A new year now adorns our calendars, and 2021 is expected to have its fair share of developments that privacy professionals will monitor with anticipation.
One of the most notable events will take place Jan. 20. It’s the day the Biden administration takes over in Washington and the Democrats take control of the U.S. Senate. The results from the 2020 elections may be the catalyst that ultimately pushes forward a federal U.S. privacy law, a goal that has bipartisan support on Capitol Hill.
The new Biden administration and political willingness from both sides of the aisle are the main reasons why privacy professionals from Twitter, Google and Amazon are optimistic a federal law will come in the years ahead.
Twitter Chief Privacy Officer Damien Kieran is “cautiously” optimistic a federal privacy law could be passed within the next two years. Kieran said national rules are long overdue, and while there are some hurdles to getting a law onto the books, he believes there are incentives for Congress to get it done.
Kieran cited fallout from the Court of Justice of the European Union’s “Schrems II” ruling as one such incentive. A federal bill could help provide a path forward following the invalidation of the EU-U.S. Privacy Shield agreement.
“The challenges with cross-border movement likely increase the incentive on the federal government to act. I think the stars have been aligned for some time, but perhaps now as a new administration comes in we can see that change,” Kieran said during the 2021 Consumer Electronics Show. “They can fix the cross-border issue on its own with an executive order, or they can try and do it as part of a federal law. I think the option is there on the table to try and do it as a federal law, and that would be my preference. I think there’s good reason to do it and I think there’s bipartisan alignment to get there.”
Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, shared Kieran’s optimism over the prospects of a federal privacy law. He said discussions around an omnibus privacy law have changed greatly over the past 20 years. When the likelihood of federal rules was assessed, Enright said the safe, default answer was always “no.”
That is no longer the case.
In addition to bipartisan support, Enright said the passage of the California Consumer Privacy Act and the California Privacy Rights Act have also helped brighten Congressional prospects.
“If history is any lesson, that is going to be a catalyst for a tremendous amount of state-level legislative activity across the next couple of years,” said Enright. “That tends to dramatically increase the chances that we can develop the political will at the federal level to do something to create a uniform rule of law so that companies know what the rules of the road are, and individual users know what their rights and protections are.”
Any conversation around federal privacy legislation in the U.S. always comes with a discussion of handling different state laws, which usually results in plenty of “patchwork” talk. The panel at the virtual CES was no different.
The common thread in those debates is the challenge of having to handle a swath of different requirements across the country. Enright sees it as an issue companies already face to a certain degree.
While privacy laws in California, Nevada and Maine have been in the spotlight, Enright said patchwork rules affect everyone right now, as virtually every state has legislation that has significant privacy consequences.
“The reality that we are all increasingly dealing with is data is driving everything, and therefore virtually any set of legal requirements are increasingly either being revised or reinterpreted to be legal requirements affecting the movement and governance of data,” said Enright. “I would actually argue we are already dealing with quite a patchwork.”
This is not a new reality for larger tech companies. Amazon Alexa Trust Director Anne Toth said global organizations have to navigate around more than 100 different national-level privacy laws around the globe. A federal privacy law may smooth things over between 50 different states, but the patchwork will not go away, as a law in the U.S. is not going to be a one-to-one match of other rules such as the EU General Data Protection Regulation.
Toth also said it is up to the tech companies to tread those waters and provide the best experience for their users.
“There’s absolutely been regulation at the city level and municipal level. When you start to add it all together, it is a patchwork quilt, and I think even if we do get an omnibus federal privacy law, it’s not going to be GDPR either,” said Toth. “There’s always going to be differences and all of us here represent companies that operate at a global scale, so we’re dealing with a forever patchwork quilt, but we’re trying to minimize the differences and we’re trying to hopefully give all of our customers everywhere a fair shake and an equal amount of privacy protection.”
Optimism continues to swell around the idea that the clock is ticking closer and closer to the day a federal privacy law becomes reality.
