… protect the privacy of the individual via EU Directive for Protection of Personal Data
The internet revolutionized human life as we know it. It established a culture of liberty aided by not just ingenuousness but also standardized protocols. This was achieved by transmitting the essential products for business-related growth, adopting a model of governance with no formal existence of regulations along with free availability of abundant software packages. This internet revolution can't be underestimated as it has its pros and cons, which also come under discussion in this paper. With the surging popularity of the internet, a plethora of new dilemmas are knocking at the door. The internet has many merits, while its demerits have been ignored and hidden along the sidelines. These issues have materialized in the preceding decade and there is an urgent demand to solidify legislation tasked with dealing with social and lawful issues connected to the internet (Gellert and Gutwirth, 2013). Keeping in mind public security, laws need to be drafted which not only criminalize new forms of information breaches but also present regulations that make companies and organizations put measures in place that prevent breaches from taking place in the first place (Brown, 2012).
The time when professional hackers hacked their way into government agencies and big-shot corporations for their personal gains has taken a back seat. Times have changed now and the responsiveness of the common populace in this matter is highly important. Most people think that the internet has become a safe medium for their personal info-transmission provided relevant assurances are given, which is highly inaccurate and imprecise (Gellert and Gutwirth, 2013). This is because cybercrime has now become highly prevalent and is ingrained in societies where IT and the internet have found solid ground (Yar, 2006).
The illegal activity has captured the attention of computer technology. Sensitive and confidential information, for instance the competitive edge of firms, is filed electronically. In these cases, the information system's security can indicate the market standing of a company, its market share and financial solvency. Information is highly usable for companies and people who can exploit it irrespective of another person's loss. Online white-collar criminal gangs and hackers can certainly utilize this private information. It's common knowledge now that the information system of a company is its strongest and weakest link. These days it's safe to assume that small, medium and big companies employ the internet for their marketing. They are targeting the common frame of mind. Even highly seasoned and well protected software can't offer security if certain fundamental values aren't followed by the book (Gellert and Gutwirth, 2013).
Citizens' privacy for government organizations and data security for private firms are two sides of the same coin (Asinari and Poullet, 2004). Laws need to be defined which would articulate not only what needs to be done but also how things have to be carried out. Guidance and guidelines for best practices need to be presented to both companies and governments (Andrew, 2011). Some of these rules have been stated within the EU Directive for Protection of Personal Data (from this point onwards PPD) enacted in 1995 (Mikkonen, 2014):
1: The private information will be taken for one/two objectives, not more than that. It will be treated for the said purposes only.
2: The private information ought to be updated and accurate.
3: Private information will be processed lawfully and suitably.
4: The personal information ought to be provided only to the point it is necessary; irrelevant information demands are unlawful.
5: Private information won't be kept any longer once the required objective has been achieved. No hidden motives ought to be involved.
6: Private information will be processed for the purposes necessary with due consideration of the info-subject's basic rights.
7: Technical as well as organizational steps must be taken so as to avert illegal info-theft and confidential information. Safety precautions must be taken regarding info-theft, info-loss and any kind of harm to sensitive information.
8: No transmission of confidential / personal information is allowed beyond the European Economic Area. In any case otherwise, the nation or the province should have appropriate safety measures so as to safeguard user information while processing the subject's private information (Mikkonen, 2014).
The policies for PPD have been quite imperative yet subjective, because each and every firm has a distinct set of requirements to fulfill and gathers information so as to offer cutthroat services. There are so many forms of information that can be compiled and gathered. On one hand, standardized security packages have been extremely pricey to buy and implement; on the other, there might be potential lawsuits in the event things go south, resulting in huge monetary losses (Mikkonen, 2014). Therefore, the need for a solid and reliable data protection and privacy policy for the whole of the EU is imperative (Council of the European Union, 2010). Pertinent laws need to be drafted that keep the privacy of the individual in mind, along with reliable technology tools that need to be applied to protect data, and the integrity of the community's social life (Nissenbaum, 2010).
Apart from increasing relevance, it's quite imperative to keep in mind that social and philosophical reasons for the rights of internet security and privacy have been hard to attain as they are changing constantly with the alteration in laws. Privacy is a complex issue which has many different as well as distinct meanings. The usage of legislation is sometimes quite flawed in principle. The confusion and intricacies generally result in the public's error in perception and judgment (Hallinana et al., 2012).
Section 2: The needs of the state or of public interest and the Erosion of this Right
The boundary between snooping and safeguarding has been completely discolored. The case is severe on the internet, where the freedom of the user is unprecedented, resulting in complete disorder, and security has reached a point of vulnerability. Privacy is a basic human right; however, of late it has struck a deadlock with liberal democratic systems to protect them. In order to avert and thwart future attacks from hackers, the security agencies have got to gather tons of information from the internet and analyze it for possible patterns, relationships, potential suspects as well as linkages. The breach of privacy can be completely rationalized by working for a higher purpose (Aquilina, 2010). The common populace should be able to trust their governments; however, there are uncertainties when secrecy hides information for other purposes as well. During the preceding century, when the digitalization transpired, many companies fought hard against illegal sharing of pirated content on the internet such as movies, TV shows and music. The law, if implemented, might have affected internet users all across the world. The traces of the campaign still remain for abandoning the neutral position taken in case of Internet privacy. European legislation is currently concentrating on developing legislation on this. There might be monitoring systems installed where user's services will be noted, for which an infrastructure can be easily developed (Guarino, 2013).
