Saturday, November 13, 2021

International research and new Privacy laws

A lot of research subscribes the following format: find an answer first and then worry about the consequences later. There are books, papers, and movies dealing with this. In fact, this is a perennial Science Fiction topic. Henry K. Beecher once said that "the problem was not that researchers were malicious or evil; rather the problem was they manifested thoughtlessness or carelessness."

The way research has been performed changed throught the years. Depending on the chosen topic, American scientists have to comply -- grungly at times because some think it hampers their style -- policies set forth by their institutions and funding agencies such as (small sample otherwise we will be here all day) Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GBLA), the Federal Information Security Modernization Act (FISMA), and the NIST sp 800-171. Doing research with international partners makes life even more interesting: now we need to know which rules these partners have to play under. That goes doubly so when dealing not only with security but specially privacy ones, which cover the test subjects and their data and the researchers themselves. Of these, the most famous is the European General Data Protection Regulation (GDPR), but it is not the only one. In a NFS-funded international experimental testbed project I worked on, I had to deal with GDPR, the Brazilian General Personal Data Protection Law (LGPD), and the Japanese Act on the Protection of Personal Information (APPI).

One of the most important points in these laws is the scope: they are applicable if you are intentionally trying to provide a business or a service to someone residing (not necessarily a citizen) in Brazil, the European Union, or Japan. In our case, we were attracting researchers -- from principal investigators to grad students -- in those countries; therefore, we checked that box.

Here are the most interesting differences between the 3; in blue are where one regulation is more restrictive than other. The idea here is that if you need to deal with all of them, plan to satisfy all the blues.

Shameless plugin

In October 18–21 I had the opportunity to participate in the NSF 2021 Cybersecurty Summit, which is run by TrustedCI, both as a presenter and as a workshop co-chair (fancy term for catherder). The talk I gave was called "GDPR, APPI, and LGPD: don’t go sciencing internationally in your experimental testbed without knowing them," which covers some of the topics raised in this article. But, don't take my word for it! They made the videos available in Nov 2, so you too can enjoy seeing me realizing the 1h talk I prepared needs to be presented in less than 30 minutes.

I know you can't see it, but I am sporting an ioactive t-shirt; no, it was not because it was laundry day.

References