But the impetus isn’t just to end debates around state preemption and a private right of action. The existence of a federal U.S. privacy law has important ramifications for the future of the online ecosystem.
Enright said tech companies have to work to ensure any legislation passed provides as much clarity for organizations and citizens as possible. Kieran, on the other hand, believes a privacy law can help with far bigger issues, particularly as transborder data transfers and data localization continue to be hot button topics.
“I think this is where it’s actually incredibly important for the federal government to really understand about the international future of this because it ties back to the question of a divided internet,” said Kieran. “If we get this wrong, you increase the chances for the balkanization of things. These laws need to be interoperable. If they’re not, the Schrems-Privacy Shield dilemma is only the tip of the iceberg in terms of localization of both services and data, and then the internet, and that’s not an outcome that any of us wants to see.”
The EU General Data Protection Regulation’s one-stop shop mechanism received a boost amid ongoing questions about the best way to approach cross-border enforcement. Court of Justice of the European Union Advocate General Michal Bobek issued a non-binding opinion supporting the future application of OSS while bringing clarity to the limited exceptions that would allow data protection authorities besides a lead supervisory authority to act on a cross-border action.
“It is clear that one-stop shop is meant to be the procedure to be followed when enforcement action against cross-border processing is necessary,” Bobek wrote in his opinion published Jan. 13. “The imperative terms included, particularly in Article 51(2) and Article 63 of the GDPR, unequivocally indicate that supervisory authorities must cooperate and must do so through the (compulsory) use of the procedures and mechanisms established for that purpose.”
The opinion came in response to a case between Facebook and Belgium’s Data Protection Authority involving whether a concerned supervisory authority has the ability to bring a cross-border case before its state court. Bobek all but ruled out any direct circumvention of one-stop shop, noting “the competence of the LSA is the rule, and the competence of other supervisory authorities is the exception.”
Fieldfisher Partner Tim Van Canneyt, CIPP/E, characterized the opinion as a “nuanced position,” but a clear one from Bobek nonetheless.
“The advocate general puts forward a lot of arguments to stress the fact that as a rule, only the LSA should be able to act in cross-border processing cases,” Van Canneyt said. “He stresses that it is ‘of the utmost importance’ that DPAs ‘duly follow’ the rules of the one-stop shop.”
IAPP Research Director Caitlin Fennessy, CIPP/US, expects Bobek’s opinion to bolster perceptions of one-stop shop. She called it “an important opinion” that “encourages greater attention to strengthening the EDPB’s cooperation procedures.”
While the opinion favors one-stop shop, Bobek did leave open the potential for considering future reform of the mechanism. The Belgian DPA raised concerns about under-enforcement of the GDPR through one-stop shop, which Bobek rebuffed for now given the “infancy” of the GDPR, but indicated it’s possibly worth revisiting if claims ever materialize.
“I must admit that, in my view, if the dangers concerning under-enforcement of the GDPR suggested by the (Belgian DPA) and some other interveners were to materialise, the entire system would be ripe for a major revision,” Bobek said.
Belgian DPA Chairman David Stevens said his office was overall pleased with Bobek’s opinion, but especially happy with the acknowledgment of exceptions to one-stop shop that can be brought before the courts. Stevens said, “If data subjects can go to court to defend their rights, data protection authorities should also be able to do this on their behalf in certain exceptional cases.”
Despite a mostly clear description from Bobek of the six exceptions that would allow for a court to take up a DPA’s case instead of following one-stop shop, Morrison & Foerster Senior Counsel Lokke Moerel is already seeing misinterpretations from onlookers.
“The advocate general indicates there are some very limited situations when a concerned supervisory authority can still act in litigation,” Moerel said. “For example: Where the GDPR does not apply to the processing of data (e.g. the ePrivacy Directive); where the case is about facts preceding GDPR; where the relevant company does not have a main establishment in the EU and thus lacks an LSA; and where enforcement or court action is taken by other Member States’ authorities. All no brainers.”
