News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | 50 years and still kicking: An examination of FIPPs in modern regulation Related reading: Brazilian General Data Protection Law (LGPD, English translation)

rss_feed

""

""

For nearly half a century, organizations and governments have used internationally accepted principles to communicate their privacy goals to the world. These principles are referred to as Fair Information Practice Principles, Fair Information Principles, simply "principles," or, most commonly, FIPPs. Since their emergence, the influence of FIPPs is in nearly every adopted data protection legislation. The EU General Data Protection Regulation codified FIPPs in its Article 5. The recent California Consumer Privacy Act rulemaking file references the data minimization FIPP as one justification for the CCPA regulations. This article explores the history of FIPPS and examines the current impact of two FIPPS — Collection Limitation and Use Limitation — in privacy regulation today. 

A brief history of FIPPs

FIPPs organize aspirational principles for responsible data practices by requiring those who collect or use personal information to be accountable, sensible and transparent. FIPPs helped establish a framework for regulation since their rise in popularity in the 1970s and '80s. Although they have evolved since, FIPPs have consistently emphasized control over personal information, the information life cycle and individuals' rights regarding their personal information. 

Despite scholar's attempts to determine the exact genesis of the term "FIPPs," their origin is unclear. In 1973, the U.S. Department of Health, Education, and Welfare released the HEW report, which focused on the impact of computerization on information privacy. The report articulated a Code of Fair Information Practice that promoted transparency, accessibility and accountability, as well as limited the use of information for secondary purposes without consent. 

The following year, the United States enacted one of its earliest federal privacy laws, The Privacy Act of 1974, which used the HEW Report Code to establish safeguards in the life cycle of personal data held by the federal government. A few years later, the Organisation for Economic Co-operation and Development, an international organization that encourages countries to develop global standards and objectives to improve economic and social well-being, built from the HEW report and adopted eight principles in its 1981 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The most widely recognized OECD FIPPs are: 

  • Collection Limitation.
  • Data Quality.
  • Purpose Specification.
  • Use Limitation.
  • Security Safeguards.
  • Openness.
  • Individual Participation. 
  • Accountability.

After the OECD FIPPS were issued, the first legally binding international treaty on data protection arrived when the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data opened for signatures in 1981. Convention 108 required signatories to incorporate data protection provisions like the OECD FIPPs into their domestic laws to safeguard data quality, protect special categories of data, establish data security and facilitate transborder data flow. Since that Convention, nearly every data protection regulation adopted globally directly incorporated or massaged FIPPs into its regulatory or aspirational framework.  

Collection Limitation

The Collection Limitation FIPP is a substantive principle that directs the behavior of a collector of data. As articulated by the OECD, the principle states "there should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject." What began as consent and lawfulness in the 1980s has grown. Today, the Collection Limitation FIPP, as implemented in privacy laws worldwide, commonly encompasses transparency and accountability in data collection. 

Canada's Personal Information Protection and Electronic Documents Act governs personal information controlled by private sector organizations during commercial business. PIPEDA includes 10 principles at the core of its legislation. Principle 4 is similar to the Collection Limitation FIPP and mandates "the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization and that information shall be collected by fair and lawful means." The Act's language goes beyond the OECD FIPP, including "shall" and mandating organizations identify their collection purposes. Additionally, Principles 2 and 4 limit the collection of personal information by both the amount and the type of personal information to that "which is necessary to fulfill the purposes identified." While these ideals are found in the eight traditional OECD FIPPS, PIPEDA's principles more clearly articulate the framework of the legislation and codify otherwise aspirational goals into substantive legal requirements. 

The impact of the Collection Limitation FIPP is also present in Panama's new privacy law, the Personal Data Protection Law 2019. This law aims to regulate the processing of personal data and is supported by Panama's FIPP-influenced constitution. Article 11 of the law requires a specified, explicit, lawful and authorized use of personal data at the time of collection. This article stems directly from Panama's constitutional right for every person to have their personal information collected only for specific purposes and requiring consent or an otherwise lawful basis. Together, Article 42 of the Constitution and Article 11 of the Data Protection Law mandate the substantive practices articulated by the Collection Limitation FIPP. Yet, the specific elements in Panama's data protection law that require defined purpose and consent prior to data collection move Panama beyond the aspirational and offer more protection for consumers.

In contrast to Panama's constitutional and national codification of FIPPs, the most direct use of FIPPs in the United States stems from the works of the Executive Branch. In 2012 the Obama Administration published a report supporting the creation of a Consumer Privacy Bill of Rights that would carry certain FIPPs forward as "rights" for consumers in the U.S. The Privacy Bill of Rights included a "Focused Collection" right that proposed "consumers have a right to reasonable limits on the personal data that companies collect and retain," which imposes obligations on a company when determining what data needs to be collected for a specific purpose. 

