Current challenges and the future of legal protection of personal data: under the influence of digitalization development

In the development of China’s Internet industry and digital economy, great importance is attached to the protection of personal data and seriously protects the legitimate rights and interests of citizens’ personal data. Generally speaking, with the development of technology and industry, China’s personal data protection has gone from “indirect protection” to “direct protection” and then to “comprehensive protection”. In the early years of China’s Internet industry, the indirect protection of personal data was mainly achieved through the protection of the “rights to privacy” of citizens. Since the Internet industry of the People’s Republic of China has entered a stage of rapid development, the state began to directly protect personal data in accordance with the provisions of the Chapter “Network Information Security” established in the “Cyber Security Law” of 2016, establishes several principles for the collection and use of personal data, protection requirements information security. Until November 1, 2021, the “Personal Data Protection Law of the People’s Republic of China” (PPD) was adopted to comprehensively protect personal data, reflecting the ideology of development focused on bringing the people to the center, meeting the new needs and aspirations of the people in the new era, and also proposing the creation international digital legal order “Chinese version”. The PPD further expands the scope of the object of personal data protection, comprehensively establishes the rights of individuals to process data, strengthens the obligations to protect personal data processors, creates strict rules for the protection of sensitive personal data and regulates the processing of personal data by public authorities, as well as improving the means of legal protection of personal data, all of which are important points in the legislation. The law incorporates advanced foreign experience, while emphasizing Chinese wisdom, the spirit of the times, and practicality in accordance with the reality of China.

The article is devoted to the study of the organizational and legal mechanism of personal data protection. The concept of "personal data protection" is developed in detail in domestic jurisprudence. The law regulates legal relations related to the protection and processing of personal data, with the aim of protecting the fundamental rights and freedoms of a person and a citizen, and, first of all, the right to non-interference in personal life, in connection with the processing of personal data. However, the rapid development of information technologies, the digitization of society forces us to improve the organizational and legal mechanism of personal data protection every time, to search for more effective and reliable methods and means of their protection. The actual legal basis for the protection of personal data can be found in the Constitution of Ukraine, the Criminal Code of Ukraine, the Civil Code of Ukraine, the Law of Ukraine "On the Protection of Personal Data", decisions of the Constitutional Court of Ukraine, international legal acts, consent to the mandatory use of which was given by the Verkhovna Rada of Ukraine. It is substantiated that it is the state that acts as the guarantor of the protection of a person's personal data - its task is to create an organizational and legal mechanism that would effectively protect human rights related to personal data, etc. The organizational component of the personal data protection mechanism covers the vertical of state bodies and services, which, in accordance with the powers assigned to them, carry out personal data protection activities. On the basis of the conducted research, we came to the conclusion that the organizational and legal mechanism for the protection of personal data is a set of legal norms and a complex of preventive measures carried out by relevant state bodies and services aimed at protecting personal data, stopping offenses, applying coercion to offenders and restoring violated human rights related to personal data.

The article is devoted to issues of legal protection and protection of personal data from the point of view of philosophy and ethics; approaches to the protection of personal data in judicial practice in the Russian Federation through the prism of ethics; features of the relationship of legal protection of personal data and ethics; current judicial practice in solving ethical issues in the field of protection of protection of personal data; problems of improving legislation in terms of ethics in the Russian Federation in accordance with the legislation on personal data.

<em>In the era of digital transformation, one prominent model of Fintech is Peer-to-Peer (P2P) lending, which offers alternative financing access through digital platforms. The protection of personal data in P2P lending becomes crucial as sensitive information such as financial and credit history is collected and processed by these platforms. Data protection regulations, like GDPR, play a vital role in maintaining the balance between Fintech innovation and individual privacy rights. This research aims to discuss the legal protection of personal data within the context of Peer-to-Peer (P2P) Lending in the realm of Financial Technology (Fintech) in Indonesia. The research methodology employed is normative law, using descriptive legal analysis. Data is gathered from various sources, including legal statutes, court decisions, legal literature, and government guidelines related to Fintech and personal data protection. Qualitative analysis is conducted to identify relevant legal provisions, explain their legal implications, and formulate improvement recommendations. The research findings reveal that personal data protection within Indonesian Fintech P2P Lending is governed by a range of regulations, including the Electronic Information and Transactions Law (UU ITE), the amended UU ITE, OJK regulations, and the Ministry of Communication and Informatics regulations. Moreover, the Omnibus Law on Job Creation provides a strong foundation for the protection of consumer personal data. Key principles in personal data protection encompass transparency, explicit consent, data security, limited data usage, fair and ethical business practices, individual rights over personal data, and data integration</em>

Reflections Upon the Interaction between Domestic and European Personal Data Protection Legislation

