EAI Endorsed Transactions on Scalable Information Systems
Research Article

Challenges of Complying with Data Protection and Privacy Regulations

A.M. Lonzetta, T. Hayajneh *

Fordham Center for Cybersecurity, Fordham University, New York, NY 10023, USA

Abstract

As we move into a more digitized society, the collection and use of data continues to increase. This influx of data, combined with the challenges of complying with data protection and privacy regulations and the absence of a comprehensive global data protection and privacy strategy, has contributed to data breaches and data misuse. In order to reduce these incidents, updates must be made to existing regulations and included in future regulations. A global agency should also be created to identify the main data protection and privacy objectives, develop a comprehensive strategy, and oversee data protection and privacy. Our paper presents an overview of existing data protection and privacy regulations, the challenges of complying with the regulations, and recommendations to achieve long-term data protection and privacy.

Keywords: GDPR, CCPA, Data Privacy, Data Protection Regulations, Compliance

Received on 20 May 2020, accepted on 09 September 2020, published on 18 September 2020.

Copyright © 2020 A.M. Lonzetta et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.

doi: 10.4108/eai.26-5-2020.166352

1. Introduction

There are currently hundreds of laws related to privacy dating back to colonial America, including criminal law, the common law of torts, constitutional law, evidentiary privileges, federal statutes, and state statutes [1]. In the beginning, the primary purpose for the enactment of these laws was to ensure citizens' freedom from government institutions [1].

In the last decade of the twentieth century, the introduction of internet technology posed new, challenging threats [1]. Internet technology has become an essential part of people's everyday lives. It includes the use of email, online shopping, online searching, social media, etc. Its usage has resulted in the generation of a significant amount of personal data that is collected, used, shared, stored, and sold by organizations, governments, and third parties (e.g. data brokers) [2,3].

Organizations utilize the collected data to develop a more strategic approach to common business initiatives, including product development, product solutions, consumer targeting, consumer experience, optimization of operations and supply chains, and the identification of future market trends [4]. Data is used by governments and law enforcement for identification for arrest warrants, as well as for physical and digital surveillance. In both organization and government instances, data is used to create personal profiles, some of which are used to influence behaviour.

Individuals are becoming more aware of personal data collection and usage. A recent U.S. study found that the majority of Americans are concerned about how their personal data is being used [5]. Figure 1 below shows that there are significantly more individuals concerned about how companies and the government use personal data compared to those who are not [5]. It also shows that individuals are most concerned about the use of their personal data by companies [5].

*
Corresponding author. Email: [email protected]

EAI Endorsed Transactions on Scalable Information Systems, 01 2021 - 04 2021 | Volume 8 | Issue 30 | e4

[Figure 1. Data Usage Concerns]

The necessary steps must be taken to protect personal data. This includes how the data is collected, processed, shared, and stored.

The objectives of this paper are:
A. Present an overview of data protection and privacy regulations, with a focus on their scope and objectives.
B. Identify the challenges of complying with data protection and privacy regulations.
C. Discuss several recommendations that will assist in achieving data protection and privacy in the long term.

The remainder of this paper is organized as follows. Section 2 presents related work. Data protection and privacy regulations are discussed in Section 3. Section 4 discusses challenges of data protection and privacy regulation compliance. Section 5 provides recommendations for mitigating challenges related to data protection and privacy regulation compliance and achieving data protection and privacy in the long term. Finally, Section 6 provides a conclusion for the paper.

2. Related Work

As the collection and usage of personal data increases, privacy and data protection experts continue to conduct research and work with lawmakers to protect personal data. In "Are We There Yet? Understanding the Challenges Faced in Complying with the General Data Protection Regulation (GDPR)", the authors examine the challenges organizations face when trying to comply with GDPR [6]. The study was published shortly after the enforcement of GDPR and only a select number of candidates were interviewed. As more organizations continue to provide feedback on GDPR, more challenges have been identified. This is further discussed in our work.

In "GDPR Compliance in Norwegian Companies", the authors conducted an online survey which identified and described opportunities and challenges faced by Norwegian companies when trying to comply with GDPR [7]. We explore these challenges further, and identify those and others that are encountered when trying to comply with data protection and privacy regulations.

The majority of research on this topic focuses on GDPR, with minimal to no research done on other regulations. Additional research has been conducted and papers have been published; however, they extend beyond the focus of our work.

3. Data Protection Regulations

In this section, we discuss the various global data protection and privacy regulations. They are divided into three categories: early data protection and privacy regulations, recent data protection and privacy regulations, and upcoming data protection and privacy regulations.

3.1. Early Data Protection and Privacy Regulations

The regulations listed below are some of the earliest data protection and privacy regulations passed [8].

The Privacy Act of 1988

The Australian Privacy Act of 1988 is the primary privacy regulation in Australia [8]. Over the years, it has gone through two sets of amendments. The first, in 2000, expanded the regulation to cover private sector businesses. The second and more comprehensive update was done by the Australian Law Reform Commission in 2014.

The main objective of the regulation is to enable information to flow freely outside of Australia, while respecting individual privacy in relation to information collection, use, disclosure, disposal, access, integrity, and credit reporting. The regulation applies to Australian, Australian Capital Territory, and Norfolk Island government agencies, and to private businesses. Organizations with less than $3 million in annual sales do not need to comply with the regulation. The regulation consists of 13 principles, which are detailed below.

Openness and Transparency in the Management of Personal Information. All information should be managed openly and transparently. Entities are required to have a privacy policy that is clear and addresses specific matters [8]. The necessary steps should be taken to comply with the Privacy Act of 1988.

Anonymity and Pseudonymity of Information. Individuals should have the opportunity, unless exempt, to not be identified.

Collecting Solicited Information. Personal information should be collected by "lawful and fair means". It should only be collected when it is necessary or associated with the entity's function or activities. Consent is needed to collect sensitive information.

Handling Unsolicited Personal Information. Unsolicited information must be anonymized or destroyed [8]. This includes information that could not have been collected under the previous principle.

Notification for the Collection of Personal Information. Individuals must be notified when personal information is collected.


