This Privacy Regulation Roundup summarizes the latest major global privacy regulatory development, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.

California Lawmakers Smooth Over Some of the CCPA’s Rough Edges

Type: Regulation
Important Date: April 23, 2019

Summary: The California Assembly Privacy and Consumer Protection Committee approved several bills in late April that would begin to clarify ambiguities in the California Consumer Privacy Act (CCPA). Significant bills approved by the Committee included:

  • AB 873: Clarification of terms such as “personal information,” “consumer,” and “de-identified” information
  • AB 25: Exemption of employee data
  • AB 981: Exemption for insurance companies – with restrictions
  • AB 1564: Alternatives to the current requirement that a toll-free number must be established
  • AB 25: Safeguarding the right to obtain “specific pieces of personal information” when that information applies to households
  • AB 846: Loyalty program exemption to “non-discrimination” restrictions

Having passed Committee review, these amendments will now be considered by the Senate Judiciary Committee that is currently chaired by Sen. Hannah Beth Jackson.

Analyst Perspective: Despite the lack of clarity, companies required to comply with CCPA should continue operationalizing their compliance efforts. The Office of the Attorney General of California is continuing to prepare for enforcement of CCPA, regardless of the defined outcome of the amendment bills. If your organization is affected by exemptions (insurance, loyalty programs), investigate these bills to ensure both applicability and sound reasoning for opting for the exemption. In similar instances, many HIPAA-covered entities have opted to forgo their exemption, instead opting to adhere to CCPA. While these developments help clarify CCPA language, they leave lingering questions around who will be in scope and what tactics will be used for enforcement.

Washington’s New Privacy Legislation Fails to Pass, While Data Breach Notification Laws Are Updated

Type: Regulation
Effective Date: March 1, 2020

Summary: Washington was set to introduce new privacy legislation this year, following California’s example, but the effort quickly fell apart due to the many competing interests in the process. After passing overwhelmingly in a 46-1 vote in the State Senate, the bill did not make it past the House committee. Major points of contention revolved around the regulation of facial recognition capabilities, the private right of action (whereby affected individuals can directly sue companies for privacy violations), and even basic definitions within the bill. Many privacy advocates noted the large influence of major technology companies, such as Amazon and Microsoft, throughout the legislative process. While the bill has currently stalled, state lawmakers have expressed a desire to revisit this topic in 2020.

While a new privacy law did not come to fruition, Washington has updated its state breach notification requirements. This includes an expanded definition of personal information and updates to the content requirements for notification, timing of notifications, and updates to regulator notification. These amendments will be in effect as of March 1, 2020.

Analyst Perspective: Organizations juggling multiple state-level breach notification requirements should follow the most stringent breach notification laws to remain compliant across multiple state laws, while maintaining standard privacy practices across the board. Washington’s breach notification laws are becoming stricter in their requirements, and organizations will have to follow through. More data types are included in the personal information definition, while the notification timeline is now 30 days, instead of the previously set 45. Conduct a review of existing privacy practices, with updates and changes occurring where needed.

Administrative Fine of €170,000 Imposed on Bergen Municipality

Type: Regulatory Enforcement
Announcement Date: April 12, 2019

Summary: Norway’s Supervisory Authority (Datatilsynet) fined the Municipality of Bergen €170,000 for a lack of security controls related to 35,000 user accounts, the majority of which were associated with children. The user accounts are part of a learning platform used by students and teachers at the municipality’s primary schools. Data types shared on the platform included:

  • Username and password
  • Date of birth
  • Address
  • School affiliation
  • School grades

Insufficient security measures meant that anyone could log in to various IT systems and get access to the above data types. Datatilsynet’s decision to enforce the fine relates to both Article 5(f) and Article 32 of the GDPR, which define security of personal data and security of processing, respectively. The severity of the €170,000 fine can be directly tied to the vulnerability of the data subject group, which is explicitly referenced in GDPR.

Analyst Perspective: Ensure that your organization understands GDPR’s requirements for security measures. While the purpose of the regulation is to enforce privacy requirements, privacy and security have an entangled relationship. Critically, organizations must iteratively define and then apply security controls that are both required by regulation and aligned with best practices. For many this means thinking about which security controls can be enabled in order to protect data subjects’ privacy. Interestingly, despite being warned by the Norwegian Data Protection Authority in December 2018, the Municipality of Bergen appears not to have taken action to improve its security measures prior to being fined in March 2019.

The Garante Data Authority Fines Data Processor €50,000 for Failing to Comply With Article 32

Type: Regulatory Enforcement
Important Date: April 4, 2019

Summary: On April 4, 2019, the Garante, Italy’s supervisory data authority, fined a data controller €50,000. The platform, despite making significant improvements to security, was still deemed to be in violation of Article 32 of the GDPR. This violation related to the platform’s database size and the type of data being stored on it. The Garante’s investigation determined that the platform had been in violation of this article for a significant period of time and that the violation affected a significant number of data subjects. Under Article 83, the Garante issued the €50,000 fine.

Analyst Perspective: Data processors must act now to establish appropriate data protection to avoid hefty GDPR fines for requirements that previously rolled up to data controllers under the EU Directive. To comply with Article 32 of the GDPR, Imperva recommends that an organization should:

  1. Encrypt or pseudonymize all personal data collected and stored.
  2. Maintain access and availability of processing services and systems, and ensure the confidentiality and integrity of the data these services and systems touch.
  3. Have strong disaster recovery plans in place that allow for access to personal data in the event of a security breach.
  4. Conduct regular assessments of technology and organizational processes to ensure their effectiveness.