Click to increase image sizeClick to decrease image size Notes 1. "As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities. This raises new issues for security." OECD Guidelines for the Security of Information Systems and Networks, July 25, 2002, at p. 7, available at www.oecd.org/dataoecd/16/22/15582260.pdf. 2. Although not the subject of this article, it is important to note that countries are also enacting cybercrime legislation to make clear that certain online activities are illegal and to assist law enforcement in efforts to prosecute cyber criminals. To that end, the Privacy and Computer Crime Committee of the American Bar Association Section of Science & Technology Law has recently undertaken a project to develop a Model Cybercrime Law for the UN International Telecommunication Union's (ITU) Cybersecurity Work Programme to Assist Developing Countries. See also the International Guide to Combating Cybercrime published by this Committee, available at http://www.abanet.org/dch/committee.cfm?com=ST202003. 3. See the Appendix for a compilation of some of the key laws and regulations governing information security. 4. See, e.g., EU Data Protection Directive and HIPAA, cited in the Appendix. 5. See, e.g., E-SIGN, UETA, and UN Convention cited in the Appendix. 6. See, e.g., Kimberly Kiefer and Randy V. Sabett, Openness of Internet Creates Potential for Corporate Information Security Liability, BNA Privacy & Security Law Report, Vol. 1, No. 25 at 788 (June 24, 2002); Alan Charles Raul, Frank R. Volpe, and Gabriel S. Meyer, Liability for Computer Glitches and Online Security Lapses, BNA Electronic Commerce Law Report, Vol. 6, No. 31 at 849 (August 8, 2001); Erin Kenneally, The Byte Stops Here: Duty and Liability for Negligent Internet Security, Computer Security Journal, Vol. XVI, No. 2, 2000. 7. See, e.g., Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007); Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006); and Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005) (all affirming a negligence cause of action). See also, In Re TJX Companies Retail Security Breach Litigation, 2007 U.S. Dist. Lexis 77236 (D. Mass. October 12, 2007) (rejecting a negligence claim due to the economic loss doctrine, but allowing a negligent misrepresentation claim to proceed). 8. See, e.g., American Express v. Vinhnee, 2005 Bankr. Lexis 2602 (9th Cir. Bk. App. Panel, 2005); Lorraine v. Markel, 2007 U.S. Dist. Lexis 33020 (D. MD. May 4, 2007). 9. Available at www.pcisecuritystandards.org. 10. Available at www.cabforum.org. 11. ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005) (hereinafter "ISO/IEC 27001"), available for purchase at http://www.standards-online.net/InformationSecurityStandard.htm. 12. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "EU Data Protection Directive"). 13. See statutes listed in the Appendix. 14. See statutes listed in the Appendix. 15. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 U.S.C. 1320d-2 and 1320d-4, (providing that "each person … who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards: (A) to ensure the integrity and confidentiality of the information; (B) to protect against any reasonably anticipated: (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and (C) otherwise to ensure compliance with this part by the officers and employees of such person," at 42 U.S.C. 1320d-2(d)(2). 16. Gramm-Leach-Bliley Financial Services Modernization Act ("GLB"), Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), at §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, providing that "[E]ach financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." 17. See, Gramm-Leach-Bliley Act ("GLB"), Public Law 106-102, §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, and implementing regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC). 18. Final HIPAA Security Regulations, 45 C.F.R. Part 164. 19. There have also been efforts in the United States to pursue comprehensive federal privacy similar to the approach taken by many other countries. See e.g., Microsoft position paper at www.microsoft.com/presspass/download/features/2005/PrivacyLegislationCallWP.doc. Although it remains to be seen whether that approach will ultimately be adopted, it is clear that the combination of U.S. state and federal law has, in effect, imposed a comprehensive obligation of security with respect to all personal information held by all companies. 20. See, e.g., FTC enforcement actions regarding In the Matter of Sunbelt Lending Services, Inc.; In the Matter of Petco Animal Supplies, Inc.; In the Matter of MTS, Inc., d/b/a Tower records/Books/Video; In the matter of Guess?, Inc.; FTC V. Microsoft; and In the Matter of Eli Lilly and Company cited in the Appendix. 21. See, e.g., FTC enforcement actions regarding In the Matter of CardSystems Solutions, Inc.; United States v. ChoicePoint, Inc.; In the Matter of DSW Inc.; and In the Matter of BJ's Wholesale Club, Inc. cited in the Appendix. 22. See list in the Appendix. 23. See, e.g., Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006) and Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005). 24. 205 Mich. App. Lexis 353 at ∗16 (Mich. App. 2005). 25. 2006 U.S. Dist. Lexis 4846 at ∗9 (D. Minn. 2006). 26. Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007). 27. In Re TJX Companies Retail Security Breach Litigation, 2007 U.S. Dist. Lexis 77236 (D. Mass. October 12, 2007), at pp. 28–29. 28. Ibid. 29. The Homeland Security Act of 2002 defines the term "information system" to mean "any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, and includes—(A) computers and computer networks; (B) ancillary equipment; (C) software, firmware, and related procedures; (D) services, including support services; and (E) related resources." Homeland Security Act of 2002, Pub. L. 107-296, at Section 1001(b), amending 44 U.S.C. § 3532(b)(4). 30. See, e.g., Australia, Information Privacy Principles under the Privacy Act 1988, Principle No. 4, available at www.privacy.gov.au/publications/ipps.html; AICPA and the Canadian Institute of Chartered Accountants (CICA), Generally Accepted Privacy principles, Principle No. 8, available at http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles; APEC, Privacy principles, Principle No. 7, available at http://austlii.edu.au/∼graham/APEC/APECv10.doc; US-EU Safe Harbor Privacy Principles, available at www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm; Direct Marketing Association, Online Marketing Guidelines, available at www.the-dma.org/guidelines/onlineguidelines.shtml. 31. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "EU Data Protection Directive"). 32. EU Data Protection Directive, Preamble at Para. 46. 33. EU Data Protection Directive, Article 17(1). 34. See statutes listed in the Appendix. 35. See statutes listed in the Appendix. 36. See generally, Bruce H. Nearon, Jon Stanley, Steven W. Teppler, and Joseph Burton, Life after Sarbanes-Oxley: The Merger of Information Security and Accountability, Jurimetrics Journal, Vol. 45, 379–412 (2005). 37. American Express v. Vinhnee, 336 B.R. 437; 2005 Bankr. Lexis 2602 (9th Cir. December 16, 2006). 38. Ibid., at p. 444. 39. Ibid., at p. 445. 40. Ibid., at pp. 446–447. 41. Ibid., at p. 449. 42. See, e.g., National Association of Corporate Directors, Information Security Oversight (2007). 43. Sarbanes-Oxley Act, Section 302. 