Disclosure or Use of Personal Information. Information collected for a specific purpose must be used for that purpose. In order to use it for other purposes, the entity needs the individual's consent. Matters related to law enforcement, as well as health and safety, are exempt.

Personal Information for Direct Marketing. Personal information used for direct marketing requires the use of an opt-out for future messages. Sensitive information on individuals requires consent for direct marketing.

Overseas Disclosure of Personal Information. Overseas recipients of personal information must adhere to the Australian Privacy Act. Information should only be disclosed to recipients when they adhere to similar regulations, consent is received, or there is an exception. This must be confirmed before the disclosure of the information. In the case recipients do not adhere to the regulations, the entity could be liable.

Use, Disclosure, or Adoption of Government Related Identifiers. Government related identifiers for individuals cannot be adopted by entities to use as their own. They also cannot use or disclose this government related identifier unless there is an exception.

Personal Information Quality. Personal information collected, used, or disclosed must be accurate, up-to-date, and complete.

Security of Personal Information. Personal information must be protected from misuse, unauthorized access, interference and loss, disclosure, and modification. Information that is no longer required for business reasons should be anonymized or destroyed.

Access to Personal Information. Individuals must have access to their personal information.

Personal Information Correction. In the case that individuals request corrections to their personal information, steps must be taken by the entities to make these corrections.

Privacy Act of 1993

The primary purpose of New Zealand's Privacy Act of 1993 is to protect individuals [9]. It addresses the collection, use, and storage of identifiable personal data which affects consumer marketing [9]. This regulation was used as a framework by other countries for their privacy regulations [9]. It is comprised of 12 principles, which are detailed below [10].

Purpose of Personal Information Collection. There must be a lawful purpose that aligns with the organization's mission for personal data collection. Collection of personal data must be necessary to fulfill that purpose.

Source of Personal Information. Information collected must be obtained directly from the individual, except in the case that the information is public.

Collection of Information from the Subject. Organizations must notify individuals about information collection, the reason for the collection, who the information will be shared with, the name and location of the agencies that collect and manage the information, regulations related to the authorization of the collection, whether the collection was voluntary or mandatory, and the results of not providing requested information.

Manner of Collection of Personal Information. Data collection cannot be unlawful, unfair, or intrusive. Transparency is required.

Storage and Security of Personal Data. Stored data must be secured to prevent loss, access, use, modification, unauthorized disclosure, or misuse.

Access to Personal Information. Individuals can request confirmation on whether the agency has their information. They are also entitled to access that information.

Correction of Personal Information. Individuals can request corrections to their information and the agency must make reasonable changes.

Accuracy of Personal Information to be Checked Before Use. Agencies must ensure personal information is accurate, up-to-date, complete, relevant, and not misleading.

Agencies Must Not Keep Personal Information Longer than Necessary. Agencies should not retain information longer than needed to fulfill the purpose for which it was collected.

Limits on Use of Personal Information. Agencies that collect information must use it for purposes originally stated, unless a reasonable exception applies. Exceptions include information that is public, is authorized by the individual, would not cause prejudice, is necessary to reduce a threat, is used for a purpose related to that for which it was originally obtained, or is anonymized.

Limits on Disclosure of Personal Information. Agencies cannot disclose personal information unless it is related to the purpose for which it was collected, the information is public, the individual authorizes the disclosure of the information, the information would not prejudice the individual, the information is necessary to reduce a threat, the information is necessary for the sale of a business, or the information is anonymized.

Unique Identifiers. Unique identifiers should not be assigned to information. Exceptions include identifiers that increase the efficiency of an organization or that are used for the disclosure for which the identifier was assigned.

Data Protection Directive (Directive 95/46/EC)

The EU Data Protection Directive, also known as Directive 95/46/EC, was adopted by the European Union in 1995 to protect the privacy and personal data of EU citizens [11]. It is comprised of 7 principles, which are detailed below.

1. Individuals should be given notice when their data is collected.

2. Individuals should be informed of the party or parties collecting their data.


3. All personal data collected should be safeguarded from abuse, theft, or loss.

4. Consent is needed from data subjects to disclose or share data with third parties.

5. Individuals should have access to their personal data, as well as the ability to correct any inaccuracies.

6. Data collected should only be used for purposes stated when it was originally collected. It should not be used for any other purposes.

7. Data subjects must be able to hold personal data collectors accountable to all principles outlined.

Personal Data (Privacy) Ordinance

Hong Kong's Personal Data (Privacy) Ordinance was passed in 1996 [12]. Its primary purpose is to protect personal data [12]. In 2012, an Amendment Bill expanding the scope to include the use of personal data for marketing purposes was passed [12]. The ordinance is comprised of 6 principles, which are detailed below.

Data Collection Principle. The collection of data must be done in a lawful and fair manner [12]. Data should only be collected if it is being used [12]. Data subjects must be aware of the purpose for collection and usage, as well as third parties who may receive the data [12].

Accuracy & Retention Principle. The organization should take the necessary steps to ensure personal data is accurate. Data should only be kept as long as it fulfills its purpose.

Data Use Principle. The use of personal data is limited to the purpose for which it was collected or related purposes. In the case voluntary or explicit consent is given, there is an exception.

Data Security Principle. Practical steps to safeguard data from unauthorized access, accidental access, unauthorized processing, erasure, loss, or unauthorized use must be taken.

Openness Principle. Steps must be taken to make individuals aware of data policies, practices, and usage.

Data Access & Correction Principle. Individuals must be given access to their personal data and have the ability to make corrections when data is inaccurate.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The United States' Health Insurance Portability and Accountability Act of 1996 protects a patient's health information. This information is also known as "protected health information" [13]. It aims to prevent disclosure of protected health information without a patient's knowledge, consent, or authorization, while still enabling the flow of health information to promote and maintain quality healthcare and protect public health [13]. The regulation applies to healthcare providers, health plans, healthcare clearinghouses, and business associates [13]. The entities must:

1. Protect the confidentiality, integrity, and availability of healthcare information.

2. Safeguard healthcare information from security threats. Entities must take the necessary steps to detect these threats.

