====== 4.4 National Privacy Considerations ======
|< 100% >|
| [[cbdc:public:cbdc_omg:04_doc:15_common:start| Return to Common Elements]] |
Provide Feedback
|
===== Overview =====
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
Although there is no general federal legislation for data and metadata protection and privacy, there are a number of federal data protection laws that are sector-specific or focus on particular types of data. In addition to the Federal regulations, there are some state laws that are also applicable.
Table {{ref>summaryPrivReg}} summarizes the number of U.S. Laws and Regulations covering Privacy Considerations. The total number (i.e., **''16''**) indicates the complexity of the Privacy that confronts the CBDC just within the U.S. The more Laws and Regulations, the more effort there is to coordinate the CBDC efforts and to work with the Legislative and Executive Branches to keep the Laws and Regulations current with CBDC efforts.
Summary of the number of laws and regulations covering National Security Considerations.
|< 40% 20% 10% >|
^ U.S. Privacy Consideration ^ No. of Laws and Regulations |
^ [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc_omg:04_doc:15_common:45_privacy:start#us_federal_laws_and_regulations | U.S. Federal Laws and Regulations ]] | 10 |
^ [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc_omg:04_doc:15_common:45_privacy:start#us_state_laws_and_regulations | U.S. State Laws and Regulations ]] | 6 |
^ Total ^ **16** |
==== U.S. Federal Laws and Regulations ====
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
There is no single U.S. law or regulation covering **Privacy**, but a whole set of laws. Table {{ref>usPrivacy}} outlines most of the laws as determined by the [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:m_acts_laws | OMG DIDO-RA ]].
There are roughly 10 Laws and Regulations in the U.S. covering Privacy.
List of Applicable U.S. Federal Laws.
|< 100% 5% 35% ->|
^ U.S. Federal Laws ^^|
^ Kind ^ Law / Regulation ^ Description |
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:d:dppa | Driver's Privacy Protection Act of 1994 (DPPA)]] |
DPPA governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles, including photographs, Social Security Number (SSN), Driver Identification Number (DID), name, address (but not the five-digit ZIP code), telephone number, medical information and disability information.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:v:vppa | Video Privacy Protection Act (VPPA)]] |
VPPA restricts the disclosure of rental or sale records of videos or similar audio-visual materials, including online streaming.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cablesubscriber | Cable Subscriber Protection ]] |
Cable Subscriber Protection provides access to all [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:p:pii | Personal Identifiable Information (PII)]] regarding the subscriber which is collected and maintained by a cable operator.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:r:rfpa | Right to Financial Privacy Act of 1978 (RFPA)]] |
The RFPA was put in place to limit the government's ability to freely access nonpublic financial records. The RFPA defines financial institutions as any institution that engages in activities regarding banking, credit cards, and consumer finance. It also defines financial records as any documentation of a consumer's relationship with a financial institution.
|
^ Privacy ^ [[ https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:g:glba | Gramm-Leach-Bliley Act (GLBA) ]]|
The GLBA promotes consumer privacy, the Gramm-Leach-Bliley Act included regulations to limit the ways in which companies handled and shared financial data.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:f:fcra |Fair Credit Reporting Act (FCRA)]] |
The FCRA regulates credit agencies and promotes fair and secure handling of consumer information.