Van Canneyt believes many DPAs will take the opinion as confirmation that they can proceed with national enforcement. In an effort to avoid gray areas with the application of one-stop shop versus invoking exceptions, Van Canneyt suggests a designated cross-border regulator could be proposed.
“It is interesting to note that the recently published draft Digital Services Act, which contains many principles that are inspired by the GDPR, does not introduce an LSA mechanism, but instead confers the enforcement of cross-border issues to the European Commission,” Van Canneyt said. “Should this be interpreted as an implicit acknowledgment by the European Commission that the GDPR one-stop-shop is not working?”
Court of Justice of the European Union Advocate General Michal Bobek issued a non-binding opinion Jan. 13 supporting the future application of the EU General Data Protection Regulation’s one-stop shop mechanism while bringing clarity to the limited exceptions that would allow data protection authorities besides a lead supervisory authority to act on a cross-border action. IAPP Staff Writer Joe Duball breaks down the opinion and has privacy pros chime in on its meaning for OSS and future enforcement efforts of DPAs.
With the Biden Administration set to take over in Washington and bipartisan support coming from Capitol Hill, a federal U.S. privacy law could in fact become a reality. During a panel at the 2021 Consumer Electronics Show, privacy professionals from Twitter, Google and Amazon explain why they are “cautiously” optimistic over the prospects of omnibus legislation coming from Congress over the next couple of years. IAPP Associate Editor Ryan Chiavetta, CIPP/US, has the details.
The COVID-19 pandemic has rapidly accelerated reliance on digital platforms and has shifted consumers’ expectations around how their data is used. This IAPP web conference explores these trends as a panel of privacy professionals explores the findings of the “EY Global Consumer Privacy Survey 2020.” Speakers include McGraw-Hill Education Chief Privacy Officer Andy Bloom, CIPP/E, CIPP/US, CIPM, CIPT, FIP, EY Global Data Protection & Privacy Consulting Leader Tony de Bos, CIPP/E, CIPM, and Citrix Chief Digital Risk Officer Peter Lefkowitz, CIPP/US.
- The European Data Protection Board has updated its information note on data transfers to the U.K. under the EU General Data Protection Regulation following the Brexit transition period and its statement on the withdrawal of the U.K. from the European Union.
- Georgetown University Law Center Professor, European Union Law Kenneth Propp explains why the U.S. should develop a strategy to address concerns from the EU in order to maintain data transfers between the two.
- Reuters reports the Irish Data Protection Commission will proceed with a complaint challenging Facebook’s transborder data transfers.
The U.S. Department of Health and Human Services Office for Civil Rights announced it has reached a settlement with Banner Health over alleged violations of the Health Insurance Portability and Accountability Act Privacy Rule’s right of access standard. Banner Health agreed to pay $200,000 to settle the allegations and will undertake a corrective plan that includes two years of monitoring. This is the 14th settlement the OCR has reached under its HIPAA Right of Access Initiative.
The Russian State Duma announced amendments to the Federal Law on Personal Data were adopted Dec. 23, 2020 and take effect March 1. The amendments include provisions for explicit user consent for data processing and the addition of a right to deletion. Additionally, Duma laid out all the country’s privacy laws and where they apply. There are two federal laws pertaining to the protection of personal data rights while the Administrative Code and the Criminal Code also carry privacy provisions.
- France’s data protection authority, Commission nationale de l’informatique et des libertés, announced sanctions against the Ministry of the Interior for its unlawful deployment of drones to oversee and enforce “containment measures.” The sanction prohibits further use of drones until a framework is devised to address the processing of personal data.
- Singapore’s government issued legislative provisions to limit the future use of COVID-19 contact-tracing data by law enforcement. Use will be limited to clear need in a criminal investigation.