3. Protect health information against foreseen prohibited use or disclosure.

4. Certify workforce compliance.

Data Protection Act 1998

The UK was encouraged after the passing of the EU Data Protection Directive [14]. In 1998 they went on to pass the Data Protection Act to protect citizens' rights related to personal data collection and protection [14]. It is comprised of 8 principles, which are detailed below [14].

Fair and Lawful Use. Organizations need to be transparent when it comes to collecting and using data. There must be transparency around the identity of the data controller.

Clear Purpose. The reason for collecting data must be clear and conveyed to the data subject. Data should only be used for purposes originally stated. In the case it will be used for other purposes, additional consent is needed and the purposes must be disclosed.

Adequacy, Relevancy, and Reasonable Use. Organizations should not collect information in excess of what is needed for purposes originally stated.

Accuracy of Information. Information on the data must be accurate, including the origin and meaning. All data must be kept up to date.

Storage and Retention. Data should not be kept longer than needed to fulfill the purposes originally stated.

Individual Rights. Individuals have the right to access their information and decline the use of any data that would be damaging or distressful. Individuals have the ability to refuse the use of their data for marketing or automated purposes. They have the right to ensure the accuracy of their data and request its deletion if it is incorrect.

Security. The proper safeguards should be put in place for the collection, storage, and disposal of data to prevent unlawful use or accidental loss.

International Use. Data can only be transferred to nations that have similar or higher safeguards for personal data processing.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, repealed previous laws targeting financial institutions. It also mandated additional privacy protections for financial institutions that service customers [15]. It aims to protect nonpublic personal information, which includes personal information provided for financial products or services, transaction information, and information obtained from consumer reports or court


records [15]. Below are the key items set forth in the law [16].

1. The appropriate administrative, technical, and physical safeguards to protect the security, integrity, and confidentiality of customer data must be put in place. Data must also be protected from unauthorized access. Consumers must be notified of the safeguards that are put in place [15].

2. Financial institutions must provide notice to consumers about the type of nonpublic information collected and how it is used.

3. Individuals must be able to opt out of financial institutions sharing nonpublic information with specific third parties. Financial institutions should not disclose account number information for marketing purposes.

4. When establishing customer relationships, financial institutions must disclose their privacy policy. It must include categories of nonpublic information that is collected, policies and practices of the institution, and the categories of information that may be disclosed.

5. Information from consumers must not be received under false pretenses. Financial institutions that knowingly or intentionally violate this section could face criminal penalties.

6. The regulation must be enforced.

Personal Information Protection and Electronic Documents Act

Canada's Personal Information Protection and Electronic Documents Act went into effect in 2000. Its primary purpose is to build trust in electronic commerce by governing the collection, use, and disclosure of personal information. It has since expanded to additional industries, including banking, broadcasting, and healthcare [17]. All private sector organizations must adhere to the regulation. It is comprised of 10 principles, which are detailed below [18].

Accountability. All information held by the organization should be protected. Policies and practices surrounding personal information should be developed and implemented. All relevant organizations should comply with the principles of the regulation. Someone should be appointed to be responsible for compliance.

Identifying Purposes. Organizations need to understand the purpose for which they are collecting information to ensure they are only collecting data that is needed. Individuals must be notified about why their information needs to be collected.

Consent. Meaningful consent is needed from individuals to use, collect, or share their information. Individuals need to understand what they are consenting to and the consequences of providing consent. Consent can only be required when the information is necessary. Individuals can withdraw their consent at any time, but they must be informed of the implications this will have [18].

Limiting Collection. Only information that has a specific purpose should be collected. Honesty about the reason the data is being collected is necessary and all information must be collected fairly and lawfully.

Limiting Use, Disclosure, and Retention. Data can only be used or disclosed for purposes identified when it was collected. Information can only be kept long enough to serve the purposes for which it was collected. Organizations must understand what data they have and how it is being used. Consent is needed if data will be used or shared in ways not previously identified. Data must be used appropriately. Organizations must have guidelines in place for the retention and destruction of data. Information no longer needed must be destroyed or anonymized.

Accuracy. Accurate information must be kept and used.

Safeguards. Information must be safeguarded from loss, theft, unauthorized access, disclosure, duplication, use, or modification.

Openness. There must be openness and clarity surrounding data management and practices.

Individual Access. Individuals should be able to access information about them, as well as challenge its accuracy and completeness. Information should be amended as necessary.

Challenging Compliance. Individuals can challenge the organization's compliance based on the above-mentioned principles.

APEC Privacy Framework

The APEC Privacy Framework was developed to provide free information flow for continued trade and economic growth in the Asia Pacific Economic Cooperation region while ensuring privacy protections [19]. It is comprised of 9 principles, which are detailed below [20].

Preventing Harm. Protections must be put in place to prevent the wrongful use or collection of personal information. Safeguards must be proportionate to the amount of harm that could be done.

Notice. Individuals must be notified before or when their information is being collected. In the case they cannot be notified at that time, notice must be given within a reasonable timeframe.

Collection Limitation. Personal information must be collected lawfully and fairly, and only for the purpose for which it is being used. In some cases, notice to or consent of the individual is required.

The Use of Personal Information. The use of personal information is limited to the purposes for which it was collected or other related purposes.

Choice. Individuals should have a choice when it comes to the collection, use, and disclosure of their data. If information is publicly available, there is an exception.

Integrity of Personal Information. Information should be accurate, complete, and kept up to date.


Security Safeguards. Security safeguards that are proportional to the risk of potential harm must exist for personal data. They should be assessed periodically.

Access and Correction. Individuals can access their personal information and challenge its accuracy [20]. In the case information is inaccurate, individuals can request a correction. If accessing data is a burden or making a correction presents risks, there is an exception [20].

Accountability. The data controller must comply with the regulation and can be held accountable in the case of noncompliance.

Federal Data Protection Law

Mexico's Federal Data Protection Law went into effect in 2011 to protect personal data that is being held by private parties [21]. Below are the key items set forth in the law.

1. Data controllers must adhere to the regulation principles laid out, specifically when it comes to legality, consent, notice, quality, purpose, fidelity, proportionality, and accountability.

2. Personal information must be collected and processed lawfully and truthfully.

3. Individuals must consent to the use of their data and have the ability to revoke consent at any time. For sensitive personal data, written consent is needed.