Develop an information security strategy to ensure all areas of security are being addressed and continuously improved to an acceptable level of maturity. This strategy should be reviewed on a semiannual basis and communicated to appropriate members of the organization.

Office of the Privacy Commissioner Revisits Its Position on Transborder Dataflows

Type: Development
Announcement Date: April 23, 2019

Summary: On April 9, 2019, the Office of the Privacy Commissioner (OPC) of Canada decided to revisit its policy position and seek consultation from stakeholders to review its guidelines for processing personal data across borders. The OPC’s change in position from the original 2009 guidelines revolves around the definitions of transfer and disclosure. Whereas the transfer of personal information from one organization to a third party was originally not considered a disclosure, the Equifax investigation showed this distinction to be debatable. A transfer fits with the accepted definition of disclosure as well as the meaning of the term in the Privacy Act. Previously, a transfer did not require additional consent, because it was assumed that the transferred information was being used for the purpose for which it was originally collected. In accordance with Principle 4.3 of the Privacy Act, an organization must obtain consent for a transfer to a third party for processing, including for transborder transfers. The change in position requires organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers.

Analyst Perspective: Ensure your organization has a data map that identifies transborder transfer of data so that appropriate disclosure can be made when this rule comes into effect. Similar to GDPR, this proposed update to PIPEDA means when an organization transfers data from one jurisdiction to another, data subjects must be made aware of the risk that authorities will have access to information under the new jurisdiction’s regulatory environment. The OPC is seeking feedback from stakeholders to ensure that it provides accurate and beneficial guidance to all stakeholders. However, until a further revision or decision is made, avoid future impacts to your business by proactively providing data subjects with the opportunity to give consent for any transfer of their data outside of Canada.

Facebook Is Found to Have Violated Canadian Privacy Laws

Type: Regulatory Enforcement
Announcement Date: April 25, 2019

Summary: Facebook has violated Canada’s privacy laws, according to the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, based on their investigation into the Cambridge Analytica scandal. The major findings from the report were regarding a lack of consent to collection, inadequate safeguards, and a lack of accountability. Both agencies provided recommendations to Facebook to address these findings. However, Facebook has refused to implement these recommendations as they dispute the final report. The privacy commissioners are planning to challenge the organization through federal courts, as they acknowledge that the existing privacy laws, such as PIPEDA, do not provide the authority needed to force such recommendations.

Analyst Perspective: Canadian privacy laws continue to lack the enforcement or authority needed to be truly effective regulations. Organizations can choose not to comply and there are no immediate consequences, apart from a potential court challenge. This may change in the future, as both privacy commissioners have expressed a desire to see Canadian regulators have the authority to hold organizations accountable for how they use personal data. They hope to see this become a major issue in the upcoming election, as well as in the new Parliament term. Until then, however, Canadian privacy laws lack the bite, or consequences, needed to make organizations comply.

Australian Worker Fired for Refusing to Use Fingerprint Sign-In Wins Appeal Due to Breached Privacy Act

Type: Development
Important Date: May 1, 2019

Summary: The full bench at an Australian appeal court sided with the worker on May 1, 2019 in a ruling that could throw the viability of using finger and retinal scanning technology in the workplace up in the air. Superior Wood, a sawmill based in Queensland and owned by the Finlayson Group, fired a casual factory hand last February for refusing to register his fingerprints for use in a new biometric scanner. The worker filed for unfair dismissal, claiming the sawmill’s attendance policy was unlawful because his fingerprints are sensitive information under privacy legislation and his employer could not compel him to provide them.

Analyst Perspective: Ensure you have a lawful reason to process sensitive types of personal information. While businesses can cite security or even business reasons for leveraging sensitive personal information such as biometrics for identification, balancing the business interest with individual rights is paramount. Many regulations have specific requirements or guidelines on how to make these assessments. Ensure your privacy program aligns with all applicable regulations. When in doubt, perform a privacy impact assessment (PIA) or data protection impact assessment (DPIA) to determine whether mitigating actions are required before implementing a technology or process.

China Is in Desperate Need of a New Privacy Law, but Enforcement Logistics Are Causing a Delay

Type: Development
Announcement Date: May 5, 2019

Summary: China’s legislators are in the process of drafting a new data privacy law; however, no release date has been given because of unresolved issues around how the law will be enforced. The need for this law comes as a result of a surge in growth of China’s technology sector and a rising demand for increased privacy from society. Privacy regulations have yet to catch up with China’s technological advances. More and more organizations are leveraging and collecting biometric data on Chinese citizens, and the Chinese government manages more than 176 million surveillance cameras across the country. As time goes on, the need for a privacy regulation will only increase.

Analyst Perspective: Organizations operating in China should start documenting their data privacy practices ahead of this change. Without privacy laws in place, organizations within China (including the Chinese government) collect as much information as possible about the people who use their products. There is no current penalty for doing so, but organizations aggregating data without valid purposes may eventually find themselves in noncompliance with no easy way to reverse their efforts once formal rules are established.

Search Code: 87193
Published: December 11, 2018
Last Revised: May 22, 2019