This Privacy Regulation Roundup summarizes the latest major global privacy regulatory development, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.


Businesses Benefit From New Modifications to CCPA Proposed Regulations

Type: Regulation

Announcement Date: February 7, 2020

Summary: The California Attorney General announced modifications to the proposed CCPA regulations on February 7 and February 10 that are primarily to the benefit of businesses. The most impactful changes relate to the concept of “personal information,” the definition of a household, service provider rights around the processing of personal information, privacy policy notifications, the sale of consumer personal information, and opt-out requirements. Changes have also been made to the obligations of data brokers and to the handling of requests made under the “right to know,” and biometric data has been added to the kinds of data that businesses must not disclose in response to a “right to know” request. The Attorney General closed comments on the changes at 5pm on February 25, with the potential for further revisions to the proposed regulations after the initial comment period.

Analyst Perspective: Ultimately, organizations must be aware of these changes and pay attention to any future modifications, as these will be part of the final rules that will be enforced on July 1, 2020. For organizations that already have a privacy program underway to meet the requirements of CCPA, some of these changes may not apply to the way they process personal information. Certain changes, such as whether the business can demonstrate that the information it collects can identify an individual, have made the concept of personal information more subjective. For example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” For many in-scope organizations, the CCPA will require a formal privacy program that can respond to changes in this regulation, especially if the business wants to avoid fines for violating these requirements.

Analyst: Marc Mazur, Research Specialist – Security, Risk & Compliance


Google Hit With New Lawsuit Over Faceprints

Type: Development

Announcement Date: February 7, 2020

Summary: Google has been hit with a new class-action lawsuit accusing the company of violating an Illinois biometric privacy law by compiling faceprints. “Unbeknownst to the average consumer ... Google’s proprietary facial recognition technology scans each and every photo uploaded to the cloud-based Google Photos for faces, extracts geometric data relating to the unique points and contours (i.e., biometric identifiers) of each face, and then uses that data to create and store a template of each face -- all without ever informing anyone of this practice.” This is not the first time mainstream social media giants have faced lawsuits or fines for a variety of privacy breaches. A week ago, Facebook found itself in a similar scenario and paid out half a billion USD to settle a resulting lawsuit. The infraction was identified as a violation of the Illinois Biometric Privacy Act, a law that requires companies to obtain consumers' written consent before collecting or storing scans of their facial geometry.

Analyst Perspective: Organizations must be able to show that potential harm to personal privacy is minimized when leveraging facial recognition, especially given the growing body of global and local privacy legislation such as GDPR, CCPA, and, in this case, the relatively new Illinois Biometric Privacy Act. Having a formal privacy program and review process in place can help keep deployments of such emerging technologies from violating data privacy laws. Moreover, organizations at the size and scale of Google, with seemingly endless funds, may simply treat fines for their privacy violations (due to gaps in compliance) as the cost of doing business.

Analyst: William Wong, Principal Research Advisor – Security, Risk & Compliance


Violating the GDPR Landed the German Unit of Facebook Inc. a US$55,500 Fine

Type: Regulatory Enforcement

Announcement Date: February 13, 2020

Summary: It was recently revealed that the German unit of Facebook Inc. did not follow the protocol set out by the GDPR for appointing a local Data Protection Officer (DPO). Consequently, the data protection authority in Hamburg, Germany, fined Facebook Inc.’s German unit US$55,500. Facebook accepted the fine and ended the violation by appointing a DPO.

Analyst Perspective: If you operate in Germany and do not currently have a Data Protection Officer, take note that Germany’s derogation under the GDPR requires a DPO for most operations. This enforcement of the GDPR’s DPO provision acts as a reminder to other organizations operating in Germany. Facebook’s repeated scrutiny by various Data Protection Authorities also acts as a reminder that organizations should take GDPR compliance and corrective requirements seriously across all EU operations.

Analyst: Ian Mulholland, Research Analyst – Security, Risk & Compliance


Welfare Surveillance System Violates Human Rights, Dutch Court Rules

Type: Regulatory Enforcement

Reported Date: February 2020

Summary: In an important decision, a court in the Netherlands has determined that a surveillance system implemented to detect welfare fraud contravenes human rights law. Digital welfare monitoring systems are often developed without enough consultation and are often seen as undermining the rights of the poor and society’s most vulnerable. This ruling sets a precedent for other governments’ social systems, many of which are looking at deploying similar systems.

Analyst Perspective: Organizations leveraging mass surveillance systems must ensure data subject rights are balanced, as the growing trend toward risk-based artificial-intelligence surveillance solutions developed to reduce welfare fraud may be a step too far and run counter to human rights. Weighing the ease with which new data can be collected and analyzed against the risk of heavy-handed or punitive monitoring is a key consideration prior to developing “digital welfare states.”

Analyst: Christine R. Coz, Principal Research Advisor – Security, Risk & Compliance


Deal or No-Deal, GDPR Edition

Type: Development

Announcement Date: February 19, 2020

Summary: With the UK’s exit confirmed as of January 31, a burning question has arisen around how GDPR will affect the UK-EU data ecosystem once the current transition period concludes. The answer hinges on whether a withdrawal (deal) agreement is reached prior to December 31. Although the transfer of data from the UK to the EU will not be restricted, should a withdrawal agreement not come to fruition, the UK becomes a “third country” as defined by the GDPR. This means that the EU Commission must determine that UK data protection laws are “adequate,” or organizations will need Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) to validate transfers of data from the EU to the UK once the transition period ends. Should a withdrawal agreement be reached, it is likely that the UK will remain compliant with the GDPR following the close of the transition period.