44. See, e.g., GLB Security Regulations (Federal Reserve) 12 C.F.R. 208, Appendix D-2.III(A). 45. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(2). 46. See, FTC Decisions and Consent Decrees listed in the Appendix, including Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 27(a), p. 7; Eli Lilly Decision at II.A. 47. FISMA, 44 U.S.C. 3544(a). 48. E. Michael Power and Roland L. Trope, Sailing in Dangerous Waters: A Director's Guide to Data Governanc e , American Bar Association (2005), p. 13; Roland L. Trope, "Directors' Digital Fiduciary Duties," IEEE Security & Privacy, January/February 2005 at p. 78. 49. Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). 50. Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005), at pp. 11–13 (noting that harm was foreseeable, but Board took no action). 51. Securing Cyberspace: Business Roundtable's Framework for the Future, Business Roundtable, May 19, 2004 at pp. 1, 2; available at www.businessroundtable.org/pdf//20040518000CyberSecurityPrinciples.pdf. The Business Roundtable is an association of chief executive officers of leading U.S. corporations with a combined workforce of more than 10 million employees in the United States. See www.businessroundtable.org. 52. Information Security Governance: A Call to Action, Corporate Governance Task Force Report, National Cyber Security Partnership, April 2004, pp. 12–13, available at www.cyberpartnership.org/InfoSecGov4_04.pdf. The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet, and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies, and industry experts. Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, this public–private partnership was established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure. Further information is available at www.cyberpartnership.org. 53. GLB Security Regulations (OCC), 12 C.F.R. Part 30, Appendix B, Part III.A and Part III.F. 54. See, e.g., Homeland Security Act of 2002 (Federal Information Security Management Act of 2002) 44 U.S.C. Section 3542(b)(1); GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part II.B; HIPAA Security Regulations, 45 C.F.R. Section 164.306(a)(1); Microsoft Consent Decree at II, p. 4. 55. See, e.g., 44 USC 3532(b)(1), emphasis added. See also FISMA, 44 U.S.C. Section 3542(b)(1). Most of the foreign privacy laws also focus their security requirements from this perspective. This includes, for example, the EU Privacy Directive, Finland's Privacy Law, Italy's Privacy Law, and the UK Privacy Law. Also in this category is the Canadian Privacy Law. 56. Although they often focus on categories of security measures to address. See, e.g., HIPAA Security Regulations, 45 C.F.R. Part 164. 57. See, e.g., FDA regulations at 21 C.F.R. Part 11 (procedures and controls); SEC regulations at 17 C.F.R. 257.1(e)(3) (procedures); SEC regulations at 17 C.F.R. 240.17a-4 (controls); GLB regulations (FTC) 16 C.F.R. Part 314 (safeguards); Canada, Personal Information Protection and Electronic Documents Act, Schedule I, Section 4.7 (safeguards); EU Data Privacy Directive, Article 17(1) (measures) available at http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf. 58. See, e.g., HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; COPPA, 15 U.S.C. 6502(b)(1)(D), and COPPA regulations 16 C.F.R. 312.8; IRS Rev. Proc. 97-22, sec. 4.01(2); SEC regulations 17 C.F.R. 257. See also UCC Article 4A, Section 202 ("commercially reasonable" security procedure), and Microsoft Consent Decree. 59. "Appropriate" security required by: HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; EU Data Protection Directive, Article 17(1). 60. EU Data Protection Directive, Article 17(1) (emphasis added) 61. See, e.g., Belgium—Belgian Law of 8 December 1992 on Privacy Protection in relation to the Processing of Personal Data, as modified by the law of 11 December 1998 Implementing Directive 95/46/EC, and the law of 26 February 2003, Chapter IV, Article 16(4); Denmark—Act on Processing of Personal Data,; Act No. 429 of 31 May 2000 (unofficial English translation), Title IV, Part 11, Section 41(3); Estonia—Personal Data Protection Act; Passed February12, 2003 (RT1 I 2003, 26, 158), entered into force October 1, 2003, Chapter 3, Sections 19(2); Greece—Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended by Laws 2819/2000 and 2915/2001); Article 10(3); Ireland—Data Protection (Amendment) Act 2003; Section 2.-(1)(d) and First Schedule Article 7; Lithuania—Law on Legal Protection of Personal Data, January 21, 2003, No. IX-1296, Official translation, with amendments April 13, 2004, Article 24(1); Netherlands—25 892—Rules for the protection of personal data (Personal Data Protection Act) (Unofficial translation); Article 13; Portugal—Act on the Protection of Personal Data (transposing into the Portuguese legal system Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), Article 14(1); Slovakia—Act No 428 of July 3, 2002 on personal data protection; Section 15(1); Sweden—Personal Data Act (1998:204); issued April 29, 1998, Section 31; and UK—Data Protection Act 1998, Schedule 1, Part I, Seventh Principle. 62. See, e.g., Finland—The Finnish Personal Data Act (523/1999), given on 22.4.1999, Section 32(1); Germany—Federal Data Protection Act as of January 1, 2003, Section 9; Hungary—Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest, Article 10(1); Italy—Personal Data Protection Code, Legislative Decree No. 196 of 30 June 2003, Sections 31 and 33; Spain—Organic Law 15/1999 of December 13 on the Protection of Personal Data, Article 9. 63. 5 USC Sec. 552a. 64. 5 U.S.C. § 552a (d)(10) (emphasis added). 65. 42 U.S.C. 1320d-2(d)(2). 66. See, Gramm-Leach-Bliley Act ("GLB"), Public Law 106-102, §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, and implementing regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC) (emphasis added). 67. Cal. Civil Code § 1798.81.5(b). 68. See UN Convention at Article 9(3), 9(4), and 9(5). 69. ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005). See text at footnotes 157–169, infra. February 1, 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift May 16 C.F.R. Part 44 U.S.C. Section 45 C.F.R. 164. See of the on by of the Technology and Homeland Security of the Committee on the United States 21, 2007 at p. (noting that FTC under the GLB Act as a for the obligation to maintain reasonable and appropriate available at See also, of the the on Information and the Committee on U.S. House of on April 21, 2004, at p. 5 (noting that is an of reasonable and appropriate measures in of the available at See, e.g., FTC Decisions and Consent Decrees listed in the Appendix. See, e.g., National Association of Insurance for Information Model available at in at See, e.g., Consent Decrees listed in the Appendix. 78. See, e.g., Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006) and Bell v. Michigan Council, 2005 Mich. App. 353 (Mich. App. February 15, 2005). Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006). Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005). Committee on available at See, e.g., Italy—Personal Data Protection Code, Legislative Decree No. 196 of 30 June 2003, B, § Act No 428 of July 2002 on personal data § the Appendix, Act, B, Section Act, Section the Appendix, Act, Article Act, Section Act, 16(4); Act, Section 41(3); Act, Section Act, Section 32(1); Act, Section 9; Act, Article 10(3); Act, Article 10(1); Act, Article 24(1); Act, Article 13; Act, Article 14(1); Act, Section 15(1); Act, Article 9; Act, Section 31; UK Act, Schedule 1, Part I, Seventh Act, Article 7. the Appendix, Act, Schedule 2, Section Act, Act, Schedule 1, 4.7 Principle 7, Act, Section Act, Section Act, B, Sections and Act, Sections 17 and the Appendix, Act, Section A Security § Act, Section Decree the Appendix, Decree the Appendix, Act, Section Principle 4; Act, Article Act, Article Act, Sections and Act, Section Act, Section Act, Section Act, B, Sections and Act, Sections 17 and Bruce & Digital Security in a & at p. See, e.g., HIPAA Security Regulations, 45 C.F.R. Section See, e.g., Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. p. Eli Lilly Decision at II.B; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part See, e.g., Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at See, e.g., FISMA, 44 U.S.C. Sections and GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part See, e.g., In Electronic July 30, Financial Council, 2; available at See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part Eli Lilly Decision at II.B; HIPAA Security Regulations, 45 C.F.R. Section Information Security Management Act of 2002 44 U.S.C. Section See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section Information Security Management Act of 2002 44 U.S.C. Section See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Information Security Management Act of 2002 44 U.S.C. Section See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section See, e.g., HIPAA Security Regulations, 45 C.F.R. Section See, e.g., United States v. Cir. See, e.g., Inc. v. also v. or of to with and of See, e.g., HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part and Part FISMA, 44 U.S.C. Sections and Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of HIPAA Security Regulations, 45 CFR Section and and on HIPAA Security of & Section of Science & Technology Law, No. April 2003, at p. 2, available at See, e.g., HIPAA regulations 45 C.F.R. Sections and GLB Regulations, 12 C.F.R. 208, Appendix and 12 C.F.R. Part 30, Appendix B, Part Microsoft Consent at p. 4. HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Sections and GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section and Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. p. 5 and Para. 25, p. 6. HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. 25, p. HIPAA Security Regulations, 45 C.F.R. Sections and Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section Ziff Davis Assurance of Discontinuance, and 26, pp. HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part See, e.g., FISMA, 44 U.S.C. Section HIPAA Security Regulations, 45 C.F.R. Section Ziff Davis Assurance of Discontinuance, Para. p. 5. Ziff Davis Assurance of Discontinuance, Para. p. 7. HIPAA Security Regulations, 45 C.F.R. Section Microsoft Consent Decree at II, p. 4. FISMA, 44 U.S.C. Section Eli Lilly Decision at GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. and p. 7; Eli Lilly Decision at HIPAA Security Regulations, 45 C.F.R. Section Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. and p. 7; Eli Lilly Decision at GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section and GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at Microsoft Consent Decree at p. 5. Ziff Davis Assurance of Discontinuance, Para. p. 7. See, e.g., of the of the of National on 21, at See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section and GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007). See Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005). See Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 at (D. Minn. February 7, 2006) that a was the to and a of a was not a of a of reasonable The Financial is a of U.S. federal agencies, that the Board of of the Reserve Insurance the National the of the of the and the of Thrift on on in an Internet 8, 2006 at p. available at on on in an Internet 8, 2006 at p. available at Guide for the Guidelines Information Security December available at Information Security July available at See National Institute of and Management Guide for Information Technology No. available at ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005) (hereinafter "ISO/IEC ISO/IEC § for is the and of International and is of a of the of with and a in that the The American National Institute the United States. See, The also in and in related to including The of make its with the United States. See ISO/IEC 27001, § (emphasis added). ISO/IEC 27001, § ISO/IEC 27001, § ISO/IEC 27001, § 164. ISO/IEC 27001, § ISO/IEC 27001, §§ and 6. ISO/IEC 27001, §§ and 8. ISO/IEC 27001, §§ ISO/IEC that with an International not in from legal p. 1. EU Data Protection Directive, Article 8. Article Data Protection on the processing of personal data to health in health February 15, at pp. available at (emphasis in See list of state laws in Report, Security and Laws of 15, 2005 at Appendix available at Code, § Rev. Stat. Available at www.pcisecuritystandards.org. See list in the Appendix. See, e.g., 16 CFR Section Health Insurance Portability and Accountability Act Security Regulations, 45 C.F.R. § HIPAA security regulations to in the Act Security Regulations, 12 C.F.R. Part 30 Appendix B, Part security regulations to information in the financial Homeland Security Act of 2002 § 1001(b), amending 44 U.S.C. § and § amending 44 U.S.C. § information and information systems from unauthorized and regulations, 21 C.F.R. Part 11. See, e.g., Cal. Civil Code § 1798.81.5(b). See April 2, the Matter of of the Act of of Information and Information Services, No. No. April 2, at available at (hereinafter Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007). in an Internet 12, 2005 available at This was by an on on in an Internet 8, available at of No. 25, The is an See, e.g., HIPAA Security Regulations, 45 C.F.R. § at p. 6. Ibid., at p. 3. Ibid. v. National 2007 U.S. App. Lexis 2007), at p. 13. See, e.g., on of Security Breach Personal of Privacy of April 2006 (hereinafter at pp. at note , at p. a of such in the United States and a of the number of individuals Privacy at IRS Rev. Proc. § See list of statutes in the Appendix. on for Access to Information and Part of A to Appendix, at 12 C.F.R. Part 30 (OCC), 12 C.F.R. Part (Federal Reserve System), 12 C.F.R. Part (FDIC), and 12 C.F.R. Part 568 (Office of Thrift 29, Vol. No. 29, at p. (hereinafter the maintains personal information that the not in the laws the to the or of the information, than the individuals of any of the security of the See, e.g., Code § Rev. Stat. § Code, § Stat. § Code § 2007 The also any combination of of information that to or the such as and or and See, e.g., Breach to the of & Financial Services, December 15 USC Section This that with the of at 15 USC Section and are of in this and are of in this See, and of a Duty to Information Security Computer & L. See and to Law the Protection of Personal BNA Privacy & Security Law Report, 19, p. May See at on the of the Framework for Electronic and Services, with focus on the 26, available at Science and Technology Committee, House of Internet of July 24, at Para. of the Privacy of Canada, for in to Privacy available at See Privacy Breach of the Privacy available at Privacy available at See, of the Privacy to the Law of February at available at Available at Available at to information to state