The citizens have fundamental rights to be aware of their rights along with government responsibilities. For instance, Russian and Chinese governments have total control of their Internet space. They are also attempting to shift away from the presently prevailing stakeholder's model. Opponents of privacy law argue that internet usage has enhanced obscene pornography and other vices in society, and that they are increasing day by day, which requires strict monitoring. Concurrently, internet gambling needs to be taken off the internet as well (Gellert and Gutwirth, 2013). With information on people's banking records, defaulters and frauds can be caught as well. Financial transactions can be kept track of, as tax evasion is a frequent crime all over the European Union strip. In one EU member state, without anyone's permission over 200 data-files had been scooped up and mined thoroughly so as to gather information and keep records. This was done so that the government has the necessary information about their population, which helps a lot in such cases. These instances and events have been put forward by the opponents of privacy law and have become reason to use someone's confidential information (Guarino, 2013).
Section 3: How does the current PPD Act achieve balance between state's responsibility and individual privacy?
Prior to indulging in the debate of whether the current PPD maintains a balance between personal privacy and the government's duty of upholding national security, the job description of security managers is important to ponder first. Their methods of protecting and processing information should be taken into consideration as well. What is the function of an Information Security (IS) manager? Or what role does an information security department or unit play in an organization? The IS managers and IS departments consist of individuals and teams of people who are tasked with mapping out the aim of information dispensation in both the private as well as the public sector. The medical professional has control over all the medical information of their clientele; a company has all the information about its clientele and workforce. A sports gym has all the information of its associates while a library has all the information on its frequent visitors (Sotto et al., 2010).
The IS managers and IS departments should administer a number of principles, which increase the validity and reliability of their governance. The governance principles should show the good values the company or the government organization has and its wondrous workflow within this globalized and interconnected environment (Bennett and Raab, 2006). The IS managers and IS departments must stick with the rules of information processing indicated by the Member States where they are established, even in cases when information belongs to someone else living abroad. In cases when IS managers and IS departments aren't formed, they need to work with the European Union Members' laws, if the information processing apparatus is situated in a European community. According to the regulations and laws of the European Union, information should be processed legally and fairly. The sole purpose of usage must be legal and clearly defined. Apart from that, after the project has been completed it shouldn't violate the rules; the information must be precise and current. The IS managers and IS departments must have authority to remove false information, correct the information and block unnecessary information when necessary (Poullet, 2006).
The digital territories need to be safeguarded both in the public and the private sector. Considering the magnitude and diversity of information, levels and stages need to be created and information too should have its own hierarchy of importance (Barbara and Maghiros, 2007). For instance, information which compromises the identity of people shouldn't be kept for longer periods of time. These levels, stages and hierarchies are vital in this new information age where privacy has been given a whole new meaning (Schwartz and Treanor, 2003).
According to the present EU directive, every Member State should give approval to the decision-making board to observe the proper execution of the Directive. The administrative group/agency needs to maintain a register with information updated in it from time to time. The common population needs to have access to concerned authorities and their job description. Before processing information, the security managers should update the supervisory authority of their job. The EU Members can request immunity from certain kinds of information processing or may order simplification due to risks aligned. Simplification and immunity can be given in case national law isn't broken or obstructed. The IS managers and IS departments have independent officers hired for information security purposes. The EU members will need to be checked by the supervisory authority before information processing tasks which involve some risks take place. Some processing functions have certain risks which the member states can decide themselves (Sotto et al., 2010).
Section 4: Is the balance effective
If there wasn't any PPD Act in effect to this day for controlling the amount of information gathered by firms, there would have been severe danger of losing the information and breach of privacy of users, resulting in multiple crimes being committed on a routine basis. The present PPD law isn't perfect and may not be well balanced as well, but it can be perfected and made more potent. The right to take back the relevant information as well as its removal at will is a given here. Apart from that, people who use this private information for wrongful purposes should be dealt with accordingly. One can also ask the question that if we steal confidential information from people it can show the loopholes in our security system as well as its failures. However, while security systems can be upgraded, the law too needs to change and adapt to the changing ways of the infiltrators and hackers.
Common information thefts occur when companies require competitive advantage. But the good news is that these crimes can be easily tracked and punished. The computer experts can easily trace hard drives and USBs for that matter, resulting in catching some random employee of the firm. In order to support this claim, one researcher gave this instance of a company who hired trading agents with excellent results. A brief examination with the help of IT professionals resulted in the capture of one administrator, who sold the information to give competitive advantage to the rival firm. Since the present PPD law considers this to be a criminal act, the individual was prosecuted and imprisoned.