4. Data must be kept accurate and up to date.

5. Data should only be kept as long as it fulfills its purpose [21]. Information about "nonperformance of contractual obligations" must be removed after 72 days of nonperformance.

6. Data can only be processed in the way it is described in the privacy notice. In the case the organization decides to process it differently, the individual must be notified.

7. Individuals must be notified as to what information is collected about them and why. This must be stated in the privacy notice.

8. Privacy notices must include information on the identity and domicile of the data controller; the reason for data processing; limitations of data use or disclosure; individual rights of access, cancellation, or objection; data transfers; and how individuals will be notified about privacy notice changes.

9. Individuals should be notified about changes in the privacy notice that are related to how data is obtained.

10. Organizations must take the proper measures to safeguard information and prevent "damage; loss; alteration; destruction; or unauthorized use, access, or processing" of data. Risk and consequences should be taken into consideration when implementing safeguards [21].

11. Security breaches must be reported immediately to the data owner.

12. Confidentiality of the data must be maintained by the data controller.

Data Privacy Act

The Philippines Data Privacy Act was passed in 2012 to protect individual privacy while still "ensuring the free flow of information for innovation and growth" [22]. The regulation was updated in 2016 [22]. The law applies to organizations with offices in the Philippines or organizations that process data in the Philippines. It applies to all citizens of the Philippines regardless of their current place of residence. It does not include the processing of information in the Philippines that was legally collected from foreign residents [22]. Below are the key items set forth in the law.

1. A National Privacy Commission must be implemented.

2. All data should be processed in a transparent, purposeful, and proportional manner.

3. Data must be collected for legitimate purposes that are known to the individual. Consent is needed for the collection of personal data. The individual must understand the purpose for which their data is being processed and be aware of any use for profiling, marketing, or sharing. Additional consent is needed for data sharing. Consent is not needed if information is fulfilling a contractual agreement, protecting the data subject, or being used to "respond to a national emergency".

4. Shared data must be accompanied by an agreement that safeguards the data subjects.

5. The Philippines Human Security Act of 2007 must comply with the Act.

6. Privacy and security programs must be created.

7. Individuals can request the deletion of their data from a database. Individuals have additional rights and the ability to take action if data is "inaccurate, incomplete, outdated, false, unlawfully obtained", or used in an unauthorized fashion. They also have rights related to data portability.

8. A data breach must be reported to data subjects and the National Privacy Commission within 72 hours if sensitive information that can be used for identity fraud was obtained, there is a belief that an unauthorized acquisition has occurred, there is a belief that significant harm can occur, or the risk to the individual is real. Failure to notify the parties can result in significant penalties [22].

Personal Data Protection Act 2012

Singapore's Personal Data Protection Act was passed in 2012 [23]. Its objective is to regulate the collection and usage of personal data [23]. Below are some key items set forth in the law.

1. Personal data can only be collected for purposes an individual would find reasonable and appropriate.

2. Individuals must be notified of the purposes for which data is collected. Notification must take place before data is collected, used, or disclosed. Consent can either be expressed or implied. Consent can also be withdrawn, but any legal consequences will be the responsibility of the individual [24].


3. Individuals have the ability to control and access their personal data. They are able to correct, block, and request erasure. Organizations can choose not to correct the data, but there must be a note that the data was not changed. When it comes to erasure, requests may be considered when data no longer serves a purpose. In the case the data is publicly available, it is possible that data will not be erased [24].
4. There must be reasonable security to protect data and prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or other risks.
5. Transfer of data outside of Singapore is limited.

Protection of Personal Information Act
South Africa’s Protection of Personal Information Act was signed into law in 2013 and covers the jurisdiction of South Africa [25]. It addresses both personal information and information related to juristic persons [25]. Below are the key items set forth in the law.
1. Personal information must be processed lawfully and reasonably.
2. Data must be collected for a specific, defined purpose and the individual must be notified.
3. Additional processing of the information must be related to the original processing.
4. Organizations must take the necessary steps to ensure the quality of personal information is maintained. All information should be complete, accurate, up-to-date, and not misleading [26].
5. Individuals must consent to the collection of personal data and must be notified about collection.
6. Documentation of processing operations is mandatory.
7. Individuals must have access to their personal information.
8. Security safeguards must be in place to protect the integrity and confidentiality of data [26]. In the case of a breach, parties must be notified “as soon as reasonably possible”.
9. A Data Protection Officer is required at all organizations. The individual must register with the Information Regulator [25].

Turkish Data Protection Law
The Turkish Data Protection Law was born from the European Union Directive 95/46/EC, also known as the EU Data Protection Directive (1995) [27]. Below are some key items set forth in the law.
1. There must be a specific purpose for the processing of personal information. Any further processing is prohibited. If other reasons present themselves, the data controller will need to receive consent from data subjects.
2. Consent is needed for the processing of both sensitive and non-sensitive data.
3. Sensitive and non-sensitive personal data can be transferred outside of Turkey; however, the receiving country must have adequate data protection and both parties in the transfer must commit to protecting the information.
4. Data controllers must register with the Data Controller’s Registry. Policies must be presented [27].

Cybersecurity Law
The Cybersecurity Law of China was passed in 2016 [28]. The law addresses how organizations should approach privacy and security for personal data. Below are the key items set forth in the law [28, 29].
1. The proper security safeguards must be put in place. A layout and requirements for cybersecurity are provided and key infrastructure is included.
2. Individual privacy must be achieved. The collection and usage of personal data is standardized in the law.
3. Domestic storage is required for all sensitive data.
4. Organizations that violate the law will incur penalties.
5. Individuals have the right to request corrections to their data. This includes all personal data collected and stored by the organization. The necessary steps should be taken to remove or correct the individual’s information.
6. All information collected requires consent and notification to the individual.
7. All collected information needs to be used legally and properly.