The FCRA attempts to limit the dissemination of information through five main rules:
: 1. Credit reports and investigative reports must be differentiated so that any irrelevant data are not mixed
: 2. Reports can only be made available to those with “legitimate business needs”
: 3. The subject of a report must be notified of any request for their information
: 4. Agencies must give consumers access to their own files if they should ever request them
: 5. A time limit is set for the retention of information on reports. Information that is seven years or older must be deleted, while information regarding bankruptcies can be removed only after fourteen years
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:f:facta |Fair and Accurate Credit Transactions Act (FACTA)]] |
FCRA amended the FCRA with stricter regulations that need to be enforced first. State laws regarding credit scores, credit reports, and insurance were to remain in effect as a result of the amendments. FCRA gave consumers more rights to explanations of their credit scores and the right to a free credit report each year. It also includes two rules:
: 1. Disposal Rule - how to dispose of consumer records
: 2. Red Flag Rule - how financial institutions identify and prevent identity thefts
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cdcrca | Credit and Debit Card Receipt Clarification Act ]] |
Credit and Debit Card Receipt Clarification Act requires account numbers printed on receipts have to be shortened to five digits in order to protect consumer privacy
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:f:fdcpa | Fair Debt Collection Practices Act (FDCPA) ]]|
Under the FDCPA, collectors are not allowed to publish a consumer's name and address on a bad debt list or reveal any information regarding the debt to unaffiliated third parties except the consumer's partner or attorney.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:e:efta | Electronic Funds Transfer Act ]]|
The act implemented requirements so that banks have to notify their customers of any policies regarding the electronic transfer of funds. Banks are also held liable in the event that information is disclosed through telephone without consent. Also, banks would be held responsible for any damages that came as a result of unauthorized access to a consumer's information.
|
==== U.S. State Laws and Regulations ====
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
The U.S. States each can have their own laws or regulations covering **Privacy**, as well as, a whole set of laws. Table {{ref>stateRegulatins}} outlines most of the U.S. State laws as determined by [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:m_acts_laws | OMG DIDO-RA ]].
There are roughly 6 major U.S. State Laws and Regulations covering Privacy.
: **Note:** FACTA ensured that any state laws with stricter regulations than those outlined in the FCRA would be enforced first. State laws regarding credit scores, credit reports, and insurance that were to remain in effect as a result of the amendments were outlined within the act.
List of Applicable U.S. State Laws and Regulations.
|< 100% 5% 35% ->|
^ State Laws ^^|
^ Kind ^ Law / Regulation ^ Description |
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cpa | California Privacy Act]] |
California Privacy Act is a state-level privacy act that provides protection of consumer information. The act is described as a stricter version of the Gramm-Leach-Bliley Act.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:coppa | California Consumer Privacy Act (CCPA)]] |
CCPA gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cccra | California Consumer Credit Reporting Agencies Act (CCCRA)]]|
The CCCRA regulates consumer credit reporting agencies as well as any users of credit reports. The act also provides a narrower definition of “consumer credit report” as any information that falls within credit reports is protected by the act.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:crfpa | California Right to Financial Privacy Act ]] |
California's Right to Financial Privacy Act regulates the state's government agencies' abilities to access nonpublic consumer information. As a result of the act, California's government agencies are not authorized to access financial records unless the consumer gives consent or if a subpoena or a search warrant is issued for the information.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:csbcc | California Song-Beverly Credit Card Act]]|
Under the California Song-Beverly Credit Card Act, companies may not collect personally identifiable information from consumers who purchase goods or services using credit cards. Companies cannot set conditions in which consumers must consent to share their information in order to use their credit cards for a transaction. However, consumer information can be requested in order to complete a credit card transaction as long as the information is never recorded. The act also set a redundant state-level requirement that companies must shorten a consumer's credit and debit card information on receipts.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:v:vpcihi | Vermont Privacy of Consumer Financial and Health Information ]] |
The law defines the purpose, scope, application, compliance, and exceptions to the law.
The purpose of the Vermont Privacy of Consumer Financial and Health Information is to govern the treatment of nonpublic personal information about consumers by financial institutions.
|
==== Exemplar for Metadata ====
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
The following user scenario is meant as an exemplar of the importance of Data Strategy and Data Governance for a U.S.-based CBDC.
=== Theoretical Problem ===
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
The following is a theoretical problem used to highlight some major issues with privacy.
Two U.S. citizens go into a U.S. clinic: John Doe and Jame White.
