Privacy Regulation Roundup

Author(s): Safayat Moahamad, Carlos Rivera, Horia Rosian, Andrew Sharp

This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant.

Canada Joins International Privacy Cooperative

Type: Announcement
Announced: April 2024

Summary:

During my career I've seen the increasing importance of data privacy on a global scale. Canada's recent decision to join the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) is a significant step in this direction, and here's a breakdown of what it means for you. The Office of the Privacy Commissioner of Canada (OPC) joined the Global CAPE to fulfill a requirement for Canada's membership in the Global Cross-Border Privacy Rules Forum (Global CBPR). This forum, established in April 2022, aims to streamline data privacy regulations across member countries. It’s sort of like joining an international club focused on data privacy. To be a full member (Canada's status), there are certain requirements, and joining the Global CAPE is one of them. Mexico and the United Kingdom have also joined the club, with more countries expected to follow suit.

The Global CAPE was established in 2023 by the Global CBPR Forum and is essentially a collaborative effort. It is a voluntary arrangement between member countries to work together on data protection and privacy enforcement, but it is important to understand that it is not legally binding. By analogy, imagine a group of law enforcement officers from different countries agreeing to help each other on certain cases: they share information, gather evidence, and transfer complaints to the appropriate jurisdiction when needed. The Global CAPE functions similarly, except that the participants are privacy protection authorities rather than law enforcement.

Analyst Perspective: Canada’s move to join the Global CAPE and the Global CBPR Forum signals a stronger commitment to international data privacy. If you are concerned about how your data is handled by companies operating across borders, this cooperation between countries can lead to more effective enforcement of privacy regulations, even though the arrangement itself is not binding. For organizations, it also means a complaint raised in one member jurisdiction may be referred to, or investigated jointly with, a regulator in another. This collaborative effort by Canada and other countries is intended to improve enforcement of data protection regulations and is a positive step toward a more unified approach to data privacy on a global scale.

Analyst: Carlos Rivera, Principal Advisory Director – Security & Privacy

RSAC 2024: Harmonizing Privacy and Security for Enhanced Digital Defense

Type: Conference
Announcement Date: May 2024

Summary: The RSAC 2024 keynote session titled “Shifting Privacy In: How Privacy and Security Can Strengthen Each Other” explored the relationship between security and privacy. The session underscored that the two are not competing interests but are mutually reinforcing when integrated thoughtfully. By adopting a privacy-by-design approach, organizations can ensure privacy considerations are embedded from the outset, which in turn strengthens overall security measures. The discussion also highlighted the importance of incorporating privacy into threat modeling, so that the model accounts for both data protection and threat mitigation rather than treating them separately. The session offered practical strategies for weaving privacy into security practices, with the central message that privacy should be a foundational element of security, not an add-on.

Overall, the session conveyed that the convergence of security and privacy leads to a stronger defense against threats, protecting both data integrity and individual rights. This holistic approach is crucial in the digital age, where data breaches can have far-reaching implications for personal privacy.

Analyst Perspective: From an analyst’s point of view, the RSAC 2024 keynote’s treatment of the interplay between security and privacy reflects a shift in how the two fields are perceived. By highlighting the mutual reinforcement of security and privacy, the session challenges the traditional view that pits them against each other. Instead, it proposes that when thoughtfully integrated they bolster one another, creating a more resilient framework.

The adoption of a privacy-by-design approach is a testament to the evolving understanding that privacy considerations are not just a regulatory compliance checkbox but a strategic advantage that enhances security from the ground up. This proactive stance is a departure from reactive privacy measures, signaling a maturity in organizational mindset toward data stewardship. Furthermore, the session's emphasis on incorporating privacy into threat modeling reflects an acknowledgment of the complexity of modern threats. It suggests that a robust security posture is not just about defending against external attacks but also about safeguarding the sanctity of personal data. This nuanced approach to threat modeling, which includes privacy as a core consideration, offers a more comprehensive defense mechanism.

In conclusion, the RSAC 2024 keynote session articulates a clear vision for the future of cybersecurity: one where the convergence of security and privacy is not merely aspirational but a practical reality. This unified approach is particularly pertinent in our digital era, where the consequences of data breaches extend beyond the digital realm and into the very fabric of personal privacy. The session's insights advocate for a security culture where privacy is ingrained in every facet, ensuring that both data integrity and individual rights are upheld in the face of an ever-changing threat landscape.

Analyst: Horia Rosian, Director – Cybersecurity & Privacy, Workshops

Canada’s Privacy Commissioner Launches New Privacy Impact Assessment Submission Form

Type: Announcement
Announced: March 2024

Summary: The Office of the Privacy Commissioner of Canada (OPC) has announced the launch of a new privacy impact assessment (PIA) submission form, with the intent of providing a streamlined and secure means for federal institutions to submit PIA information. The new form, announced in March, replaces the previous methods of mailing or emailing PIAs to the OPC, which carried the risk of submissions being lost in transit. The new secure website enables federal government departments to submit their PIAs and to attach and update documents associated with a submission. A PIA is a risk management process, supported by tools and artifacts, that helps organizations identify potential privacy risks to individuals and define steps to mitigate those risks. It also helps federal institutions demonstrate that they are meeting legislative requirements, which strengthens privacy protections for Canadians and builds trust with the public.