Personal Data Protection Bill 2019
India’s Personal Data Protection Bill was passed in 2019 [30]. It includes a number of provisions to protect personal data, which are outlined below [30].
1. Data can only be processed if there is a clear and lawful purpose. This data must be processed fairly, reasonably, and only for the purpose for which the individual has given consent.
2. Only data necessary for processing can be collected.
3. Organizations must ensure the data being processed is complete, accurate, up-to-date, and not misleading. Individuals are able to request corrections.
4. Personal information should only be kept for the period in which it is being processed. Following this period, it should be deleted.
5. Data fiduciaries must comply with this regulation.
6. Notice is needed at the time of data collection.
7. Individuals must be notified of breaches as soon as possible.
8. Data can be transferred outside of India only with the data subject’s explicit consent [30].

3.2. Recent Data Protection and Privacy Regulations

The regulations listed below are the most recent data protection and privacy regulations. These regulations capture the majority of the mandates discussed in previous regulations and build on them further.

General Data Protection Regulation (GDPR)
The General Data Protection Regulation was passed in 2018. It replaces the UK’s Data Protection Act (1998) and the EU’s Data Protection Directive (1995). There are 7 key principles of GDPR which are listed and detailed below [31, 32].
Lawfulness, Fairness, and Transparency. All data must be processed lawfully, fairly, and transparently.
Purpose Limitation. Data must be collected for specific and legitimate purposes that are explicitly stated. Data cannot be processed in ways other than what is outlined.
Data Minimization. Data collection is limited to data that is relevant for processing purposes.
Accuracy. Information must be accurate and kept up to date. Inaccurate information must be corrected or deleted.
Storage Limitation. Data should be kept no longer than what is necessary for processing.
Integrity and Confidentiality (Security). Appropriate organizational and technical safeguards must be put in place to protect data from unauthorized or unlawful processing, loss, destruction, or damage [32].
Accountability. Data controllers are responsible for GDPR compliance and are held accountable for ensuring the proper measures are in place [32].

Personal Data Protection Act
The Thailand Data Protection Act was passed in 2019 and goes into effect in 2020 [33]. The regulation applies to organizations that offer products and services in Thailand or track individuals in Thailand [33]. The key items set forth in the law are detailed below.
1. Organizations must have a legal reason for the collection and usage of personal data. In some cases, consent is required.
2. Appropriate security safeguards must be implemented to protect personal data. In the case of data breaches, notifications must be provided.
3. Individuals are able to exercise their rights regarding their personal information.
4. For sensitive personal data, additional safeguards are needed to protect privacy.
5. In some cases, a Data Protection Officer must be appointed.

The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act was passed in 2018 and went into effect in 2020 [34]. The regulation applies to organizations that do business in California and process the data of California residents [35]. The key items set forth in the law are detailed below.
1. Individuals have the right to know when their data is being collected and used.
2. Individuals have the right to know if their information is sold or disclosed. They also have the right to know the names and addresses of the parties their data is being shared with.
3. Individuals have the right to access their personal data. They also have the ability to request copies of their data.
4. Individuals cannot be discriminated against for exercising their privacy rights.
5. Individuals have the right to know what type of personal information is being collected, as well as what specific information.
6. Individuals have the right to request deletion of their personal data.
7. Individuals have the right to know the source of collection of their personal data.
8. Individuals have the right to know why their personal data is being collected or sold.
9. Individuals have the ability to opt out of the collection, sharing, or sale of personal data.
10. Organizations need explicit consent for collecting and selling information about minors [36].
11. Individuals have the right to sue organizations that do not comply with CCPA [36].

Brazilian General Data Protection Law
The Brazilian General Data Protection Law was passed in 2018 and goes into effect in 2020 [38]. It applies to both public and private organizations that “process personal data in Brazil”, “process personal data that was collected in Brazil”, or “process personal data to offer or provide goods or services in Brazil” [38]. The key items set forth in the law are detailed below.
1. Personal data can be processed if individual consent is received, it is needed for contract fulfillment, there is a legal obligation, it is needed for research studies, it is needed for health care purposes, or it affects the physical safety of an individual. Sensitive information can only be processed with consent.
2. Individuals have the right to request access to their personal data; deletion of personal data that was processed without consent; corrections to incomplete, inaccurate, or stale data; and anonymization, blocking, or deletion of data processed in ways not compliant with the regulation. This also applies to data that was collected in excess [38].

3. Individuals have the right to transfer personal data between service or product providers.
4. Individuals have access to information about the parties their personal information is shared with.
5. Any data transferred outside of Brazil must have adequate protection.
6. Data transferred outside of Brazil requires consent from the individual or contractual instruments.
7. An individual must be put in charge of processing the data [38]. They will be liable for regulation compliance [38].

3.3. Upcoming Data Protection and Privacy Regulations

Many countries are putting significant effort into amending their existing data protection and privacy regulations, while others are working to develop new regulations. Some of the most notable upcoming regulations are listed below.

Act on the Protection of Personal Information
Japan’s Act on the Protection of Personal Information was passed in 2003 and updated in 2015. The cabinet of Japan recently approved a bill for further amendments to the Act [39]. The key items set forth in the law and proposed amendments are listed below.
1. Data subjects can request that organizations stop using, delete, or stop the transfer of information that was used for purposes other than those originally stated [39]. This also applies to information used improperly or in violation of the original Act on the Protection of Personal Information. The new amendment will increase the scope, allowing these requests when an individual believes their interests are likely to be violated.
2. Individuals can request access to their personal data, as well as records about data sharing with third parties.
3. Any personal data will be considered retained regardless of the retention timeframe.
4. Under the original Act on the Protection of Personal Information, data subjects needed to consent to the sharing of data with third parties. The amendment will utilize opt-out to restrict the data that could be shared. Data collected deceitfully or improperly cannot be shared. In addition, data received under an opt-out scheme cannot be used.
5. In the case of a data breach, data subjects must be notified if their rights and interests will be violated.
6. Personal data cannot be used in ways that “encourage or cause the unlawful or undue use of data”.
7. Pseudonymized information will be used to ensure a specific individual cannot be identified by the data. This mandate is limited to the organization.
8. When it comes to sharing data, the recipient of the data must confirm that consent was given by the individual to share their data.
9. If data is transferred outside of Japan, the receiving organization must provide information on the data protection system that country has in place.
10. Organizations must detail and notify individuals as to how their information is being used. Consent is needed from individuals when information is being used for purposes other than what was originally stated. Information must be obtained in a lawful and truthful manner.
11. The necessary measures must be taken to prevent data breaches, as well as loss or damage to information.