Analyst Perspective: Privacy compliance isn’t a one-and-done; organizations that subscribe to a data-privacy-by-design mindset will experience minimal disruption throughout a turbulent remainder of 2020. Achieving initial compliance status does not ensure continuous compliance, and this rings particularly true for the UK. The UK Data Protection Act of 2018, often referred to as the UK GDPR, mirrors its EU “big sister,” and will continue to, regardless of a deal or no-deal exit from the EU. As a result, a sound data protection culture has long since been established within the UK that will continue to shadow that of the EU, even without the legal red tape. Organizations within the UK should strive to adopt a mindset of continuous improvement when it comes to data privacy and protection in operations, as the uncertainty around the political environment governing data privacy law continues to be a dominant factor.

Analyst: Cassandra Cooper, Senior Research Analyst – Security, Risk & Compliance


Reforming Canadian Privacy Law in an (Artificially) Intelligent Manner

Type: Development

Announcement Date: January 28, 2020

Summary: The proliferation of AI has been identified as an area of concern for Canadian privacy law by the Office of the Privacy Commissioner (OPC) of Canada. To bridge the gap, the OPC has put out an open call seeking feedback and insight from subject matter experts. The objective is to ensure all areas of concern are addressed and that reforms to Canadian privacy law incorporate appropriate safeguards.

Analyst Perspective: Take a page from the OPC’s book by engaging proactively with emerging tech and leveraging privacy to facilitate AI integration in your organization. The relationship between emerging technologies and data privacy is complex. Intuition suggests that the two work against each other, as privacy has long been viewed as the hand that stifles innovation in organizations. This, however, is an antiquated way of thinking. The OPC is taking a proactive rather than defensive or reactive approach in addressing the current lopsided relationship between Canadian privacy law and AI. Organizations struggling to remain on the cusp of innovation while keeping up with evolving privacy laws should adopt a similar approach, before significant regulations are stamped upon AI integration:

  • Seek out expertise in the respective areas of concern or focus, i.e. emerging tech field, as well as privacy regulation
  • Identify core areas of overlap or concern between the two
  • Develop a program that emphasizes cooperation and integration, as opposed to exclusivity and isolation

Analyst: Cassandra Cooper, Senior Research Analyst – Security, Risk & Compliance


SHA Must Do More to Prevent Breaches: Saskatchewan Privacy Commissioner

Type: Regulatory Enforcement

Reported Date: January 2020

Summary: Following the loss or theft of 59 patient files, the Saskatchewan privacy commissioner made four recommendations to the Saskatchewan Health Authority (SHA). Between Sept. 29, 2018 and June 10, 2019, the files of 59 patients went missing after several continuing care aides’ (CCA) home visit schedules were either misplaced or stolen in a series of car break-ins. The findings included a need for appropriate safeguards to be defined to ensure patient data protection; inconsistent policies and procedures between cities and regions of the province; a lack of oversight in monitoring compliance; and inconsistency in breach investigation reports.

Analyst Perspective: Don’t be caught flat-footed. Where applicable, multi-jurisdictional data protection programs must be adapted to consider the practicalities of both urban and rural operational practices and requirements. Developing policies and procedures is not the end of the job. All privacy and security programs, regardless of the nature of the data involved, must be accompanied by a robust compliance monitoring and measurement strategy, awareness training, and regular program review and updates to ensure effectiveness.

Analyst: Christine R. Coz, Principal Research Advisor – Security, Risk & Compliance


South Korean Court Imposes Personal Liability on Privacy Officer for Data Breach

Type: Regulatory Enforcement

Reported Date: January 6, 2020

Summary: The privacy officer for the South Korean travel agency Hana Tour Service Inc. was issued a fine of ten million won (approx. US$8,500) for a 2017 data breach that exposed personal data for 465,000 customers and 29,000 employees. The breach violated South Korea’s Personal Information Protection Act and Network Act, which require necessary “technological and managerial measures” to be used to prevent such incidents and hold the person in charge of data protection personally responsible. The Ministry of Interior and Safety issued a separate fine to Hana Tour Service of 327,250,000 won (approx. US$280,000).

Analyst Perspective: Protect the personal data of others as if it were your own. Data breaches are becoming normalized, and this is a dangerous trend. South Korea’s law imposing personal accountability for data breaches, however, sets a new high (but reasonable) standard for data protection that seeks to counteract this trend, encouraging all of us to practice the principles of data protection by design.

Analyst: Logan Rohde, Research Specialist – Security, Risk & Compliance


ACCC Finally Finalizes Consumer Data Right Rules

Type: Regulation

Enforcement Date: February 5, 2020

Summary: The Australian Competition and Consumer Commission (ACCC) has finalized the rules governing the Consumer Data Right (CDR). The CDR has been touted as allowing individuals to “own” their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it. The now-finalized rules still specify three different ways CDR data can be requested: product data requests, consumer data requests made by CDR consumers, and consumer data requests made on behalf of CDR consumers. The privacy safeguards apply only to CDR data for which there are one or more CDR consumers (such as required consumer data and voluntary consumer data); they do not apply to CDR data for which there are no CDR consumers (such as required product data and voluntary product data).

Analyst Perspective: Organizations in the banking, energy, and telecommunications industries in Australia must ensure their consumer data conforms to the access requirements under the CDR. While some consider the CDR insufficient, its enforcement takes Australia one step closer to a robust consumer privacy regime, similar to the CCPA’s development in California. Organizations in affected industries should ensure they operate a privacy program that includes transparency and governance around how consumer data is used and how consumer requests can be satisfied.

Analyst: Aaron Shum, Practice Lead – Security, Risk & Compliance


If you have a question or would like to receive these monthly briefings via email, submit a request here.

Search Code: 87193
Published: December 11, 2018
Last Revised: February 27, 2020