* John Doe works in an assembly line
* Jane White is a Chief Executive Officer (CEO) and President of one of the largest, most valued innovative companies in the world
Both show up at a medical facility that treats mental health and substance abuse. The diagnosis and treatment for John and Jane are identical, with the same prognosis, and the outcomes are expected to be the same. On a personal level, this is a tragedy for both John and Jane, their families, and their friends.
Both John and Jane would like to keep their visit to the medical facility quiet. John has a better chance of keeping his visit secret, especially since there is no real economic incentive to divulge the secret. However, if it is known that Jane has visited this clinic, the collateral impact on her company, its employees, the investors, and even those investing in competing companies can be wide-reaching and significant.
Regardless, if the data and metadata are about John or Jane, there is a reasonable expectation by both of them that data and metadata about their transaction with the medical facility are secure and remain private.
=== Theoretical Solution ===
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
A theoretical solution is for the CBDC to develop a rigorous and comprehensive Data Strategy that guarantees the security and privacy of the transactional data associated with the CBDC. The CBDC and the Federal Reserve do not need to develop their own Security and Privacy framework but can rely on the existing framework laid out by the U.S. Federal Government.
The [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.l_regulations:fds&s[]=federal&s[]=data&s[]=strategy&s[]=fds | OMG DIDO Reference Architecture (DIDO-RA)]] provides a discussion on what a **U.S. Federal Data Strategy** is.
==== U.S. Federal Government on Data Strategy ====
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
The following is from the U.S. Federal Government on Data Strategy:
: //The U.S. **Federal Data Strategy (FDS)** provides a common set of data principles and best practices. The 2020 Action Plan identifies milestones that are essential for establishing processes, building capacity, and aligning existing efforts. This initial plan builds a solid foundation that will support the implementation of the strategy over the next decade.// [[https://strategy.data.gov/progress/]]
* Privacy refers to the control over a person's [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:p:pii&s[]=personal&s[]=information | Personal Identifiable Information(PII)]] and how the information is used. PII is any information that can be used to determine a person's identity.
* Security refers to how protected a person's PII is from unauthorized or unintended use.
The DIDO-RA summarizes the areas required for a U.S. Federal Data Strategy covering the following areas:
1. Principles
* Ethical Governance
* Conscious Design
* Learning Culture
2. Practices
* Building a Culture that Values Data and Promotes Public Use
* Governing, Managing, and Protecting Data
* Promoting Efficient and Appropriate Data
3. Actions
* Agency Actions
* Community of Practice Actions
* Shared Solution Actions
===== Examples =====
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
The "desirements" specified in [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:15_summary:start&do=edit | White Paper]] and identified by the [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:15_summary:start | OMG's CBDC WG White Paper Analysis]] as **Privacy Issues** are listed in Table {{ref>privacyReq}}.
Examples of **Privacy Desirements** identified during the White Paper Analysis conducted by the OMG's CBDC WG
|< 100% 20% ->|
^ Category ^ Desirements ^
^ Benefits | B0004, B0022 |
^ Policies and Considerations | P0004 |
^ Risks | R0014 |
^ Design | D0012 |
: **Note:** **''B''** = Benefit, **''P''** = Policy, **''R''** = Requirement, **''D''** = Design.
===== Discussion of Examples =====
[[cbdc:public:cbdc_omg:04_doc:15_common:45_privacy:start| Return to Top]]
Table {{ref>privacyReqDiscussion}} provides discussion points for each of the "desirements" identified by the [[https://www.omgwiki.org/CBDC/doku.php?id=cbdc:public:cbdc_omg:15_summary:start | OMG's CBDC WG White Paper Analysis]].