Reuters reports Uber filed an appeal over the $59.1 million fine it was ordered to pay the California Public Utilities Commission over denied requests for sexual assault data from the company. Uber maintains its “transparency and commitment to protecting survivors” while arguing no regulator required the disclosure of personally identifiable information of sexual assault victims, adding CPUC had not explained why it needed the data.
The Australian Digital Health Agency called for a limit to the “number and type” of data breaches organizations need to disclose under federal law, iTnews reports. The agency seeks a harmonization between the data breach reporting requirements of the My Health Records Act and the Privacy Act. “The definition of a breach under section 75 of the My Health Records Act 2012 is very broad and substantially differs from what the community may reasonably consider to be a ‘breach,’” the ADHA said in its submission. “It also differs substantially from the notifiable data breach scheme requirements under the Privacy Act.”
The Reserve Bank of New Zealand experienced a data breach, which may have exposed sensitive information, The Associated Press reports. A third-party file sharing service used by the bank was illegally accessed by hackers. Reserve Bank of New Zealand Governor Adrian Orr said the breach has been contained and that the bank is working with authorities and cybersecurity professionals as part of its investigation into the incident.
The New York Times reports on the privacy concerns around smart cushions designed by a Chinese tech company to monitor employees’ health. The cushions scan staff for signs of fatigue, measure their heart rates and keep track of how long they spend at their desks. Hebo Technology, the creator of the cushion, said in a statement it issued a warning to the human resource manager of a company using the cushion over “disseminating” participant data without permission.
The Spanish data protection authority, the Agencia Española de Protección de Datos, published a blog post on connected devices that can monitor and control health indicators like physical activity and sleep quality. “All this is personal data that will be analyzed, exploited, stored, and ultimately processed in very different ways, by different managers and managers of the treatment,” the AEPD said. “In certain circumstances sensors and devices, despite belonging to the IoT field, do not monitor ‘things’ but rather quantify people.”
- The French data protection authority, the Commission nationale de l’informatique et des libertés, sanctioned the Ministry of the Interior for illegally using drones with cameras to monitor compliance with containment measures and ordered the Ministry to cease drone use until a regulatory framework is authorized.
- Germany’s State Commissioner for Data Protection in Lower Saxony issued a 10.4 million euro fine to retailer notebooksbilliger.de for monitoring its employees over a two-year span without a legal basis.
- Poland’s data protection authority, Urząd Ochrony Danych Osobowych, announced a PLN 1 million fine against ID Finance Poland for insufficient data security measures that led to a data breach.
- A motor industry employee has been sentenced to eight months’ imprisonment, suspended for two years, following prosecution by the U.K. Information Commissioner’s Office for conspiracy to secure unauthorized access to computer data and selling unlawfully obtained personal data.
- London’s Borough of Hackney Mayor Philip Glanville announced data stolen in an October cyberattack has been published online, though it is not believed to be accessible through a public forum or through search engines.
- Infosecurity Magazine reports British Airways is prepared for negotiations on a data breach settlement over its 2018 data breach affecting more than 400,000 customers. Talks follow a 20 million GBP fine to the airline from the U.K. Information Commissioner’s Office in October 2020.
As data breaches and other security incidents are the dominant cause of regulatory fines in areas like security and data protection, prevention and proper management are becoming a priority for many organizations. Proper technical and security measures are essential in preventing security incidents. Nevertheless, when it comes to managing incidents, it can be challenging to identify and properly follow all the applicable rules and mandatory notifications of different regulators.
This article compares three main EU regulatory norms with incident reporting obligations (the EU General Data Protection Regulation, the Second Payment Services Directive (PSD2) and the Network and Information Security Directive) and finds synergies and areas of overlap to provide efficient and simple guidelines for companies that fall under several frameworks.
Personal data breach according to GDPR
Probably the most familiar law regarding incident management obligations is the GDPR. According to the GDPR, controllers in the European Economic Area who encounter personal data breaches associated with specific risks are obligated to notify the supervisory authority and, in some cases, the affected persons of the breach.