The development of digital technology has driven the transformation of banking services that are now digital-based. Behind the convenience of these services, there are major challenges related to the protection of consumer personal data. This research aims to analyse the legal protection of personal data in digital banking services in Indonesia. This normative research uses a statutory approach by examining relevant laws and regulations, such as the Personal Data Protection Act, Financial Services Authority Regulations and Bank Indonesia Regulations as well as a conceptual approach. The results of this study show that there are already several laws and regulations governing digital financial services in Indonesia that seek to provide protection for the use of personal data for financial services consumers, although there are still several cases of theft and misuse of personal data of financial services consumers as well as forms of legal protection of personal data in digital banking services. This study is expected to provide further understanding of the urgency of personal data protection and the contribution of regulations in creating a safe digital banking ecosystem for consumers.

The issue of personal data protection has been one of the focal points of attention in recent decades. This is because the protection of personal data is a form of realizing the right to privacy as a fundamental human right. Personal data refers to information about a specific individual’s characteristics that serves as a means of their identification. Personal data protection in Bosnia and Herzegovina is regulated by the Law on Personal Data Protection. This law governs the principles of personal data processing, the obligations of data controllers and processors, the rights of data subjects, as well as sanctions for violations of the law. Since 2016, the protection of personal data in the European Union has been regulated by the General Data Protection Regulation (GDPR), which has significantly improved the system for protecting personal data. A particularly significant category of personal data is personal health data, which includes identification and identifying information about an individual’s health and medical condition, their medical diagnosis, prognosis, and treatment, as well as information about substances that can identify that individual. Data related to an individual’s health is a crucial and potentially vulnerable aspect of their life. These are the most intimate data about an individual, the unauthorized and unjustified disclosure of which can subject them to shame, ridicule, and stigmatization, causing them significant, primarily non-material, harm. Misuse of patient information not only violates their privacy but also undermines their dignity. Therefore, personal health data can only be processed for health-related purposes, i.e., for the benefit of the individual and society as a whole. Laws regulating patients’ rights in the Federation of Bosnia and Herzegovina (the Law on Healthcare and the Law on the Rights, Obligations, and Responsibilities of Patients) guarantee patients the right to confidentiality of information and privacy, the right to data secrecy, and the right to access their medical records. The provisions of these laws significantly meet the standards for the protection of personal health data. However, in order to improve the situation in this area, there is a need to harmonize the provisions of the general data protection law, which is subsidiarily applied in the protection of personal health data, with the provisions of the General Data Protection Regulation.