Privacy references of desirements in the **White Paper**
|< 100% 5% 45% 50%->|
^ Desirement No. ^ Desirement Text ^ Comment ^
^ B0004 ^ Protect consumer privacy | Consumer privacy is information privacy as it relates to the consumers of products and services. A variety of social, legal and political issues arise from the interaction of the public's potential expectation of privacy and the collection and dissemination of data by businesses or merchants |
^ B0022 ^ Provide a CBDC that is:
: 1. YES [[cbdc:public:cbdc_omg:8_append:20_glossary:privacy-protected| Privacy-Protected ]]
: 2. NO [[cbdc:public:cbdc_omg:8_append:20_glossary:intermediated| Intermediated]]
: 3. NO [[cbdc:public:cbdc_omg:8_append:20_glossary:transferable| Widely Transferable]]
: 4. NO [[cbdc:public:cbdc_omg:8_append:20_glossary:identity-verified| Identity-Verified]]
| Privacy-Protected means that the Central Bank Digital Currency (CBDC) protecting consumer privacy is critical. Any CBDC would need to strike an appropriate balance, however, between safeguarding the privacy rights of consumers and affording the transparency necessary to deter criminal activity. |
^ P0004 ^ Protect consumer privacy | See **''B0004''**. |
^ R0014 ^ Risk of not achieving an appropriate balance between safeguarding the privacy rights of consumers and affording the transparency necessary to deter criminal activity |
: 1. See **''B0004''** for Consumer privacy.
: 2. Transparency is the ability to easily access and work with data no matter where they are located or what application created them, or the assurance that data being reported are accurate and are coming from the official source.
|
^ D0012 ^ Design should address privacy concerns by leveraging existing tools already in use by intermediaries | Intermediaries means commercial banks and regulated **''nonbank''** financial service providers that would operate in an open market for CBDC services |
| **''B''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#benefits| Benefit Considerations ]] |||
| **''P''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#policy_considerations| Policy Considerations]] |||
| **''R''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#risks| Risk Considerations ]] |||
| **''D''** = [[cbdc:public:cbdc_omg:04_doc:12_summary:start#design| Design Considerations]] |||
: **Note:** FACTA ensured that any state laws with stricter regulations than those outlined in the FCRA would be enforced first. State laws regarding credit scores, credit reports, and insurance that were to remain in effect as a result of the amendments were outlined within the act.
List of Applicable U.S. State Laws and Regulations.
|< 100% 5% 35% ->|
^ State Laws ^^|
^ Kind ^ Law / Regulation ^ Description |
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cpa | California Privacy Act]] |
California Privacy Act is a state-level privacy act that provides protection of consumer information. The act is described as a stricter version of the Gramm-Leach-Bliley Act.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:cccra | California Consumer Credit Reporting Agencies Act (CCCRA)]]|
The CCCRA regulates consumer credit reporting agencies as well as any users of credit reports. The act also provides a narrower definition of “consumer credit report” as any information that falls within credit reports is protected by the act.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:crfpa | California Right to Financial Privacy Act ]] |
California's Right to Financial Privacy Act regulates the state's government agencies' abilities to access nonpublic consumer information. As a result of the act, California's government agencies are not authorized to access financial records unless the consumer gives consent or if a subpoena or a search warrant is issued for the information.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:c:csbcc | California Song-Beverly Credit Card Act]]|
Under the California Song-Beverly Credit Card Act, companies may not collect personally identifiable information from consumers who purchase goods or services using credit cards. Companies cannot set conditions in which consumers must consent to share their information in order to use their credit cards for a transaction. However, consumer information can be requested in order to complete a credit card transaction as long as the information is never recorded. The act also set a redundant state-level requirement that companies must shorten a consumer's credit and debit card information on receipts.
|
^ Privacy ^ [[https://www.omgwiki.org/dido/doku.php?id=dido:public:ra:xapend:xapend.a_glossary:v:vpcihi | Vermont Privacy of Consumer Financial and Health Information ]] |
The law defines the purpose, scope, application, compliance, and exceptions to the law.
The purpose of the Vermont Privacy of Consumer Financial and Health Information is to govern the treatment of nonpublic personal information about consumers by financial institutions.
|
/**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/* To add a discussion page to this page, comment out the line that says
~~DISCUSSION:off~~
*/
~~DISCUSSION:on|Outstanding Issues~~
~~DISCUSSION:off~~