
This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.


Lawmakers Jump-Start Talks on Privacy Bill

Type: Development
Announcement Date: August 7, 2019

Summary: Lawmakers who are hoping to pass a federal law before the stringent Californian state-level rules take effect are working through the August recess to cobble together legislation on data privacy. Advocates for a federal data privacy standard are feeling a time crunch as they fret over the limited number of days left in this session and the upcoming 2020 elections. Moreover, as soon as the lawmakers release the draft bill there will be a rush of lobbying and public comments as every stakeholder – privacy advocates, tech groups, companies, and anyone else touched by data collection regulations – offers their perspective.

Analyst Perspective: Build a privacy program now, regardless of whether you fall under the California Consumer Privacy Act (CCPA), as a federal-level privacy regulation is coming. While many organizations are implementing changes to comply with the CCPA before its January 1, 2020 effective date, it is worth noting that a federal-level regulation will likely be more comprehensive, though it will likely overlap with mandates under the CCPA. Progressively building a privacy program now means better change management across your business and less exposure to regulatory noncompliance when the federal privacy law arrives.

New Hampshire Signs New Data Security Bill for Insurers Into Law

Type: Regulation
Effective Date: August 2, 2019

Summary: The governor of New Hampshire signed Senate Bill 194 into law this month. The Bill requires New Hampshire insurers to implement a risk-based information security program and to report any security breaches that meet a defined set of criteria. Failure to do either could result in the suspension or revocation of the insurer’s license or an administrative fine of $2,500. The effective date of the Bill is January 1, 2020. Organizations will have up to one year following this effective date to become compliant and up to two years after that date to ensure their third-party vendors are also taking the necessary precautions to protect security.

Analyst Perspective: Establish a robust incident management program and risk framework now to comply with escalating state and regional regulations. While most organizations have some form of security program in place, many are immature and unmanaged. For many, especially smaller organizations, detecting a breach may be difficult – a scary thought. This Bill seeks to provide some visibility into how insurers secure their data and how they detect and respond to a breach. The Bill aims to motivate organizations to develop an acceptably mature security program and holds them accountable, as reported breaches can cause devastating reputational damage to the organization.

PwC Fined €150,000 by Hellenic Data Protection Authority

Type: Regulatory Enforcement
Announcement Date: July 31, 2019

Summary: In response to a complaint, the Hellenic DPA conducted an ex officio investigation into the lawfulness of the processing of personal data of employees working at PwC. According to the complaint, employees were required to give consent to the processing of their personal data. The Hellenic DPA concluded that PwC BS, as the controller, had unlawfully processed the personal data of its employees. Additionally, it concluded that PwC had processed the personal data of its employees unfairly and non-transparently, by giving them the false impression that their data was being processed under the legal basis of consent, in accordance with GDPR, while in reality their data was being processed under a different legal basis, of which the employees had not been informed. As a result, the Hellenic DPA has imposed a fine of €150,000 in accordance with Article 83 of GDPR. Furthermore, the DPA has ordered corrective measures that the company, in its capacity as controller, must implement within three months.

Analyst Perspective: Review your GDPR compliance program to ensure an appropriate lawful basis is assigned to the processing of employee personal data, especially for commercial purposes. GDPR infringements can be identified by any data subject (including job applicants, employees, and ex-employees) and exposed via a complaint to a data protection authority. In addition to assuring the necessary lawful basis is assigned, to satisfy GDPR’s accountability principle (Article 5(2)), employers should also ensure appropriate transparency controls are in place to satisfy Article 5(1). Examples of transparency controls for the processing of employees’ data include employee privacy policies or updated employment contracts that explain how employee data is used, for how long, and for what reasons.

ICO and CNIL Revised Cookie Guidelines: Convergence and Divergence

Type: Official Guidance
Important Date: July 2019

Summary: In July 2019, the UK Information Commissioner’s Office (ICO) and France’s data protection authority, the CNIL, published new guidance on the use of cookies. Organizations within GDPR scope that are governed by the ICO or the CNIL should refer to this guidance, which addresses whether the rules apply only to cookies and touches upon topics such as implied consent, territorial scope, grace periods, and whether cookie walls are allowed.

Analyst Perspective: Update your cookie and consent management processes now to avoid fines from two of Europe’s larger data protection authorities. GDPR has dramatically changed how the adtech industry can operate. With data protection authorities now handing out significant fines for noncompliance, your organization can no longer wait on compliance. Follow the ICO and CNIL rules as they apply to you; the requirements vary between authorities because each applies the allowable derogations differently in its local implementation of GDPR.

German Authority Orders Google to Stop Harvesting Smart Speaker Data

Type: Development
Important Date: August 1, 2019

Summary: Hamburg’s Data Commissioner recently flagged Google for a potential GDPR violation, due to the company’s practice of listening to voice interactions with the Google Assistant smart speaker. According to Google, this practice improves the device’s voice-recognition technology to better account for people’s accents, dialects, and other linguistic variations. Amazon has also since confirmed the use of similar practices. However, Hamburg’s Data Commissioner has ordered a moratorium on the practice, which he argues is not permissible under GDPR, and he has urged other data protection authorities in the EU to review such practices. But because Google’s European operations are based in Ireland, the German authority only has the power to impose restrictions for three months. The Irish authority has the power to impose greater measures but has announced that the matter is still being investigated.