La actividad cotidiana de cualquier persona deja hoy “rastro digital”. Esto obliga a plantear: ?Que ocurre con nuestro “rastro digital” cuando morimos? ?Puede la persona prever algo al respecto? El hecho de que en el “rastro digital” puedan verse involucrados tanto aspectos de caracter neta­mente personal como patrimonial, determina que la aproximacion al “rastro digital” dejado por la per­sona al fallecer pueda hacerse: o bien desde una perspectiva eminentemente patrimonial-sucesoria, de la gestion y/o el destino del patrimonio digital; o bien desde una perspectiva eminentemente personal, de la proteccion post mortem de la intimidad/privacidad y/o de los datos personales tanto del fallecido como de terceros. Este doble enfoque se refleja en la practica y tambien en la legislacion comparada, europea y norteamericana. Mas concretamente, es esta una materia en la que confluyen cuestiones de Derecho de sucesiones, de Derecho contractual y de Derecho de la persona –en particular, relativas a la proteccion de datos personales y a la proteccion de la intimidad/privacidad postuma y de terceros–. Asi, por lo que respecta al punto de vista patrimonial, si bien en principio no es posible hablar de la “heren­cia digital” como algo distinto de la “herencia analogica”, ello no obsta a que deban tenerse en cuenta ciertas especificidades que rodean y/o afectan a ciertos “bienes digitales”, en algun caso tributarias del Derecho de contratos. En este contexto, la persona puede ordenar sus “voluntades digitales”, previendo disposiciones sucesorias (nombrando “sucesores digitales”) y/o no sucesorias (ya sea designando “albacea/s digital/ es” o bien quien va a poder actuar en relacion a la proteccion de sus datos personales y/o al ejercicio de las acciones de proteccion civil del honor, la intimidad o la imagen). Por lo que respecta a la legislacion espanola, la Ley catalana 10/2017, de 27 de junio, de las volun­tades digitales, adopta una perspectiva esencialmente patrimonial, previendo la posibilidad de designar un “albacea digital” para que actue ante los prestadores de servicios digitales con los que el causante tenga cuentas activas. El hecho de que la norma catalana se muestre plenamente respetuosa con el con­tenido del contrato suscrito entre el usuario fallecido y el prestador de servicios contrasta con las solu­ciones adoptadas al respecto en otros ordenamientos. Por otra parte, la regla por defecto de no acceso al “contenido” de las cuentas y archivos digitales, salvo que el causante lo haya establecido o se obtenga autorizacion judicial, aproxima la Ley catalana a lo previsto en otros sistemas. En la Ley Organica 3/2018, de 5 de diciembre, de Proteccion de Datos Personales y garantia de los derechos digitales, confluyen tanto el enfoque personal –de la proteccion de datos de las personas fallecidas–, como el patrimonial –relativo a los “contenidos digitales”– (en el mal llamado “testamento digital”). Esta ley parte de la regla de acceso por defecto a los contenidos digitales o a los datos perso­nales del fallecido, y establece una legitimacion muy amplia en cuanto a facultades y demasiado extensa en cuanto a personas legitimadas, sin establecer prelacion alguna entre ellas. Esto, que puede generar problemas en la practica, contrasta con lo previsto en la Ley catalana y en otras legislaciones de nuestro entorno. La Ley Organica 3/2018 se revela, asi, mas como una ley de desproteccion de datos y de con­tenidos digitales, que no de proteccion de los mismos.

