European Union Data Protection Directive
What it covers: This 1995 European directive sets strict limits on the collection and use of personal data and demands that each member state set up an independent national body responsible for the protection of this data.
Link to the law: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:008:0001:0022:EN:PDF
Additional legislative documents and case law: http://ec.europa.eu/justice/policies/privacy/law/index_en.htm
Who it impacts: European businesses, as well as non-European companies to which data is exported (see Safe Harbor Act, below).
Requirements/provisions: The directive incorporates seven governing principles:
1. Notice: Data subjects should be given notice when their data is being collected.
2. Purpose: Data should only be used for the purpose stated.
3. Consent: Data should not be disclosed without the subject's consent.
4. Security: Collected data should be kept secure from any potential abuses.
5. Disclosure: Data subjects should be informed as to who is collecting their data.
6. Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data.
7. Accountability: Data subjects should have an available method to hold data collectors accountable for following these six principles above.
Source: Europa, European Union Agency for Fundamental Rights
Safe Harbor Act
What it covers: The Safe Harbor Act, which went into effect in October 1998, prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection established by the European Union Data Protection Directive (see above). The Act was intended to bridge the different privacy approaches of the U.S. and Europe, thus enabling U.S. companies to safely engage in trans-Atlantic transactions without facing interruptions or even prosecution by European authorities.
Who is affected: U.S. companies doing business in Europe.
Link to the law: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/00/865&format=HTML&aged=1&language=EN&guiLanguage=en
Key requirements/provisions:
* Companies participating in the safe harbor will be deemed adequate, and data flows to those companies will continue.
* Member state requirements for prior approval of data transfers either will be waived or approval will be automatically granted.
* Claims brought by European citizens against U.S. companies will be heard in the U.S., subject to limited exceptions.
Source: Europa, Business Records Management
More security directories and lists on CSOonline.com:
Security policies, tools and templates
The security certification directory
The security recruiter directory
Industry-wide events in digital and physical security, fraud prevention, business continuity planning and much more. (Post relevant events for free.)
Coming soon: The security data source directory
A handy compilation of links to research-based sources of security data.
This story, "Security laws, regulations and guidelines directory" was originally published by CSO.