Guidelines on how to assess risks triggering personal data breach notification with some practical examples were provided by former Working Party 29, which has been replaced by the European Data Protection Board.
Several companies are currently facing huge fines imposed by data protection regulators in relation to data breaches. For example, the U.K.’s Information Commissioner’s Office recently fined British Airways 20 million euros for failing to protect the personal and financial details of more than 400,000 customers. The ICO also fined the Marriott International hotel group 18.4 million pounds, again in relation to the personal data breach inherited during the Starwood acquisition. A telco company in Germany was fined almost 10 million euros for insufficient measures to prevent unauthorized access to personal data.
According to a DLA Piper report published at the beginning of 2020, over 160,000 data breach notifications were reported across the EU, Norway, Iceland and Liechtenstein since the GDPR entered into force, totaling 114 million euros in fines. All of this data reveals the significant importance of proper data breach management.
Other EU regulations on security incidents
As mentioned above, the GDPR is not the first and only EU legal act that contains incident management requirements. In less than one year, three different legal acts regulating security incidents and related rights and duties were introduced in EU law. The other regulatory frameworks are identified below.
Second Payment Services Directive
The PSD2 and its implementing acts oblige all payment service providers, i.e. banks, electronic money institutions and payment institutions including payment initiation service providers and account information service providers, to implement proper security measures and to manage operational and security incidents. In the event of a major operational or security incident, the payment service provider must notify the competent authority, usually the central bank. The notification shall be made without undue delay. If the incident has or may have an impact on the financial interests of the clients, the payment service provider shall inform the clients of the incident and of all measures that they can take to mitigate risks caused by the incident (Article 96 of the PSD2).
The European Banking Authority published detailed guidelines on how to assess the individual incident and the severity based on seven different aspects, like the number of clients and transactions affected, payment service downtime or the reputational impact of the incident. The guidelines include “standard notification templates” and “the procedures for notifying such incidents.”
Network and Information Security Directive
The NIS Directive regulates the level of security of network and information systems for certain categories of subjects. These subjects are mainly operators of essential services, i.e. companies of significant size in areas like electricity production, distribution and transmission, banking, financial market infrastructure, health care, etc., and digital service providers, i.e. providers of information society services such as online marketplaces, online search engines or cloud computing services.
The above-mentioned categories of organizations are obligated to implement appropriate and proportionate technical and organizational measures and to manage security incidents. They are obliged to notify the competent authority, the national cybersecurity agency, or the relevant computer security incident response team of incidents with significant impact, again without undue delay.
All three EU legal acts are in place to protect different public interests, such as the development, protection and security of the internal financial market (PSD2), the protection of individual privacy and other basic rights (GDPR), and the security of network and information systems for vital services (NIS).
The definition of the incident and the criteria for the severity assessment, the scope of the obliged organizations, the notification lines and the notification deadlines are different in each legal act. Nevertheless, one specific entity could fall under the regime of two, or even all three, regulations for the same security incident. This may cause a significant increase in internal complexity, with more capacity consumed by two or three different internal processes at the expense of security itself.
How to lower the complexity of security incident management
Security incidents are defined slightly differently in each of the three EU legal acts, and the same applies to the corresponding processes. To avoid unwanted complexity, the following common measures can be implemented in organizations that are obliged to manage incidents within two or three regulatory frameworks:
- Create a unique internal escalation channel for incident reporting covering all types of incidents including malfunctions of applications or transmission systems, unavailability of internal information, and data breaches. This step may significantly simplify the internal escalation to the employees and give organizations more time to deal with individual incidents.
- Create one department to assess or coordinate the assessment of all regulatory relevant incidents. This department should be responsible for the incident assessment for the regulation that applies to the specific incident and evaluating its severity by the affected regulation.