The article is devoted to the issues of modern understanding of the concept, essence and content of administrative and legal support for the protection of personal data of citizens. In this aspect, the author emphasizes the growing need to form an appropriate level of protection of an individual from information threats of the modern world and to form administrative and legal support for the protection of personal data of citizens. The methodological basis of the study. The selected issue is approached using a systematic methodology, which incorporates dialectical, formal-logical, and structural-functional methods, in addition to other standard scientific research techniques. Furthermore, specific legal methods, such as formal-logical, systematic-functional, comparative analysis, methods of legal interpretation, and legal forecasting, are employed. The study is grounded in the theory of cognition, with a particular emphasis on materialist dialectics as its overarching method. General scientific research methods used include formal-logical and systematic approaches. Results. The author emphasizes that legal protection of personal data by the authorities is based on legislation and regulations governing the rights and obligations of the authorities with respect to personal data processing. It is emphasized that these rules may include requirements for data registration, confidentiality, notification of an individual about the collection and use of his or her personal data, and establishment of liability for violation of data protection rules. The concept of personal data protection by the authorities includes the adoption of appropriate legal measures to ensure the security and confidentiality of these data. Conclusions. The administrative and legal support for the protection of citizens’ personal data takes place within the activities of government authorities as an element of their service function. The concept of administrative and legal support for the protection of citizens’ personal data is defined as the regulated administrative and legal activities of entities responsible for ensuring the protection of personal data, primarily the activities of public administration subjects, aimed at administrative and legal regulation, implementation, protection, and safeguarding of public relations in the field of personal data. It guarantees the rights and legitimate interests of all subjects of legal relations, focusing on creating the necessary conditions for compliance with legislation on personal data protection. It is emphasized that administrative support is the activity of public authorities manifested in legal regulation, application, and protection of the rights, freedoms, and interests of citizens.

