This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.

Georgia's Supreme Court Issues a Landmark Decision on Vehicle Data Privacy


Type: Regulatory Development
Announcement Date: October 21, 2019

Summary: In 2014, police in Georgia changed their view of who was at fault in a fatal car crash after downloading data from the surviving driver’s vehicle. The driver had initially been regarded as having been in the wrong place at the wrong time, but the downloaded data showed that he had been traveling at almost 100 mph. That detail led police to change course, and he was charged with and convicted of two counts of first-degree vehicular homicide. He appealed on the grounds that the police had accessed the vehicle’s data without a warrant, in violation of the Fourth Amendment’s protection against unreasonable search and seizure. The Georgia Court of Appeals upheld the conviction, but the state’s Supreme Court reversed it, holding that the warrantless download of the vehicle’s data was a search requiring a warrant and setting a new data-privacy precedent.

Analyst Perspective: Keep your privacy by design practices ironclad by ensuring that every use of personal data has a lawful basis and does not infringe on privacy rights. Data collection is becoming an inescapable part of daily life, and cases like this point toward a future in which data generated by a person’s devices is treated as an extension of the person and protected by the same rights. There is certainly an argument that the driver was in the wrong; the same can be said of how the police handled the evidence. The case shows that even law enforcement cannot obtain personal data held on a device without a warrant, absent an applicable exception. Your organization’s use of personal data for business or commercial purposes should follow the same discipline: establish and document the lawful basis before collecting, not after, to avoid similar roadblocks.

Analyst: Logan Rohde, Research Specialist – Security, Risk & Compliance


E-Privacy Regulation Gains Support Before Year’s End


Type: Regulatory Development
Important Date: November 7, 2019

Summary: The Finnish Justice Ministry appears set to reach agreement with other EU members on pushing the EU e-privacy law forward by the end of the year. After an agreement, negotiations can begin over the final text of the legislation that would be the most impactful privacy development since the GDPR. Only Germany and Spain gave vocal support to an 88-page compromise proposal put forward by the Finnish Presidency, whereas other EU member states like Poland, France, and Italy are currently against it.

The proposed regulation seeks to establish rules on the confidentiality of electronic communications and on the tracking of internet activity, and would replace the 2002 ePrivacy Directive (the Directive on privacy and electronic communications). It would give users the power to decide what information they are willing to have collected and what is done with it, as opposed to the current practice of setting cookies by default. Users could also opt out of cookies entirely; the European Parliament’s version of the text states that a website must continue to provide its service even to users who opt out.

Analyst Perspective: A robust consent management system, built into your privacy program, will prepare your organization for the inevitable push toward stronger e-privacy rules. Lobbying over the final text has been intense, but on October 1 the Court of Justice of the European Union ruled that users must actively choose whether to let companies install cookies that track their browsing; a pre-ticked box or default acceptance is not valid consent. If the current text is anything to go by, the regulation will have wide-ranging effects on the collection and use of data, including data that is not personal. A two-year transition period is expected once the legislation is agreed, so the e-privacy law should be watched closely. Business changes take time; make adjustments early to avoid a last-minute scramble when the E-Privacy Regulation is finally passed.

Analyst: Marc Mazur, Research Specialist – Security, Risk & Compliance


Data Protection Commissioner Investigating Micro-Targeting on Social Media


Type: Regulatory Development
Announcement Date: November 7, 2019

Summary: The Irish Data Protection Commissioner’s office is conducting a number of investigations into the micro-targeting of individuals on large social media platforms such as Google, Facebook, and Twitter. An international “grand committee” of parliamentarians was briefed that micro-targeting social media users on the basis of their personal data raises questions of compliance with the General Data Protection Regulation. Investigations have been opened into the platforms themselves, into data brokers (companies that scrape online databases for personal information and then sell it), and into ad exchanges (marketplaces where inventories of data are sold). The Data Protection Commissioner’s office believes that micro-targeting individuals with specific content can amplify the harmful effects of disinformation. The concern is that users are unaware that their own data is being used to reinforce their existing viewpoint, rather than being in a position to take an objectively informed stance based on an understanding of both sides of an issue.

Analyst Perspective: Build a privacy program now. Assess your business processes and whether they are infringing on data subject rights, especially for any organization that uses the services of data brokers and/or engages in ad exchange services. Although it is yet to be determined if any compliance infractions occurred, it’s always wiser to avoid negative publicity.

Analyst: William Wong, Principal Research Advisor – Security, Risk & Compliance


Austrian Postal Service Due to Mail in Their Fine for Misuse of Personal Data


Type: Regulatory Development
Announcement Date: November 7, 2019

Summary: In early 2019, it was announced that the Austrian Data Protection Authority had uncovered questionable practices at the Austrian Postal Service (Österreichische Post AG, OPAG). The postal service had been selling personal data, including data on political opinions, for political marketing without the knowledge or explicit consent of the data subjects concerned.

After a thorough investigation into the underlying series of events, the DPA fined OPAG €18 million for processing the data without being able to rely on any of the six lawful bases for processing recognized by the GDPR:

  • Legal obligation
  • Vital interest
  • Contract
  • Legitimate interest
  • Public authority
  • Consent

Consent, the last ground listed, was the basis OPAG needed and lacked: the data being sold (political opinions) is special-category data, which the GDPR prohibits processing without explicit consent or another narrow exception, so a commercial interest in selling it cannot serve as a lawful basis.

Analyst Perspective: The sale or transfer of consumers’ personal information from the collecting party to third parties is commonplace across many industries. Organizations must review their data processing procedures, keeping the following clearly in view throughout the review:

  • Intent behind collection.
  • Which third-parties will gain full access to the data collected.
  • Level of sensitivity of the personal information collected.
  • Awareness of the data subjects with respect to who has access to their personal information.

The Austrian DPA’s decision to impose this sizeable fine sends a clear message to businesses about dotting the i’s and crossing the t’s of data privacy practice. At first glance the outcome seems obvious; there is no way to justify selling personal information to third parties for political or marketing purposes without consent. Many organizations, however, are in a position very similar to OPAG’s and may soon find themselves under the scrutiny of their own jurisdiction’s regulator.

Analyst: Cassandra Cooper, Senior Research Analyst – Security, Risk & Compliance


Canadian Privacy Law Gets a Facelift


Type: Regulatory Development
Effective Date: November 6, 2019

Summary: Canadian privacy law is due for significant modernization. In a joint resolution with its provincial and territorial counterparts, the Office of the Privacy Commissioner of Canada (OPC) is calling for an upgrade to current privacy and access-to-information legislation to meet the basic rights and needs of Canadians.

The joint resolution aims to uphold the democratic rights of citizens and promote the protection of personal information while still enabling individuals to benefit from a changing technological landscape. Its primary calls to action include:

  • Privacy: Application of privacy laws across public and private sector entities, and transparency within privacy practices.
  • Access to Information: Increased overall coverage of privacy laws, and reduced cost of access.
  • Enforcement: Empowerment of individuals over their privacy rights through adequate enforcement.
  • Continued Management: Focus on engagement, collaboration, and evolution of privacy laws.

The modernization the commissioners call for places the fundamental rights of Canadians at the forefront, a commitment the public is likely to welcome.

Analyst Perspective: Keep the needs and fundamental rights of the individuals whose personal information flows through your organization at the helm of your privacy program, and ensure that any approach you take on board is proactive rather than reactive. Many Canadian companies may already have aligned with more stringent frameworks such as the GDPR; any organization that has until now left its privacy program on the back burner must shift gears and address the pillars the OPC has chosen to highlight:

  • Right of access
  • Legislative framework
  • Enforcement
  • Privacy laws

Organizations looking to develop or revamp their privacy program should take a user-centric approach to the overarching framework. Examine and develop documentation around each process within the data lifecycle, and tighten any gaps that are identified with a comprehensive framework. Seek input from each of the business units to ensure that privacy in your organization does not exist in a vacuum.

Analyst: Cassandra Cooper, Senior Research Analyst – Security, Risk & Compliance


PDPC “Guide to Notification” Update Provides Guidance on Dynamic Consent and Just-in-Time Notification Practices


Type: Regulatory Development
Announcement Date: October 21, 2019

Summary: By the end of 2019, the Fair Trade Commission (FTC) may release a guideline regulating the installation of cookies on users’ computers by organizations. This follows guidelines released in August on how large IT companies should protect the personal information they collect. The cookies in question do not themselves contain names or other direct identifiers, but combined with other information about the user they make it possible to identify and track that user. In the future, location data stored on devices may also be regulated by the FTC.

Analyst Perspective: Consider all the ways cookie data can be used and whether any of those uses put the user at risk by violating a data subject’s privacy or security. Storing cookies on your data subjects’ computers can be beneficial: it improves the user’s experience and gives the organization’s IT team valuable data. But even though a cookie does not carry a name or address, the identifier it carries can be combined with other information about the user to single that person out, which jeopardizes their privacy and potentially puts the organization in breach of privacy law. Obtain express consent before setting any cookie that is not strictly necessary for the service the user has requested; many organizations today present this request when a visitor first arrives at the site. A prompt that defaults to “accept,” or that treats continued browsing as agreement, does not meet the active-choice standard regulators are converging on.
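The consent management behaviour described in the E-Privacy item above and in this item (nothing optional set by default, an active choice recorded, strictly necessary cookies still allowed so the site keeps working, withdrawal honoured) is illustrated by the following added example. It is not code from the original roundup or from any regulator; the cookie names, categories, consent record format and sample values are all constructed for illustration, and it is written as pure functions so it runs under Node without a browser.

```javascript
// Consent-gated cookie policy (constructed example, not the page's own code).
// Categories a consent banner would present. Only 'necessary' may be set without
// consent: strictly necessary cookies are exempt from the consent requirement.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// State before the user has acted: no pre-ticked boxes, nothing optional granted.
function defaultConsent() {
  return {
    version: '2019-11',   // assumed: bumped whenever banner text or purposes change
    decidedAt: null,      // null means the user has not yet made a choice
    granted: { necessary: true, analytics: false, marketing: false },
  };
}

// Record an affirmative choice. `enabled` lists only the categories the user
// actively switched on; anything not listed stays denied. Rejecting everything
// is a valid decision and must still leave the site usable.
function recordConsent(enabled, now = Date.now()) {
  const consent = defaultConsent();
  for (const category of enabled) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    consent.granted[category] = true;
  }
  consent.decidedAt = now;
  return consent;
}

// Withdrawal produces a fresh default record with a decision timestamp, so the
// optional cookies stop being set from the next response onward.
function withdrawConsent(now = Date.now()) {
  const consent = defaultConsent();
  consent.decidedAt = now;
  return consent;
}

// Serialize one cookie with defensive attributes: always Secure and SameSite,
// HttpOnly where scripts have no business reading it, bounded Max-Age for trackers.
function serializeCookie(c) {
  const parts = [
    `${c.name}=${encodeURIComponent(c.value)}`,
    'Path=/',
    'Secure',
    `SameSite=${c.sameSite || 'Lax'}`,
  ];
  if (c.httpOnly) parts.push('HttpOnly');
  if (c.maxAgeSeconds) parts.push(`Max-Age=${c.maxAgeSeconds}`);
  return parts.join('; ');
}

// The gate: emit Set-Cookie header values only for cookies whose category the
// user has granted. An unknown or missing category is treated as denied.
function allowedSetCookieHeaders(consent, requests) {
  return requests
    .filter((r) => consent.granted[r.category] === true)
    .map(serializeCookie);
}

// Constructed sample of what one page load would like to set.
function sampleCookieRequests() {
  return [
    { name: 'sid', value: 'constructed-session-token', category: 'necessary', httpOnly: true, sameSite: 'Strict' },
    { name: 'site_analytics', value: 'visitor-1234', category: 'analytics', maxAgeSeconds: 60 * 60 * 24 * 30 },
    { name: 'ad_id', value: 'segment-42', category: 'marketing', maxAgeSeconds: 60 * 60 * 24 * 365 },
  ];
}

// Walk through the three states a consent manager has to handle.
function demo() {
  const requests = sampleCookieRequests();
  return {
    beforeChoice: allowedSetCookieHeaders(defaultConsent(), requests),        // session cookie only
    analyticsOnly: allowedSetCookieHeaders(recordConsent(['analytics']), requests), // no ad cookie
    withdrawn: allowedSetCookieHeaders(withdrawConsent(), requests),          // back to session only
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The decision logic is deliberately server-side and data-driven: the banner UI only produces the `enabled` list, and the rest of the application never calls `Set-Cookie` directly but goes through the gate, so a new tracking cookie cannot slip in without being assigned a category. Where the consent record itself is stored (for example in a first-party cookie, which is itself a strictly necessary one) is left out of the example.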

Analyst: Ian Mulholland, Research Analyst – Security, Risk & Compliance




Search Code: 87193
Published: December 11, 2018
Last Revised: November 28, 2019