Data Security Administrative Measures
In May 2019, the draft of China’s Data Security Administrative Measures was released [41]. Personal information and important information (information that could significantly impact national security, social stability, public health, public security, and economic security) are covered in the regulation. The regulation was developed to supplement China’s Cybersecurity Law and Personal Information Security Specifications [41]. It further addresses notice and consent, registration requirements, exceptions for personal information disclosures, guidelines for the collection and use of personal information, data breaches, cross-border transfers, penalties, and additional measures for data and activities.

The regulations listed above are the primary data protection and privacy regulations around the globe. While some regulations may include additional principles, the key principles have been identified. It is also important to note that there may be exceptions to some of the identified principles.

3.4. Common Principles Found in Data Protection and Privacy Regulations

Figure 2 below summarizes the primary principles that are found in data protection and privacy regulations.

Principle | Definition
Openness and Transparency | Refers to openness and transparency when it comes to the collection, usage, storage, or sharing of personal data.
Fair, Lawful, Adequate, Relevant, and Reasonable Use | Refers to the fair, lawful, adequate, relevant, and reasonable use of personal data.
Notification | Refers to notification of data practices, including collection, usage, storage, or sharing. It could also include notification of changes to practices.
Safeguards | Refers to the safeguards that must be put in place to protect personal data from unauthorized access, abuse, theft, loss, accidental access, unauthorized processing, and/or unauthorized erasure.
Consent | Refers to consent that is needed or requested for the collection, usage, storage, or sharing of data. This could include opt-in or opt-out.
Data Quality and Accuracy | Refers to the maintenance and assurance of personal data quality. This could include an individual’s ability to request corrections to personal data or deletion.
Storage and Retention | Refers to the retention and storage of personal data. This could include storage timeframes, the type of data that is stored, and general storage practices.
Data Access | Refers to individuals having access to their personal data.
Cross-Border Transfer | Refers to the requirements related to transferring personal data outside of the current region.
Government Related Identifiers | Refers to the use, disclosure, or adoption of government related identifiers.
Data Collection | Refers to requirements and limitations related to the purpose, source, and manner of personal data collection.
Appointments of Officers and Commissions | Refers to the appointment of officers and commissions to manage personal data and maintain responsibility for regulation compliance.
Reporting of Breaches | Refers to time frames in which data breaches must be reported.
Right to Be Forgotten | Refers to the right for an individual to have their personal information removed from applications, storages, searches, etc.
Purpose Limitations | Refers to limitations on how personal data can be processed.

Figure 2. Main Principles Found in Data Protection and Privacy Regulations

Identifying the most common principles found in regulations helps in understanding the purpose and goals of data protection and privacy regulations. As global governments gain more knowledge about how data collection, processing, and retention threaten privacy and have other negative impacts, more regulations will be amended, drafted, and passed. This will result in an expansion of the common principles.

4. Challenges Presented by Regulations

The safeguards found in data protection and privacy regulations have made compliance challenging. Many of these specific challenges have been identified and detailed below.

4.1. Understanding and Acting on the Broad and Vague Context of Regulations

Many regulations are written in a broad and vague context. This requires them to be deciphered. A recent GDPR-related survey identified “deciphering expectations” as the largest challenge for organizations [6]. It was noted that many feel GDPR is extremely broad and could apply to all data on individuals [42]. According to another study, some provisions in CCPA are considered “too broad” and/or “vague” [43].
Organizations must have a thorough understanding of regulations in order to decipher them. Once this is achieved, organizations need to determine whether the regulations apply to them, what areas in which the regulations apply, and what they need to do to comply in both a broad and granular sense.
This could be extremely taxing for organizations, especially small and mid-size enterprises (SMEs) with small departments, large workloads, and limited resources.

4.2. Translating Regulations into a Technical Context

Regulations are written in a non-technical context. According to a GDPR study, this qualitative approach results in a lack of clarity [6]. Organizations must try to decipher and understand the objectives of the regulations. They then need to identify the technical steps that need to be taken to achieve those objectives.
Like the previous challenge, this could be extremely taxing for organizations, especially small and mid-size enterprises (SMEs) with small departments, large workloads, and limited resources.

4.3. Overcoming Technical Challenges

There are several technical challenges when it comes to complying with data protection and privacy regulations.

Identification of Security Controls
Many of the regulations mandate security controls, which could include encryption, data anonymization or pseudonymization, and access and identity management, among others [44]. The regulations do not identify specific controls, which leaves this requirement open to interpretation. In addition, these safeguards could take time to put in place and can be especially challenging for organizations that have limited resources or are not security focused.

Managing Data
Organizations need to have a clear understanding of their data flow mapping [6]. This gives them insight into how data behaves and where it is stored [6]. In turn, organizations can control data and protect it [6].
An example of this challenge can be found when trying to comply with GDPR’s “right to be forgotten”. Individual information can be exchanged and kept on multiple applications including emails, databases, files, etc. [45]. It can also be found in onsite or off-site storage [45]. When data controllers or individuals responsible for managing data receive a “data removal request” they need to know where to go to delete it.
It is important to note that organizations that take the necessary steps to understand data behavior may unearth larger challenges that need to be addressed (e.g. the use of extremely risky data practices) [6].

Lack of Automation
In many cases, organizations are using manual processes and workflows. This is especially true when it comes to data mapping and tagging [6]. Automation is needed to have an efficient and effective process, and to ease the challenges that come with data protection and privacy regulation compliance.
It is believed that automation could facilitate technical compliance in the case of GDPR [6]. When data controllers or individuals responsible for managing data receive a “data removal request” they must manually search for, identify, and remove the data [45]. This needs to be done in both the production and backup environment [45]. Automated processes and workflows could simplify the process; however, organizations will need to have significant resources to implement them.

Updating Proprietary Technology
Many organizations have internally built proprietary technology. Unlike vendor-provided platforms, organizations will need to take on the task of updating these systems so they are compliant. This will take both time and resources.