The Right to the Protection of Personal Data (Dreptul la Protecţia Datelor cu Caracter Personal)

The process of legislative settlement of issues related to the protection of personal data began in the European Union (EU) with the entry into force of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals regarding the processing of personal data and on the free movement of such data (Directive). After adoption the Charter of Fundamental Rights of the European Union (2000), which Article 8 defined the protection of personal data as a human right, establishment of the sufficient principles in the Lisbon Treaty (2009), there were amended two key EU acts: the Treaty on EU and the Treaty establishing the European Community. As a result, everyone in the EU was guaranteed the right to protect their personal data. In 2016 the EU adopted Regulation 2016/679/EC of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data (Regulation), which radically updated the methods of collecting and processing personal data, and not only in the EU. As a result, to comply with its requirements, both EU-based companies and those operating in the EU or working with consumers from the EU market were forced to update their privacy/personal data policies. In turn, in Ukraine, significant progress in the development of legal regulation of personal data protection occurred later. As of 2010, public relations regarding collection, storage, use and dissemination of information about a person were regulated by more than two dozen uncoordinated laws and secondary legislation. To specify and define the mechanisms for implementing the provisions of Article 32, Constitution of Ukraine, which proclaimed the right of a person to non–interference in its personal life and established a ban on the collection, storage, use and dissemination of confidential information about a person without its consent, the Verkhovna Rada of Ukraine in 2010 adopted the law of Ukraine “On Personal Data Protection”. Having played a vital role in the legislative codification of the rules for processing personal data, the law, like the Directive, failed to respond to technological changes and the processes caused by this in society, despite numerous amendments made by MPs. Since the Association Agreement between EU and Ukraine came into power, there is noticeable arising necessity to harmonize the Ukrainian legislative framework with EU, as though contexts of adoption of the Regulation and the Law are different, so are the ways of resolving personal protection issues in Ukraine and the EU. Therefore, it is necessary to establish the new legislative amendments, the degree of compliance of personal data protection standards in Ukraine with the relevant standards in the EU. In this paper, as an outcome of estimations of relevant international research, further analytical and comparative analyses, there are some proposals to future institutional features of such modernization, affecting such issues as: clarification regarding material effects in order to limit legal regulation and avoid excessive legal burden on individuals, as well as in some cases on state authorities; providing new definitions of concepts that are not yet available in domestic regulation; establishment of fundamental guidelines for the processing of personal data in accordance with international standards; fostering more sustainable standards for the processing of sensitive personal data; in-depth structuring the issue of processing personal data for a different purpose than the one for which they were collected; regulating the implementation of the rights of personal data subjects, in particular, the right to information, the right to access, the right to correct personal data, the right to be forgotten, the right to personal data mobility, the right to restrict the processing of personal data, the right to protection from automated decision-making, the right of the data subject to protection of their rights and compensation for damage; clarifications regarding the definitions of the duties and responsibilities of the personal data controllers and operator; sustainable regulations concerning the issue of cross-border transfer of personal data.

Privacy as a legal concept is an unavoidable part of a modern democratic society and is recognized as one of the fundamental human rights of every citizen. The right to privacy and the protection of personal data are guaranteed by international human rights documents. In librarianship, the right to privacy and protection of personal data is also guaranteed in the documents of international library associations, which clearly emphasize that librarians are obliged in their work to protect the privacy and personal data of their users. Privacy and personal data are increasingly difficult to protect today, as access to data is simpler and easier due to the use of different and new information technologies, electronic communication, social networks, electronic databases, etc. Personal rights are guaranteed by international documents on protection of personal data and protected by national personal data protection laws. The main objectives of the paper are: to problematize the definition of the concept of privacy from several perspectives; problematize the importance of the right to privacy and protection of personal data in the context of the library profession; provide an overview of significant international documents in the field of human rights which also guarantee the right to privacy and protection of personal data; make a review of important international documents guaranteeing the right to protection and confidentiality of personal data; and finally, the paper will provide an overview of documents of international library associations that in their texts indicate the importance of privacy and protection of personal data in the library business.

Over Troubled Water: E-Health Platforms and the Protection of Personal Data: The Case of Portugal

Unlike conventional methods and technologies of collecting, processing and analysing the personal data of natural persons as part of law enforcement activities, the broader use of different artificial intelligence methods brings into focus the need for specific rules regulating the application of various artificial intelligence methods to protect two independent fundamental rights as regulated by EU Charter of Fundamental Rights, Art. 7 and 8 – data protection and privacy. Privacy, the protection of personal data and the security of their processing and transmission within law enforcement activities, whether it is non-automated, partially or fully automated, is prescribed by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. When considering personal data protection in the context of Directive 2016/680 it is referred to the protection of information on the confirmed identity of a natural person (data protection) and the protection of all information by which identity can be confirmed (privacy). Thus, this information should not be part of the defined personal data category, and all methods and technologies that can be used for direct and indirect confirmation of the identity of a natural person should be taken into account. The paper aims to determine whether there is relationship between privacy and security and whether there are differences in the personal data collection, processing and analysis methods by law enforcement authorities, when used methods are conventional or artificial intelligence. The first hypothesis emphasises causality between privacy and security when collecting, processing and analysing their personal data by conventional methods and artificial intelligence methods for law enforcement purposes. The second hypothesis implies a statistically significant difference in making personal data available to law-enforcement bodies in cases they are collected, processed and analysed by conventional methods and in cases they are collected, processed or analysed by artificial intelligence methods. The methods used are: descriptive method for describing the process of collecting, processing and analysing personal data in law enforcement activities, as well as for describing the differences between conventional and artificial intelligence methods and evaluating hypotheses; induction for creating hypothesis; deduction for observing specific relations; content analysis and synthesis in the evaluation phase; survey method; statistical and comparative method in the testing phase and for determining the compliance with the hypotheses.