nearly came to a halt. As time went on, it became apparent that the majority of those dying were elderly and/or with underlying health conditions. The average person may become sick, but unlikely to die. Also, as time went on, better treatments were developed that saved lives.

As the fear of death lessened, we slowly went back to our “normal” routines—dining indoors, traveling by plane, and attending big events—but we didn’t completely give up our lockdown adaptations such as food delivery and watching movies online.

We All Adopt New Patterns of Behavior

Each person assesses their own risk. During the past two years, fear and uncertainty impacted our daily lives with images of shuttered cities and overflowing hospitals. We analyzed (whether we knew it or not) the benefits of outdoor dining and take-away meals, mask wearing, adopting a pet, online shopping instead of visiting the mall, and using telehealth versus an in-person doctor/therapist visit. 

Regarding the last point: we might prefer to meet healthcare professionals face-to-face, yet there was a convenience and safety to using telehealth that made it a high-growth industry during the past two years. And while telehealth was necessary the past two years, it has now become an accepted way of receiving health care going forward. 

As we saw with the aftermath of 9/11, human perceptions and reactions don’t change overnight. We adapt to new ways during a crisis. And some of those new ways are likely to stay with us a long time.

Doxy.me existed before the pandemic, but it didn’t gain widespread adoption until lockdowns happened. Healthcare technology and policy are infamous for their slow pace of uptake and support. Will it take another medical disaster before more big changes happen, or will we recognize the faults in the current system? Will the next big discovery in health tech be embraced immediately, or will we continue to delay improvements until they become a necessity?

The post Some Ways COVID-19 Changed Our Behavior Forever appeared first on Doxy.me.

Privacy In The News

• There is some progress regarding a U.S. federal privacy law with numerous pending bills related to an individual’s right of action and surveillance advertising. Unfortunately, there is no consensus on when—or if—these bills will pass.
• More states, such as Vermont, are introducing their own privacy bills. This means more challenges for businesses that operate in various states. Tracking differences in laws takes time and is subject to legal interpretation.
• In “big data” news, both Facebook and Google have had unfavorable court rulings related to their deceptive collection of personal data.
• The U.S. National Institute of Standards and Technology released new guidance for performing assessments of privacy and security controls within systems and organizations. This will assist companies large and small in better securing their systems.

Back up, Back up, Back up Your Important Data

There are many things we take for granted in a modern society, such as a safe home, a safe work environment, and quick emergency response. Yet, in 2021, depending on where you lived and the choices you made, those expectations were disrupted. Hurricanes, floods, fires and most recently, tornadoes caused considerable damage, injuries, and death—and we can’t easily blame anyone. Those were natural disasters.

Natural disasters don’t just impact homes. They impact businesses as well. And while we like to think that our personal and health data are well protected, quite a bit of information still exists on paper—and not always backed up properly.

Besides the mental and physical toll, it can be tough to piece back together one’s life. Missing records, unknown account numbers…you may need to reveal many personal details to receive assistance.

Consider backing up your personal docs (and photos) to locations outside your home. Online services are cheap. External hard drives are super cheap ($100 for 2TB) and easy to grab in the event of an emergency.

Natural Disasters, Criminals, and Privacy

After every natural disaster, criminals prey on those impacted. They steal identities, promise to send money once bank account details are provided, and even threaten legal action if personal data aren’t revealed.

Man-made disasters, including potential military conflicts, also upend people’s lives in unimaginable ways. We are seeing this in Ukraine as well as other countries.

In a disaster, we can replace lost or damaged physical items. We can’t, however, replace our identities. Data Privacy Day (observed every year on January 28th) was established in 1981, long before smartphones and tracking devices; long before companies collected massive amounts of data on individuals. The basic concept still remains true: privacy is a basic human right that should be respected and not exploited by others.

The post Data Privacy and Telehealth: Are you safe in a natural disaster? appeared first on Doxy.me.

If we could, it would be best to roll back the calendar and begin using the Internet before personal data was collected without one’s knowledge. But of course that’s impossible. Our options are few: we can ask specific websites to remove our data, and we can be cautious when we give our personal info to new websites. Neither of these is easy. Most internet transactions require a valid mailing address and valid credit card number. 

For European Union citizens, the “right to be forgotten” is a requirement of the GDPR. In the U.S., California has a similar law. However, the burden is on you to request your info be permanently deleted. Deleting personal data is important for these key reasons:

1. 1. Bad actors often steal, sell, or use your information in ways that could impact you in the future
2. 2. Aggregating data from various sources can create a profile about your spending, eating, and travel choices—stopping at a specific coffee shop each morning, buying diapers, and visiting Los Angeles every month.

New browsing services allow visits and purchases to occur without the website knowing your true identity. It’s similar to physically visiting a store and paying in cash. Apple Pay/iCloud+ is one example. Google has a similar service. 

Finally, if you don’t frequent a particular website anymore, you should consider deleting your account. You may consider that a nuclear option, but it may be the most powerful tool we have to protect our personal information.

The post Managing Your Personal Information appeared first on Doxy.me.