Deleting Information on Backups
Backing up data is a process that happens repeatedly to ensure organizations have copies of up-to-date information. This process is critical for business continuity, as it enables the quick recovery of systems and data when they are damaged or lost due to malicious actions, hardware failures, system crashes, etc. [45].
As previously mentioned, GDPR includes the “right to be forgotten”. This requires information to be deleted from backups, which is extremely challenging and sometimes impossible.
Data cannot be erased from optical disks [45]. New backups need to be made every time an individual requests the removal of their data [45], and all previous disks must be destroyed [47]. In the case of hard disks, the relevant data needs to be deleted from the current storage and all backups need to be altered [48]. For tapes, which cannot be randomly accessed, the whole database needs to be restored [49]. This is both costly and complex [45]. It can also take a significant amount of time.

4.4. Complying with Multiple Regulations with Different Requirements

There are many data protection and privacy regulations throughout the world, each having different requirements for compliance. This makes it challenging for organizations to implement and manage the proper controls.
The scope of information covered by regulations is a primary example. Recent regulations are expanding personal data to include IP address, location, biometrics, and genetic information [46]. Another example is that some regulations mandate one action and process, while another mandates the opposite action and process. GDPR requires individuals to “opt in” for data collection, while CCPA automatically infers individuals are opted in and requires that users have the ability to “opt out”. This requires organizations to have two different workflows in place, which can be difficult to manage.

4.5. Updating, Monitoring, and Managing Workflows and Processes

Workflows must be developed or updated to achieve data protection and privacy regulation compliance. In addition, the organization needs to continuously manage these workflows.
This could be a learning curve for organizations. It also requires a significant amount of resources. This can be especially taxing for SMEs who may not have dedicated teams in place and/or have minimal budgets.

There are many challenges related to data protection and privacy regulation compliance, including understanding and acting on broad and vague regulations; translating regulations into a technical context; updating, monitoring, and managing workflows and processes; and complying with multiple regulations at once. There are also technical challenges that organizations face. Understanding these challenges is important, as it will assist in achieving data protection and privacy in the long term.

5. Recommendations

The previous section identifies some of the challenges organizations face when trying to comply with regulations. This section presents recommendations to mitigate the challenges and achieve data protection and privacy in the long term.

5.1. Provide Detailed and Precise Requests in Regulations

Many data protection regulations are broad and vague in context. This leaves room for interpretation. In order to avoid misinterpretation and achieve the desired compliance, regulations need to be clear and concise about objectives and what needs to be done to achieve them.
For example, many of the regulations require that personal information only be kept as long as it is being used. More clarity is needed on this statement, specifically around the word “used”. Organizations need to understand what does and does not constitute data usage to prevent the storage of information for nonsensical reasons. There should also be a maximum time frame provided for the retention of personal data. After this period, personal data must be destroyed, or additional consent must be given. This will prevent information from being stored for
extensive periods of time, which would result in inaccurate or out-of-date information. In the case of a data breach, this would also reduce the amount of information that is taken.

5.2. Identify Technical Requirements and Provide Support

Current regulations do not include any technical information. They are strictly presented in non-technical language. This makes regulations challenging for IT teams to decipher and leaves room for interpretation when it comes to the appropriate approach that needs to be taken. The specific controls that need to be implemented should be identified, as well as the type of data the controls need to be applied to.
In addition, IT teams should be provided with best practices and acceptable standards for these controls. These can come in the form of regulation companion guides. Many organizations would benefit from the ability to speak with an expert on regulations. For this reason, there should be designated agencies or teams within agencies that can respond to questions or provide hands-on support. This is the case for some existing regulations, but not all.
These additions will clarify what controls regulators deem appropriate; ensure the controls and safeguards provide appropriate protection for the data; and provide overall support for organizations, which would help ensure the regulations are being adhered to.

5.3. Establish a Global Agency to Address Data Protection and Privacy Regulations and Standards

A global agency should be developed to oversee data protection and privacy. This agency would be responsible for advocating for data protection; monitoring the risks related to the collection, usage, and sharing of personal data; establishing structure and principles for data regulations; and helping to ensure the overall protection of an individual’s personal data. Having one centralized agency will help identify specific objectives and streamline regulations. This could mitigate the piecemeal approach that is currently taking place and is creating a number of challenges.

5.4. Identify Long-Term and Short-Term Objectives and Set Reasonable Time Frames for Compliance

Some of the most recent regulations require drastic and expensive changes to be made in short timeframes. For example, the “right to be forgotten” would require personal data to be deleted from backups. Depending on how data is backed up, this could be extremely challenging or impossible for organizations to achieve in the short term, as they may have to update their entire backup process.
In order to protect data in the long term, both short-term and long-term objectives must be set. Items like the “right to be forgotten” could be broken down into long-term and short-term objectives. For example, all backup processes must be of a certain standard within two years of the regulation passing, and all organizations must adhere to the “right to be forgotten” within four years of the regulation passing. Other short-term objectives could address personal data collection and usage.
The recommendations above will assist regulators in developing regulations that organizations can comply with more seamlessly. In addition, they can provide a more long-term vision for data protection and privacy.

6. Conclusion

Individual privacy and protection have been a concern for many years. As the collection and usage of personal data increases, regulations are passed and amendments are made. Many of these regulations have presented a number of challenges for organizations.
In this paper, we identified different data protection and privacy regulations, as well as the compliance challenges organizations face. This was necessary in order to provide recommendations that can be used to develop future regulations, make amendments to current regulations, and achieve overall data protection and privacy in the long term.
Future work should consider studying the recommendations on a more granular level, including specific security controls that should be implemented; contents of companion guides; and the identification of responsibilities, objectives, and a framework for a global data protection agency. Future studies can also be done on data protection and privacy regulation challenges in IoT.

