This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.

Maine Online Privacy Law Is in Effect, and ISPs Are Not Happy

Type: Regulation
Important Date: July 9, 2020

Summary: The state of Maine has started to enforce an online privacy law that protects the data of users of internet service providers (ISP). The Maine Broadband Privacy Law, approved in June 2019 and effective as of July 2020, is one of the United States’ more stringent privacy laws and went through a series of legal challenges prior to its enactment. Privacy and civil rights advocates, however, support the state’s new privacy protections.

The privacy law requires ISPs to gain express consent from their customers before collecting and/or selling personal data. This data includes browsing history, location, device identification, and any other personally identifiable data. ISPs had argued that the law contravenes their US First Amendment rights; however, the law has prevailed in its first legal challenge in federal court from a group of ISP companies (ACA Connects v. Frey).

The legal challenge has not yet concluded, as the court felt that the law warranted a First Amendment review since “creation and dissemination of information is speech within the meaning of the First Amendment.” The court did feel that the law only regulated “commercial speech” concerned with “economic interests.”

Organizations including the American Civil Liberties Union (ACLU) and Electronic Frontier Foundation (EFF) have voiced their public support for the Maine Broadband Privacy Law.

Analyst Perspective: The enactment of the Maine Broadband Privacy Law represents a win for Maine internet customers and privacy advocates alike, as it protects personal information using a mandatory opt-in methodology. It will be interesting to track the subsequent stages of this case to see how a business’ First Amendment rights are balanced against privacy rights of its customers in federal court.

Analyst: Jimmy Tom, Research Advisor – Security, Risk & Compliance

Speculation Around Induction of an Enhanced Privacy Shield Begins to Build

Type: Development
Announcement Date: August 2020

Summary: After more than a month of ambiguity and inconclusive statements around the Schrems II ruling, the US Department of Commerce and the European Commission have entered into discussions around what should result in more concrete instructions for businesses previously reliant on the EU-US Privacy Shield.

Representatives from both parties have cited the current economic situation and reliance of over 5,000 companies on the Privacy Shield for vital cross-border data transfer capabilities as key reasons for initiating discussions over a renewed and improved version of the agreement. Advocates for the Shield’s continued validation spoke out in favor of continued economic growth and cooperation between businesses with international partners or a global presence, especially during this pandemic-induced time of upheaval. Privacy proponents, however, including Max Schrems himself, have expressed doubts around the legitimacy of this enhanced agreement without significant changes being made to the structure of the American judicial system and the level of omnipotence that surveillance agencies and their enabling acts, such as FISA (Foreign Intelligence Surveillance Act of 1978), are allocated.

Analyst Perspective: Fool me once, shame on you; fool me twice, shame on me. An oversimplification, perhaps, but this old saying is applicable in the case of the European Commission when it comes to another iteration of a cross-border data transfer catch-all agreement between the EU/EEA and the United States.

When Safe Harbor was struck down in 2015 following the exposure of US surveillance powers, the EU-US Privacy Shield was the go-to resolution to ensure that economic lifelines for companies with a global presence were not hastily severed. And although the Shield intended to offer additional safeguards, including prioritization of any issues raised by EU residents with respect to personal data compromise or misuse, significant gaps existed that enabled improper use of personal data by US governmental surveillance agencies.

So, is Privacy Shield 2.0 or Safe Harbor “take 3” likely to offer any additional stringency? Ultimately, the approach to data privacy and the heavy hand of surveillance culture that exists within the United States need to shift if we truly expect this next iteration of the Shield to solve the issues of its predecessor. Andrew Serwin’s statement calls for “bridging the gap between the U.S. model, which is more of a property-based approach, and that of Europe, which focuses more on privacy as a fundamental human right,” as the driving force in re-establishing the data transfer powers of the Shield agreement. This agreement must do more than simply outline principles of privacy by design without any tactical restriction of surveillance capabilities; it must take active steps to change the attitude toward the role of data privacy within American government and society.

Analyst: Cassandra Cooper, Senior Research Analyst – Security, Risk & Compliance

Germany Prepares New Law for Patient Data Protection and Increased Digitalization in Healthcare and “Data Donations” for Research Purposes

Type: Regulation
Announcement Date: July 3, 2020

Summary: Germany has passed a draft bill to help make medical records management easier for patients while empowering them to exert more control over their personal health information. The law will expand the use of electronic records for some types of prescriptions, patient files, and referrals. However, in the spirit of GDPR, the law also permits patients to control which of their medical records are stored on their electronic patient files and who can access that information (i.e. details can be hidden from certain medical professionals, if desired). In the same vein, patients can now control whether their data is used for research purposes via a process referred to as “data donation.”

