
This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. It is updated monthly. For each regulatory activity you will find actionable Info-Tech analyst insights and links to Info-Tech research that can help you become compliant. Regulatory activities are ordered by effective date.

Germany’s first GDPR fine shows benefits of early notification

Type: Regulatory Enforcement

Announcement Date: November 21, 2018

Summary: The State Commissioner for Data Protection and Freedom of Information of Baden-Wuerttemberg (LfDI) imposed Germany’s first GDPR fine on November 21, 2018. The €20,000 penalty is small against the applicable maximum of €10 million or 2% of annual worldwide turnover (whichever is higher), but according to the LfDI the company benefited considerably from contacting the authority directly after the hack and informing affected users promptly and comprehensively about the attack.

Analyst Perspective: Set alongside the Austrian DPA’s €4,800 fine for unlawful video surveillance and the €400,000 fine imposed in Portugal on a hospital after staff illicitly accessed patient data, Germany’s first GDPR enforcement shows that supervisory authorities weigh proportionality: the size of the organization (in the Austrian and Portuguese cases) and its willingness to cooperate. GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach where feasible, and Article 34 requires notifying affected individuals without undue delay when the breach is likely to result in a high risk to them. Make sure your GDPR and incident management programs are designed so that detection, triage, and escalation can meet those deadlines; timely notification is what reduced the fine in this case.

More Reading:

  • Source Material: IAPP

CNIL publishes Blockchain GDPR guidance

Type: Official Guidance

Announcement Date: November 6, 2018

Summary: CNIL, the French data protection authority, released guidance on the responsible use of blockchain in the context of personal data. Blockchain is a technology with high development potential that raises many questions, including about its compatibility with the GDPR (for example, how an append-only ledger can accommodate the rights to rectification and erasure). The CNIL has addressed the matter and presents concrete solutions for stakeholders who wish to use blockchain as part of their personal data processing operations.

Analyst Perspective: How personal data is processed by emerging technologies such as AI and blockchain has been a recent topic of discussion, since the GDPR does not prescribe how a given technology is to be made compliant. Instead, organizations are expected to balance the risks to data subjects and the rights of individuals against the business benefits of these technologies. Guidance from the various data protection authorities will continue to provide insight into the lawful operation of emerging technologies. Note that compliance is more than ticking boxes: following these guidelines alone does not guarantee compliance. Ensure a comprehensive GDPR compliance program is in place so your organization can keep adjusting as the technology changes.

Mandatory breach rules in effect for PIPEDA

Type: Regulation

Effective Date: November 1, 2018

Summary: On November 1, 2018, important changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) came into force, with fines for non-compliance of up to $100,000. Any organization subject to PIPEDA now has reporting, notification, and record retention obligations for any “breach of security safeguards.” Every breach triggers the requirement to keep a record of it (records must be retained for 24 months); reporting to the Privacy Commissioner and notifying affected individuals are required only where the breach creates a “real risk of significant harm” to an individual.

Analyst Perspective: While the fines pale in comparison to the €20M or 4% of annual worldwide turnover touted by the GDPR, non-compliance with the new PIPEDA breach reporting rules can still bring reputational harm to an organization. Organizations with operations beyond Canada (such as in the USA or EU) should streamline their incident management process so that a single workflow produces the appropriate notifications under each applicable regime.

Ohio privacy breach safe harbor law in effect

Type: Regulation

Effective Date: November 2, 2018

Summary: Ohio has enacted its own data protection act, effective November 2, 2018. Notably, it is a breach law that provides covered entities a legal safe harbor for certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a cybersecurity program that (1) contains administrative, technical, and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law.

Analyst Perspective: To qualify for safe harbor, a business must “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of several industry-recognized cybersecurity frameworks, including:

  • NIST
  • FedRAMP
  • GLBA
  • CIS Controls
  • ISO 27000 Family

The safe harbor is an affirmative defense against tort claims alleging a failure to implement reasonable security controls; it does not relieve an entity of its breach notification duties, and the burden of showing that a written program existed and was followed at the time of the breach falls on the entity, so keep the program document, control evidence, and review records current. Leverage Info-Tech’s Information Security strategy framework, which aligns with the NIST and ISO 27000 families, and ensure your organization has a robust incident management program in place.

FTC to hold hearings to examine enforcement actions against privacy infringements

Type: Development

Important Date(s): December 11-12, 2018 & February 12-13, 2019

Summary: The Federal Trade Commission (FTC) is holding four days of hearings in December and February to examine its authority to deter unfair and deceptive conduct in data security and privacy matters. The data security hearings will include five panel discussions and further discussion of research on data breaches and data security threats, including incentives to invest in data security and consumer demand for it, data security assessments, the U.S. framework for consumer data security, and the FTC’s data security enforcement program.

Analyst Perspective: The FTC, Congress, and technology enterprises continue their push towards a federal-level data privacy regulation. This upcoming set of hearings, along with a draft privacy bill, may mean a federal privacy mandate arrives before the California Consumer Privacy Act takes effect on January 1, 2020. Organizations should build a comprehensive data security program with robust incident management before these highly anticipated rules arrive rather than waiting for the final text.

China local law enforcement gains power on cybersecurity and data privacy laws

Type: Regulation

Effective Date: November 1, 2018

Summary: China’s new regulation provides a legal basis and framework for wide-ranging authority for local law enforcement agencies (Public Security Bureaus, or PSBs) to enforce China’s cybersecurity and data privacy laws by conducting onsite or remote inspections of internet service providers and of any entity that uses networks for its operations.

Analyst Perspective: Local authorities may now inspect a company’s network and data security both onsite and remotely, including remote assessment of vulnerabilities in internet-facing systems and onsite review of the company’s data security posture. Organizations with operations in China should expect such inspections, ensure appropriate data protection and vulnerability management are in place, and keep the evidence an inspector is likely to ask for (asset inventories, scan results, remediation records, and access logs) ready to produce.

If you have a question or would like to receive these monthly briefings via email, submit a request here.

Search Code: 87193
Published: December 11, 2018
Last Revised: December 11, 2018