Analyst Perspective: Tighten up your interpretation of GDPR and honor its core principles. Personal data is personal data no matter how it was collected or what processing activities are taking place, and in many cases the data subjects’ explicit consent is mandatory before such processing can occur. GDPR is about giving EU citizens a choice about how their data will be used, and this principle needs to be upheld for GDPR compliance. Simply waiting for data protection authorities to tell you that you are in violation is not a good strategy. If a practice seems to violate GDPR, it probably does.

Facebook and Website Owners Liable for “Like” Button, Says Top EU Court

Type: Development
Announcement Date: July 29, 2019

Summary: The Court of Justice of the European Union (ECJ) ruled that website plugins such as Facebook’s “Like” button constitute a breach of personal data rules. This ruling builds on the EU data privacy rules adopted under GDPR last year: both websites and Facebook now share joint responsibility for the processing of data derived from social plugins. This is because website operators, as data controllers, must communicate why personal data is being collected and processed and are responsible for securing consent from users, while data processors, like Facebook in this instance, process data on behalf of the controller. “The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website,” the judges said. While website operators are not liable for how Facebook processes data after it has been transmitted, they are accountable for how the initial collection and transmission of that data takes place.

Analyst Perspective: According to Bitkom, Germany’s technology industry association, the European court ruling imposes more responsibility on website operators no matter their size or kind of social plugin. While this may appear to be a burden for smaller website operators, this ruling will make everyone more aware of how they process data and how they design and communicate their data processing agreements (DPA). Again, as customers are becoming increasingly privacy-aware, this constitutes a reasonable demand that companies have demonstrable privacy practices in place to ensure the protection of their data.

With Digital Charter on the Horizon, Scope and Enforcement Still Unclear

Type: Development
Important Date: May 21, 2019

Summary: On May 21, Minister of Innovation, Science and Economic Development Navdeep Bains announced the launch of Canada’s Digital Charter as well as a discussion paper outlining an initial set of actions that will modernize the Personal Information Protection and Electronic Documents Act (PIPEDA) to support Canada’s new Digital Charter. The goal of the charter is to modernize the rules and governance of Canada’s digital sphere, and it does this by outlining ten key principles. The new Digital Charter will play a large role in how PIPEDA’s modernization will take shape, specifically how Canada will align its privacy legislation with that of the European Union and the United States. One of the most significant changes with these announcements is the proposal that the powers of the Office of the Privacy Commissioner of Canada be enhanced to allow better enforcement and compliance with PIPEDA.

Analyst Perspective: The Digital Charter and its principles are clear statements that require further observation. Because the Charter has broad implications for not only the Office of the Privacy Commissioner but also the Competition Bureau, Statistics Canada, and the Privacy Act, the stated goals included in this plan will undergo many changes as Parliament reconvenes after the summer adjournment. While Canada taking a principled stance on the digital sphere is a positive development, it is hard to tell how far it will change its enforcement of digital rules from how it has generally acted in the past.

Office of the Privacy Commissioner of Canada Shares Advice on How to Protect Information Shared on Social Media

Type: Official Guidance
Important Date: August 1, 2019

Summary: The Office of the Privacy Commissioner of Canada (OPC) has released guidance for the average citizen on better protecting their social media accounts and the information they share on those platforms. The guidance centres on the theme that once your information is out there, you no longer have full control over it. The OPC recommends that citizens better manage their privacy settings, which starts with reading the privacy policy to understand how the social media platform defines and implements privacy and what options you have to restrict or enable privacy of data when using the service. The OPC also touches upon how to reduce the potential for devices or passwords to be stolen, which would allow bad actors unauthorized access to an account.

Analyst Perspective: While the OPC guidance was aimed at general citizens, the best practices outlined within can be leveraged by organizations to reinforce good security hygiene in the workplace. Today, security awareness and training programs put a lot of emphasis on phishing, passwords, and physical security. All three of these areas are relevant for protecting social media. Therefore, reiterating the guidance given by the OPC in your training program can help keep training content personal – a characteristic seen in most successful training programs.

Singapore’s Personal Data Protection Commission Issues Directions to Six Organizations for Breaching the PDPA

Type: Development
Important Date: August 2, 2019

Summary: Singapore’s Personal Data Protection Commission recently announced decisions on six cases of potential Personal Data Protection Act (PDPA) violations. Fines were issued in five of the six cases, and all had accompanying directions regarding the infraction that took place. These financial penalties ranged from $5,000 to $54,000 and were used to penalize instances of unauthorized data disclosure, lack of a data protection officer, and failure to provide adequate protection for personal data.

Analyst Perspective: Verify that your organization is accounting for both security and privacy. Privacy has become a global issue that we all need to accept and take seriously, and doing privacy right depends on a strong security program. But don’t make the mistake of thinking that good security equals good privacy. While they are related, privacy and security are two separate functions, and each needs to be accounted for on its own.

If you have a question or would like to receive these monthly briefings via email, submit a request here.

Search Code: 87193
Published: December 11, 2018
Last Revised: August 8, 2019