What it covers: Published in July 2010, this Mexican law requires organizations to have a lawful basis, such as consent or legal obligation, for collecting, processing, using and disclosing personally identifiable information. While there is no requirement to notify a government body of processing activities, as there is in many European countries, companies handling personal data must give notice to the affected persons. Individuals must also be notified in the event of a security breach.
Link to the law (Spanish language): http://www.dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010
Who it will impact: Mexican businesses, as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico.
Requirements/provisions: In addition to addressing data retention, the law sets out eight general principles that data controllers must follow in handling personal data:
* Purpose Limitation
Source: Information Law Group
European Union Data Protection Directive
What it covers: This 1995 European directive sets strict limits on the collection and use of personal data and demands that each member state set up an independent national body responsible for the protection of this data.
Link to the law: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:008:0001:0022:EN:PDF
Additional legislative documents and case law: http://ec.europa.eu/justice/policies/privacy/law/index_en.htm
Who it impacts: European businesses, as well as non-European companies to which data is exported (see Safe Harbor Act, below).
Requirements/provisions: The directive incorporates seven governing principles:
1. Notice: Data subjects should be given notice when their data is being collected.
2. Purpose: Data should only be used for the purpose stated.
3. Consent: Data should not be disclosed without the subject's consent.
4. Security: Collected data should be kept secure from any potential abuses.
5. Disclosure: Data subjects should be informed as to who is collecting their data.
6. Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data.
7. Accountability: Data subjects should have an available method to hold data collectors accountable for following these six principles above.
Source: Europa, European Union Agency for Fundamental Rights
Safe Harbor Act
What it covers: The Safe Harbor Act, which went into effect in October 1998, prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection established by the European Union Data Protection Directive (see above). The Act was intended to bridge the different privacy approaches of the U.S. and Europe, thus enabling U.S. companies to safely engage in trans-Atlantic transactions without facing interruptions or even prosecution by European authorities.
Who is affected: U.S. companies doing business in Europe.
Link to the law: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/00/865&format=HTML&aged=1&language=EN&guiLanguage=en
* Companies participating in the safe harbor will be deemed adequate, and data flows to those companies will continue.
* Member state requirements for prior approval of data transfers either will be waived or approval will be automatically granted.
* Claims brought by European citizens against U.S. companies will be heard in the U.S., subject to limited exceptions.
Source: Europa, Business Records Management
This story, "Security laws, regulations and guidelines directory" was originally published by CSO.