References

[1] Solove, D. J. (2016). A brief history of information privacy law. Proskauer on Privacy, PLI.
[2] Choi, J. P., Jeon, D. S., & Kim, B. C. (2019). Privacy and personal data collection with information externalities. Journal of Public Economics, 173, 113-124.
[3] https://www.businessinsider.com/invasion-of-data-privacy-online-in-person-examples-2020-1#make-no-mistake-this-data-is-valuable-in-2018-american-companies-spent-an-estimated-19-billion-getting-and-analyzing-consumer-data-third-parties-known-as-data-brokers-collect-the-information-and-sell-it-2
[4] Brown, B., Kanagasabai, K., Pant, P., & Pinto, G. (2017). Capturing value from your customer data. McKinsey & Company.
[5] https://www.pewresearch.org/internet/2019/11/15/americans-concerned-feel-lack-of-control-over-personal-data-collected-by-both-companies-and-the-government/
[6] Sirur, S., Nurse, J. R., & Webb, H. (2018, January). Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR).
In Proceedings of the 2nd International Workshop on Multimedia Privacy and Security (pp. 88-95).
[7] Presthus, W., Sørum, H., & Andersen, L. R. (2018). GDPR compliance in Norwegian companies. Paper presented at NOKOBIT 2018, Svalbard, 18-20 Sept. NOKOBIT, vol. 26, no. 1, Bibsys Open Journal Systems, ISSN 1894-7719.
[8] https://iapp.org/news/a/gdpr-matchup-australias-privacy-act-1988/
[9] https://www.marketing.org.nz/Resources/Article?Action=View&Article_id=16
[10] https://iapp.org/news/a/gdpr-matchup-new-zealands-privacy-act-1993/#
[11] https://whatis.techtarget.com/definition/EU-Data-Protection-Directive-Directive-95-46-EC
[12] https://iapp.org/news/a/gdpr-matchup-hong-kongs-personal-data-privacy-ordinance/
[13] https://www.cdc.gov/phlp/publications/topic/hipaa.html
[14] https://www.total-shred.com/the-data-protection-act/
[15] https://privacyrights.org/resources/gramm-leach-bliley-act-basics
[16] Gramm-Leach-Bliley Act. https://www.sec.gov/about/laws/glba.pdf
[17] https://digitalguardian.com/blog/what-pipeda-personal-information-protection-and-electronic-documents-act-understand-and-comply
[18] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/principles
[19] https://iapp.org/news/a/gdpr-matchup-the-apec-privacy-framework-and-cross-border-privacy-rules/
[20] Raul, A. C. (2014). The Privacy, Data Protection and Cybersecurity Law Review. ISBN: 978-1-909830-28-8.
[21] Executive Branch, Ministry of the Interior. Decree issuing the Federal Law on Protection of Personal Data Held by Private Parties and amending Article 3, Chapter II of Title II of the Federal Law on Transparency and Access to Public Government Information. https://iapp.org/media/pdf/knowledge_center/Mexico_Federal
[33] https://www.insideprivacy.com/data-privacy/thailand-passes-personal-data-protection-act/
[34] https://iapp.org/resources/topics/california-consumer-privacy-act/
[35] https://iapp.org/news/a/gdpr-matchup-california-consumer-privacy-act/
[36] https://360advanced.com/what-is-ccpa/
[37] https://iapp.org/resources/article/california-consumer-privacy-act-of-2018/
[38] https://www.natlawreview.com/article/6-months-until-brazil-s-lgpd-takes-effect-are-you-ready
[39] https://iapp.org/news/a/analysis-of-japans-approved-bill-to-amend-the-appi/
[40] https://www.loc.gov/law/help/online-privacy-law/2012/japan.php
[41] https://www.endpointprotector.com/blog/chinas-data-security-administrative-measures/
[42] https://www.dfinsolutions.com/insights/article/deciphering-gdpr-dfin-primer
[43] https://www.nbcnews.com/tech/tech-news/california-bringing-law-order-big-data-it-could-change-internet-n1005061
[44] https://www.mckinsey.com/business-functions/risk/our-insights/gdpr-compliance-after-may-2018-a-continuing-challenge
[45] Politou, E., et al. (2018). Backups and the right to be forgotten in the GDPR: An uneasy relationship. Computer Law & Security Review: The International Journal of Technology Law and Practice. https://doi.org/10.1016/j.clsr.2018.08.006
[46] https://cloud.netapp.com/blog/how-data-protection-regulations-impact-enterprise-storage-management-blg
[47] Ge, Y.-F., Cao, J., Wang, H., Yin, J., Yu, W.-J., Zhan, Z.-H., & Zhang, J. (2019). A benefit-driven genetic algorithm for balancing privacy and utility in database fragmentation. In Proceedings of the Genetic and Evolutionary Computation Conference (pp. 771-776).
[48] Chenthara, S., Ahmed, K., Wang, H., & Whittaker, F. Security and privacy-preserving challenges of e-health solutions in cloud computing. IEEE
_Data_Protection_Act_July2010.pdf access 7 (2019): 74361-74382.
[22] https://iapp.org/news/a/summary-philippines-data-protection- [49] Shu, Jiangang, Xiaohua Jia, Kan Yang, and Hua Wang.
act-and-implementing-regulations/ "Privacy-preserving task recommendation services for
[23] CHIK, Warren B.. The Singapore Personal Data Protection crowdsourcing." IEEE Transactions on Services Computing
Act and an assessment of future trends in data privacy. (2018).
(2013). Computer Law and Security Review. 29, (5), 554-
575. Research Collection School of Law.
[24] https://iapp.org/news/a/gdpr-matchup-singapores-personal-
data-protection-act/
[25] https://iapp.org/news/a/gdpr-matchup-south-africas-
protection-of-personal-information-act/
[26] Van Aswegen, L., Kirkland, A.. How to Comply with South
Africa’s Protection of Personal Information Act (2015)
Trustwave Holdings
[27] https://iapp.org/news/a/gdpr-matchup-turkeys-data-
protection-law/
[28] https://iapp.org/news/a/gdpr-matchup-chinas-cybersecurity-
law/
[29] IT Advisory KPMG China, Overview of China’s
Cybersecurity Law, February 2017
[30] https://iapp.org/media/pdf/resource_c
enter/india_pdpb2019_vs_gdpr_iapp_chart.pdf
[31] https://ico.org.uk/for-organisations/guide-to-data-
protection/guide-to-the-general-data-protection-regulation-
gdpr/principles/
[32] https://www.privacypolicies.com/blog/gdpr-privacy-
principles/

EAI Endorsed Transactions on Scalable Information Systems, 01 2021 - 04 2021 | Volume 8 | Issue 30 | e4