Earlier cases and the current PPD Act have compelled the firms to instill more security procedures. So as to fulfill the requirements of this particular law, they are to guarantee that client information is kept strictly confidential, because any failure to do so will result in subsequent lawsuit and criminal prosecution. A prime example in this case is Ebay.com, which has warned its huge clientele of spam emails. According to one firm, they say if emails are sent to buyers/purchasers from their site asking them to submit their account information, they ought to be careful. These emails are spoof and phishing emails. The users who make these emails and act as personnel from the firm are in need of critical financial information, which includes credit card information, passwords and personal banking details.
Emergencies are another emotional subject. There are situations where the staff (fireman, police and hospital) has to reveal confidential information due to the gravity of the situation. Confidential information can be made use of if one's life is at risk. Almost all religious viewpoints can be overridden in case of blood transfer. The impact of PPD Act is commendable in England only apart from some other European Nations (Warso, 2013). Some random student studying in a European University was incarcerated back in 2006, when he was found guilty of stealing nearly 20 hard drives containing critical information that belonged to the office of foreign affairs. He subsequently traded them with a newspaper. The newspaper went on to leak all pertinent information (Katherine, 2013). Subsequently, another media outlet leaked a long list of identities of secret agents and informants on the internet for everyone to see. The list was an instant hit on the Internet (Craig, 2014). Current EU laws need to be amended to balance state secrets and individual privacy so that future disasters can be averted.
The use of surveillance tools as well as information exchange is critical for fighting the war against terrorism, cyber-crime as well as organized crime. They are employed by both public as well as private institutions to predict future threats and risks apart from preventing such crimes and disorderly actions. But human rights issues materialize due to storage, collection and exchange of personalized information. Striking a balance between the two is a labyrinth requiring sustained efforts and paradigm shifts with the changing times and technologies (Dong-Joo and Youngsok Bang, 2011). The accountability tools make use of information security tools such as:
Information minimization
Purpose limitation
Proportionality
Subsidiary
Obedience by private firms
info-subject rights
Acceptable Safeguarding
When viewed in the backdrop of safeguarding as well as security, it can be quite a task to undertake, as the public companies really avoid being liable to these compulsions. Therefore, companies as well as governments present in European Union need to decide on an accountability level, which takes their privacy duties in consideration as well (Dong-Joo and Youngsok Bang, 2011).
Section 4: How can the security manager assume responsibility and ensure that s/he makes the 'right' decision in all the circumstances?
The security managers should make certain that private and confidential information is made use of only in case the person has provided his/her permission or the company has acquired informed consent. His/her information can be processed or made use of when he/she has been informed of the reason behind it / aims and motivations. Information dispersion is important for validating the contract engaging the person / or in some other case asking the candidate to enter in a deal, information usage for invoice applications, information processing for job application as well as information processing for loan application (Wong, 2012).
By legal obligation, information processing is certainly needed. Information security is important for safeguarding an interest the person thinks is important for him. Let's take an instance where the person was in a car crash and in a state of unconsciousness; the medical team is permitted to take blood samples so as to secure the person's life (the medical team doesn't need permission, however). In the same way, information processing is important for carrying out tasks connected with public interests and procedures needed to be executed by government institutions (tax institutions, government along with police officers). Information processing is possible when the third party is interested for a wide range of purposes. But first the informed consent or permission of the person in question needs to be addressed; it can't override the basic right of a human being. Hence this clause institutes a compromise amid the person of interest and the commercial agenda of the party with respect to information privacy. The balance is overseen by the information controllers working with information security agencies; the judges too have the upper hand. Their ruling can be brought into this matter of grave concern. The Supreme Court has supreme verdicts in these matters; its ruling supersedes all agencies (Wong, 2012).
Apart from that, very harsh rules are applied in case of dispersing confidential information; information which includes (Wong, 2012):
Ethnicity
Political views
Racial origin
Religious preferences
Philosophical ideals
Sexual origin
Health information
This kind of information can be processed without prior permission. Derogation isn't tolerated in the most extreme of conditions. The conditions include the person's permission to take / process confidential information, information processing under the employment law, wherein, the consent is not possible (blood test of the car crash survivor). Information processing has been announced publicly by the said person or information dispersion of the trade association members, churches and political parties. The EU members can give their exclusion taking into consideration the public interest (Himma, 2008).
The question here arises whether the current PPD law is applicable to information transfers on the internet. It's not morally and ethically correct to exclude information transfer over the internet from legal justification under the PPD directive. On the other hand, the large amount of private and confidential information going over the internet all across the globe regardless of boundaries needs specific consideration. The security managers should know that the PPD directive is basically neutral (Bambauer, 2013). The provisions are applicable regardless of the methods of gathering information of the person in question. For instance, the directive is applicable to secret collection of confidential information via the internet (cookies show the user's interests on the internet). The security managers should also be aware that in any case otherwise, if the user has given his confidential information to the concerned agency, it's called a visible form of gathering information. The person has full right to know the rationale and risks included in this task (Eijkman et al., 2012). It depends on the user's consent whether they want to dish out their private information to agencies that are gathering information. The person should have the right to hand over limited information as they please since some information is quite personal. The agency's job on their part is to dispose of the information as soon as the information processing is over. Violation will occur in any case otherwise, as legal action can be taken. According to the Directive, only information needed will be taken from the person and returned back (Dwork, 2011).