Analyst Perspective: As innovative technologies evolve rapidly, organizations are looking for ways to adopt them in order to stay ahead of the curve. However, each technology carries its own privacy risks that should be assessed prior to adoption. AI, for example, raises questions about how data is collected and stored, as well as the security implications of safeguarding that data. Conducting a PIA enables organizations to assess their current privacy practices and deploy measures to strengthen them, which builds trust with customers, enhances brand image, and reduces financial and reputational risk. As technologies continue to evolve, privacy assessments should be built into the process of reviewing a technology’s potential benefits, risks, and overall impact on the organization.

Analyst: Ahmad Jowhar, Research Analyst – Security & Privacy

Balancing Act: TikTok’s Fight for Free Speech and Privacy in the Face of National Security Concerns

Type: Legislation
Announcement Date: May 2024

Summary: TikTok and its Chinese parent company, ByteDance, have filed a lawsuit claiming that a new US law mandating ByteDance’s divestiture of the app violates the First Amendment. The company argues that the law unfairly targets TikTok and that divesting the app is not practical within the imposed time frame due to technical and legal hurdles. The lawsuit underscores the ongoing debate over the balance between national security and free speech. The US government has expressed concerns that TikTok could be used for espionage or to spread misinformation, given its Chinese ownership. However, TikTok contends that it has taken significant steps to protect user data and ensure the platform’s security.

TikTok’s legal action also brings attention to the broader implications of technology ownership and the geopolitical tensions between the US and China. The outcome of this case could set a precedent for how foreign-owned apps operate in the US and influence the global tech industry. Moreover, TikTok emphasizes its cultural and economic significance, highlighting its role as a medium for creative expression and a tool for businesses to reach consumers. Millions of Americans use TikTok for entertainment, education, and connection, making the app an integral part of the social media landscape.

If the case progresses to the Supreme Court, the consequences could be far-reaching, potentially affecting not only TikTok’s operations but also the principles governing international business and internet freedom. The decision will be closely watched by policymakers, tech companies, and users alike, as it may shape the future of digital communication and commerce.

Analyst Perspective: Analysis of the lawsuit centers on the conflict between national security and free speech, as the US government’s concerns about data security clash with TikTok’s role as a platform for expression. From a geopolitical standpoint, the case reflects the tensions between the US and China, especially regarding technology ownership. Analysts are also examining the cultural and economic repercussions of a potential TikTok ban, given the app’s widespread use for entertainment and business.

Privacy considerations are central to this debate, as the handling of user data by foreign-owned apps like TikTok is under scrutiny. The outcome of this legal dispute could influence international business practices, internet freedom, and the future of digital privacy. The decision will be pivotal, setting a precedent for how digital platforms operate within global markets while balancing privacy and security.

Analyst: Horia Rosian, Director – Cybersecurity & Privacy, Workshops

American Privacy Rights Act: The Discussion Draft

Type: Legislation
Announced: April 2024

Summary: A significant federal data privacy law could soon be enacted by the US Congress, following the introduction of a bipartisan discussion draft by leading members of House and Senate committees. The proposed bill, known as the American Privacy Rights Act (APRA), is designed to limit the consumer data that companies can collect and use, restricting it to what is necessary to provide their services. It would also give users the ability to opt out of targeted advertising and to access, correct, and delete their own data. Furthermore, the APRA would create a national registry of data brokers and require those companies to give users the option to opt out of data sales.

A significant aspect of the APRA is "Civil Rights and Algorithms." This section requires large data holders (LDHs) to conduct algorithm impact assessments if their algorithms have a potential to cause significant harm. The assessments must be shared with federal authorities and the public. Additionally, entities using such algorithms for significant decisions, including nonprofits and government bodies, must perform an algorithm design evaluation prior to any relevant deployment. This evaluation needs to examine the algorithm's design, structure, and inputs to minimize harm to individuals (especially those under 17 years of age) and address discriminatory impacts.

The Federal Trade Commission (FTC), along with state regulators, will enforce these requirements should the bill become law.

Analyst Perspective: Entities that could fall under the purview of the draft APRA would be required to adhere to several obligations. This would include, among other things, minimizing data, meeting transparency requirements, and handling privacy rights requests.

The draft distinguishes between different types of organizations, such as covered entities, service providers, data brokers, and LDHs, and imposes varying compliance obligations on each. A major focus of the draft is on transparency, necessitating covered entities to disclose data transfers, including those to foreign adversaries, and prohibiting the use of deceptive tactics that undermine individuals’ privacy rights.

The APRA draft also introduces responsibilities related to targeted advertising, which could have implications for publishers and advertisers. Furthermore, it requires the implementation of data security practices and the appointment of data privacy and security officers.

In principle, this legislation would give Americans the power to manage their personal information and restrict Big Tech’s misuse of user data without permission. Nevertheless, lawmakers are still split on matters such as whether federal law should supersede stricter state regulations, and whether individuals should be allowed to sue companies for privacy breaches. That said, Microsoft’s Chief Privacy Officer, Julie Brill, has pointed out to the International Association of Privacy Professionals (IAPP) that innovation and personal information protection cannot be carried out appropriately in the absence of a federal privacy law.

Analyst: Safayat Moahamad, Research Director – Security & Privacy

If you have a question or would like to receive these monthly briefings via email, submit a request here.