Analyst Perspective: Honor data subject rights but be aware that information may be missing. This is an interesting case: this law upholds the GDPR in admirable fashion, but it also presents an opportunity to remove certain parts of one’s own medical history. This latter detail is important if one has had a bad experience with a previous physician that has led to records that may distort how a future doctor might interpret their case. Yet it is not clear if such power might also open the doors to concealing pertinent details about the patient, such as a history of addiction. Depending on how issues like this will be handled, this law may inadvertently cast light on the possible boundaries of data subject empowerment.

Analyst: Logan Rohde, Research Analyst – Security, Risk & Compliance

Barclays Probed by UK Privacy Watchdog Due to Accusations of Spying on Staff

Type: Development
Announcement Date: August 8, 2020

Summary: Barclays Plc, a large British multinational investment bank and financial services company, is being probed by the United Kingdom’s data protection authority, the ICO, over allegations that the British bank spied on its staff.

In 2017, Barclays implemented a solution in a pilot project to monitor staff that included tracking employees on how they were spending their time at work. After an onslaught of critical media reports and public scrutiny, Barclays is now changing the system. Apparently the bank installed “black box” tracking devices, called OccupEye, by employees’ desks, which involve heat and motion sensors.

Barclays claimed that it wasn’t snooping on its people, stating, “The sensors aren’t monitoring people or their productivity; they are assessing office space usage. This sort of analysis helps us to reduce costs, for example, managing energy consumption, or identifying opportunities to further adopt flexible work environments.”

Analyst Perspective: Many organizations have long relied on tools to watch over their employees for various reasons such as safety or productivity. Some would argue this degree of monitoring is intrusive to an employee’s privacy. This has very much transitioned into a grey area as more and more employees find themselves in remote work environments. Monitoring employees in their private homes during working hours could generate employee litigation against employers due to violation of privacy laws, regardless of mitigating internal employee guidelines and policies that were signed during the onboarding or hiring process.

Organizations must be clear on employee privacy policies, not just privacy policies for customers and partners, while simultaneously ensuring compliance with privacy laws. In a landscape where employee productivity to help sustain the business bottom line is imperative, employers must carefully weigh business benefits against privacy and human rights infringements, especially outside of the physical workplace. Business and IT leaders should implement appropriate frameworks to protect the privacy of not just clients and customers but also their employees.

Analyst: William Wong, Principal Research Advisor – Security, Risk & Compliance

Canadian Privacy Watchdog Is Going to Court Over Improper Use of the Canadian Voters List by Liberals, Conservatives, and the NDP

Type: Development
Announcement Date: August 10, 2020

Summary: The Centre for Digital Rights (CDR) is going to court over a disagreement with Canadian Elections Commissioner Yves Cote and his ruling that the Liberal, Conservative, and NDP parties did not abuse the Canadian voter list. The complaint from the CDR alleged that all three parties violated the Elections Act by “knowingly using personal information that is recorded in the list of electors provided to them by the Chief Electoral Officer for purposes contrary to subsection 110(1) of the Elections Act.” This section of the Elections Act states that parties can use the voter list for communication with voters, including donation solicitation efforts.

The CDR contends that the three parties stepped outside of the permissions of this subsection, but the original applications do not specify to what degree these boundaries were crossed. The elections commissioner’s office responded, stating, “Enforcement actions have not been warranted because the Act’s provisions are broad and minimally restrictive with respect to using the information contained in the list of electors.” The CDR felt that this response was lackluster and has since proceeded with its court case.

Analyst Perspective: Define the purposes for data collection and make sure that data subjects know them up-front. In this particular case of data misuse, the CDR is focused on exposing four main areas where political parties erred:

  • Using big data mass surveillance and harvesting techniques and analytical algorithms
  • The misuse of big data
  • Targeted digital advertising
  • Use and disclosure of the personal information from Canadians for an unreasonable purpose

The first three items listed, while concerning, are no different than what many other businesses or companies already do and align with the larger problems that exist with respect to data collection and use. The fourth item, however, produces reason for legitimate concern. As information has become digital, political parties have amassed a grand repository of voter data with very little oversight of how it is stored, managed, or governed by the parties. As a result, there must be more oversight, which may extend to include a legal review of these databases. Canadians are expected to entrust their personal information to political parties, yet there are no guidelines established around appropriate governance: something seems amiss.

Due to the lack of restriction around the disputed subsection, there is a great deal of permissible behavior that is technically left uncovered by the Elections Act. Anyone with access to the elector list can use the information for purposes regarding communications and has no true punishment in the case of abuse other than monetary fines, leaving voters at a disadvantage should their data be misused or compromised. As a result, one can clearly understand the CDR’s persistence in this case. And while a decisive result may not be easily rendered, this issue may serve to spur continued conversation around the management and use of voter lists and party databases.