- This approach can help the organization avoid situations where the incidents are assessed in isolation and without consideration of other regulatory obligations. For example, if one department assesses the incident only from a cybersecurity point of view, the organization may fail to consider other regulatory obligations (like notification of the incident to the data protection authority) leading to a breach of law or unjustifiable delays.
- Create a separate department responsible for notifying and communicating with relevant regulators and affected individuals. One communication tone, style and range of information are important to manage the impact of the incident and to lower related regulatory and reputational risks.
- Create one register including, among others, description of all incidents, date of occurrence and date of internal escalation, severity, impact on data security (confidentiality, integrity and availability of the information or systems), impact on affected persons, applicable regulations, next steps toward regulators and affected persons, etc. Such a list could help improve internal processes in incident management and information security itself.
- There should be unified internal training on all incident handling and obligations of each employee. Employees, especially in big companies, are usually overwhelmed with too much training. Having only one training on incident handling, the importance of quick reaction and comprehensive information about internal escalation lines could lower this burden and increase the quality and benefit of the training. This should be a simple and brief procedure, or internal guideline, dealing with the topic in a consolidated manner and providing a practical, at-hand guide with clear, step-by-step instructions on how to proceed in case of an incident.
It is not an easy task to design and implement an efficient incident management system while considering all relevant regulatory aspects. In a time of stringent regulatory requirements in all areas, it is key to look at common points of different regulations and search for areas to integrate into single compliance systems. Moreover, the effort to unify requirements and simplify reporting processes would be appreciated by regulatory authorities. There is no doubt that having a proper data breach management system is an important topic and each organization could benefit from harmonized rules.
Greetings from Brussels!
If you are a user, and I am one, you will have received a consent notice that updates will be in effect as of 8 Feb. That said however, the extent of the update will all depend on where you reside, as determined by your mobile number. The new rules of engagement will apparently only impact non-EU/EEA users — not covered by the GDPR — who will be obliged to accept and mandate WhatsApp to share and process certain data sets with parent company Facebook. In short, WhatsApp will start to share personal data such as usernames, phone numbers, profile photos, IP addresses, and other device information with Facebook. The reason for these changes as cited by Facebook is to help operate and improve its offerings and services across its group companies.
If you are a long-time user of WhatsApp, you will recall that back in 2016, two years after being acquired by Facebook, users were given the option to opt-out of the user data exchange with the parent company which was considered a value proposition for many; if nothing more, or being particularly principled, than just to keep the app — and by extension your user data — separate and independent. This, coupled with the 2014 development of cutting-edge end-to-end encryption, was a winner the world over across both personal and professional usage to the tune of 2 billion users.
Despite the dual communications around the recent changes, there has been some unrest among users, which has resulted in an upsurge of rival instant messaging services such as Signal and Telegram. I for one am also a subscriber to Signal and saw a deluge of new users (known from my contact list) register with the service; I received dozens of notifications. I am also reading that in the week WhatsApp announced the changes, Signal was downloaded 8.8 million times worldwide. From my own contacts, many of these new users were European, which may suggest that they did not fully comprehend the impact of the new rules.
Of note, Italian DPA, the Garante, also issued a statement this week. The agency is concerned that the recent changes were not fully transparent or clear for the end user. The Garante also stated that it has referred its concerns to the European Data Protection Board in Brussels, and reserves the right to intervene, as a matter of urgency — if required — to protect the interests of Italian users.
There is more to come on this story: One thing is abundantly clear, wherever you find yourself in the world, there is a growing concern over surveillance capitalism. More importantly, consumers clearly care about their privacy.
The Advocate General of the Court of Justice of the European Union issued its opinion on the case between Facebook and Belgium’s Data Protection Authority. The advocate general determined the one-stop shop mechanism under the EU General Data Protection Regulation does not prevent regulatory authorities from bringing proceedings before a judge as long as the issue falls under the European privacy law. The case will now move to the Court of Justice of the European Union.