While Congress did not act on the proposed Privacy Bill of Rights, the U.S. Federal Trade Commission issued its own report emphasizing many of the same themes and calling for a more comprehensive approach to privacy, including reasonable collection limits for specific business purposes. Although there is no comprehensive federal data protection law in the U.S., recent proposals such as the Information Transparency & Personal Data Control Act from Rep. Suzan DelBene, D-Wash., still choose to incorporate the aspirational elements of the Collection Limitation FIPP, and it remains prominent in today's discussion of future regulation.  

Use Limitation 

The Use Limitation FIPP guides what conduct is permissible after data is collected. The OECD Use Limitation FIPP states, "personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law." Over time, "use" and "processing" limitations became interchangeable in some jurisdictions. The inclusion of either term illustrates the regulation's intent to protect data by limiting what a controller does with personal data once it is collected, as well as the tension limited use of data can cause in foreseeable circumstances. It is this tension that makes the Use Limitation FIPP particularly difficult in practice as exceptions become necessary. 

Hong Kong's Personal Data (Privacy) Ordinance aims to protect a person's privacy rights about their personal data and incorporates a concise version of the Use Limitation FIPP. PDPO Principle 3, the use of personal data, states "personal data shall not, without the prescribed consent of the data subject, be used for a new purpose." However, Principle 3 continues with an exception: The data may be used for a new purpose if the data user has "reasonable grounds" to believe the new purpose is "clearly" in the interest of the data subject. Additionally, Principle 3 does not apply to personal data in records transferred to the Government Records Service, in emergency situations, in statistics and research, in news of the public interest, in some legal proceedings or in circumstances where harm to the physical or mental health of a person would result. 

These exceptions broaden the otherwise adopted OECD FIPP in the interest of efficiency or protection of the data subject and are standard in modern data protection regulation. 

While the PDPO applied the term "use," Brazil's General Data Protection Law employs "processing" language to more broadly adopt the Use Limitation FIPP and include specific limitations on how personal data can be "processed" following collection. LGPD Article 6 requires good faith processing of personal data according to several principles, including "processing done for legitimate, specific and explicit purposes of which the data subject is informed, with no possibility of subsequent processing that is incompatible with these purposes." 

Article 7 supplements Article 6 with the circumstances the processing of personal data can occur. Article 7 also provides a lawful basis, referred to as a "legitimate interest," that allows a controller to use personal information for a purpose neither specified at the time of collection nor explicitly authorized by an individual. While this exception to the limited use of personal data appears large on its face, the LGPD restricts the use of information for "legitimate interest" in several subsequent provisions. These provisions require personal information used under the "legitimate interest" basis to have both specific and explicit purposes and be limited to strictly necessary information. The LGPD moved beyond the OECD FIPP by incorporating the themes of the Use (i.e., Purpose) Limitation FIPP amongst other principles and exceptions. As governments begin the difficult task of promoting privacy by curtailing the unfettered use of collected data, they face the reality of the modern world — global pandemics, terrorist threats, public safety — and must create innovative approaches to serve and protect their populace.   

Conclusion

Approaching 50 years, FIPPs survived and continue to influence legislation around the world. Despite increasing criticism for their alleged inability to adequately address and preserve individual control over data, FIPPs still provide a common language for nations to communicate their privacy values to the world. The arguments that FIPPs cannot adequately address the world's current privacy needs have merit. Nevertheless, legislative bodies still attempt to remain true to these shared fair information privacy practices as they create innovative methods to accomplish their goals. 

Photo by Kendall Scott on Unsplash


Approved
CDPO, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Cheryl Saniuk-Heinig, CIPP/E, CIPP/US IAPP Member Contributor
Tags
Big Data
Privacy Law
Privacy Operations Management
1 Comment

If you want to comment on this post, you need to login.

  • comment Andrew Rawlins-Catterall • Jun 10, 2021 
    Brilliant article, I had no idea the OECD guidelines derived from there.
Related Stories
US House passes bill to force sale of TikTok
The U.S. House voted in favor of fast-tracking a bill to compel TikTok's parent company, ByteDance, to divest itself of the app, The New York Times reports. If passed and signed into law, the bill would give ByteDance up to one year to find a U.S.-government approved buyer for TikTok or face a natio...
Read More queue Save This
Related Stories
Tags
Big Data
Privacy Law
Privacy Operations Management
Recent Comments