Analyst: Isaac Kinsella, Research Specialist – Security, Risk & Compliance

Two Privacy Breaches Identified at Nova Scotia Health

Type: Development
Announcement Date: August 2020

Summary: Nova Scotia Health is in the process of notifying 211 people who were impacted by two recently discovered privacy breaches. These breaches were not related to each other, as they involved two different employees, each employed at a different hospital. In both cases, the employee accessed a wide variety of confidential information on the hospital’s scheduling software. These privacy breaches were discovered as part of two separate investigations that were triggered by a privacy audit. Nova Scotia Health is notifying those impacted by the breach by letter, specifically naming the employees who accessed their files, identifying the files that were accessed, and providing information on how these affected individuals can request more information or file a complaint.

Analyst Perspective: Visibility into your IT environment is crucial for detecting breaches. The Nova Scotia Health breaches support this fact. Once investigations were triggered, enough access information was captured and stored that the people investigating were able not only to identify the perpetrators but also to provide victims with details regarding how much of their information was accessed.

Improving visibility into user access can fall under efforts to improve the identity and access management practices within the organization. When purchasing software, ensure that it includes the ability to audit what users have accessed in the past. Keep in mind that using shared accounts, which is generally not considered to be best practice in the first place, could in fact restrict your ability to identify a specific individual in a privacy-proof or privacy-aware manner, leaving the organization susceptible to potential legal implications.

Analyst: Ian Mulholland, Senior Research Analyst – Security, Risk & Compliance

Kerala Police Collect Call Detail Records to Contact Trace

Type: Development
Important Date: August 2020

Summary: For months, Kerala Police have been collecting call detail records (CDRs) of COVID-positive citizens without their knowledge or consent to contact trace the virus. Despite opposition parties and legal experts expressing concern that the police’s contact tracing strategy represents a serious breach of privacy and Indian laws, Director General of Police Loknath Behera has continued to comment that major mobile service providers such as BSNL and Vodafone should make CDRs available when necessary and upon police request.

Analyst Perspective: Privacy protection law is only as robust as the federal support it does or does not receive. The issue here is that the police requested and used CDRs outside of the scope laid out in federal legislation. This represents an unquestionable breach of privacy carried out by Kerala State Police and demonstrates a distinct need for the following:

  • Organizational privacy awareness and training on statutory provisions contained in Section 92 of the Code of Criminal Procedure, 1973 or Section 5(2) of the Indian Telegraph Act, 1885 read with Rule 419A of the Indian Telegraph (Amendment) Rules, 2007.
  • Government review and revision of statutory provisions related to CDR requests that address medical surveillance.
  • Greater transparency of citizen privacy rights.

While the actions of the Kerala Police may represent a seemingly extreme case, we should not be surprised to see many more examples like this involving the misuse of information obtained in the name of “contact tracing” across the world.

Analyst: Michelle Tran, Research Analyst – Security, Risk & Compliance

TikTok Tracked User Data That Bypassed Google’s Android Policies

Type: Development
Announcement Date: August 11, 2020

Summary: According to a recent Wall Street Journal investigation, TikTok collected users’ MAC addresses and sent this data with other device data to ByteDance. TikTok had apparently been collecting MAC addresses for at least 15 months and ended the practice with an update released on November 18, 2019, conveniently around the same time that ByteDance fell under scrutiny in Washington.

TikTok’s bundling of MAC addresses with other device data, including the device’s advertising ID, goes against Google’s Play Store policies, which state, “The advertising identifier must not be connected to personally-identifiable information or associated with any persistent device identifier,” the latter part of which denotes a category that encompasses MAC addresses. The MAC address is useful for advertising-driven businesses because it cannot be reset or altered, giving developers of advertising-based applications and third-party data brokers the ability to build profiles of consumer behavior that cannot be changed unless or until the consumer purchases a new mobile device.

The fact that this was discovered behind an extra layer of encryption adds further suspicion around TikTok’s and ByteDance’s practices. This is because the extra layer of encryption did not provide additional security controls around users’ data but rather obfuscated what TikTok was doing with that data, including collecting MAC addresses. Google is now investigating the loophole that allowed TikTok to collect the MAC addresses but would not comment further on the findings.

Analyst Perspective: If privacy is a major concern for you, your employees, or your organization, reconsider permissions around the use of social media on mobile devices. Government and military officials as well as Republican and Democratic party members are prohibited from using TikTok over its privacy concerns, and this article from the Wall Street Journal will directly contribute to future cases against TikTok. The fact that TikTok was using a well-known vulnerability in the Android OS to gain access to MAC addresses is cause for concern, but it is also worrying that Google had not closed the loophole last year when it was first brought to the attention of the company.

As a safeguard, when you consider installing an application, ask yourself whether you need to install it at all or if you can access a web version. Then ask yourself if you are comfortable with how many trackers and permissions the application gains access to after installation. If the application does not pass muster, do not install it.

Analyst: Marc Mazur, Research Specialist – Security, Risk & Compliance


Search Code: 87193
Published: December 11, 2018
Last Revised: July 31, 2020