“Though it was hailed as a potentially groundbreaking bill, the New York Privacy Act (NYPA) failed to materialize during the state’s most recent session. Had it done so, the bill would have introduced a regulatory framework that rivaled or potentially even surpassed that of the California Consumer Privacy Act (CCPA), the first major piece of data privacy legislation in the United States.”

Details from GovTech.

The Federal Trade Commission is seeking comments on the Children’s Online Privacy Protection Act Rule.

In light of continued rapid changes in technology, the Federal Trade Commission is seeking comment on the effectiveness of the amendments the agency made to the Children’s Online Privacy Protection Act Rule (COPPA Rule) in 2013 and whether additional changes are needed.

“In light of rapid technological changes that impact the online children’s marketplace, we must ensure COPPA remains effective,” said FTC Chairman Joe Simons. “We’re committed to strong COPPA enforcement, as well as industry outreach and a COPPA business hotline to foster a high level of COPPA compliance. But we also need to regularly revisit and, if warranted, update the Rule.”

In addition to standard questions about the effectiveness of the COPPA Rule and whether it should be retained or modified, the FTC is seeking comment on all major provisions of the COPPA Rule, including its definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and safe harbor provision.

Details from the FTC.

The European Data Protection Board (EDPB) publishes its first annual report and reveals a road map for guidance to come.

In 2019 and 2020, the EDPB aims to focus on data subjects’ rights, the concept of the controller and processor, and legitimate interest.

The EDPB will also consider technologies such as connected vehicles, blockchain, artificial intelligence and digital assistants, video surveillance, search engine de-listing and data protection by design and by default.

Read the full report.

The Dutch Data Protection Authority has levied a fine of 460,000 euros on Haga Hospital for insufficient security following an investigation revealing that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person.

In addition, if the hospital has not improved security before October 2, 2019, it must pay 100,000 euros every two weeks, up to a maximum of 300,000 euros.

According to DutchNews.nl, the authority’s chairman Aleid Wolfsen said: “The relationship between a healthcare provider and a patient should be completely confidential. Also within the walls of a hospital. It doesn’t matter who you are.”

Key takeaways:
  • Have adequate logs in place: The hospital must regularly check who consults which file.
  • Good security requires authentication that involves at least two factors.

Details from the Dutch Data Protection Authority.

Checklist for drafting your controller-controller data sharing agreement (from the ICO Data Sharing Code of Conduct now out for public consultation):

  • What is the purpose of the data sharing initiative?
  • Which other organizations will be involved in the data sharing?
  • Are we sharing data along with another controller?
  • What data items are we going to share?
  • What is our lawful basis for sharing?
  • Is there any special category data or sensitive data?
  • What about access and individual rights?
  • What information governance arrangements should we have?
  • What further details should we include?

Read the full text of the draft data sharing code.

Questions to ask when sharing data between two data controllers (from the ICO Data Sharing Code of Conduct):

  • What is the sharing meant to achieve?
  • What information do we need to share?
  • Could we achieve the objective without sharing the data or by anonymizing it?
  • What risks does the data sharing pose to individuals?
  • Is it right to share data in this way?
  • What would happen if we did not share the data?
  • Are we allowed to share the information?
  • Who requires access to the shared personal data?
  • When should we share it?
  • How should we share it?
  • How can we check the sharing is achieving its objectives?
  • Do we need to review the DPIA?

Read the full draft code of conduct.

The UK Information Commissioner’s Office has issued a data sharing code of conduct for public consultation.

Key takeaways:
  • When considering sharing data, assess your overall compliance with the data protection legislation. Consider conducting a Data Protection Impact Assessment (DPIA) even if not required.
  • It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all the parties to be clear about their respective roles. It helps you to demonstrate your accountability under GDPR.
  • Identify at least one lawful basis for sharing data from the start.
  • Always share personal data fairly and in a transparent manner. When you share data, you must ensure it is reasonable and proportionate. You must ensure individuals know what is happening to their data unless an exemption or exception applies.
  • In a data sharing arrangement, you must have policies and procedures that allow data subjects to exercise their individual rights with ease.
  • If an M&A means that you have to transfer data to a different controller, you must take care. Consider data sharing as part of your due diligence.

Read the full draft data sharing code.

The European Data Protection Board has issued guidance on the use of video surveillance.

Key takeaways:
  • The monitoring purposes of cameras should be documented in writing.
  • Data subjects must be informed of the purpose(s) of the processing: “safety” or “for your safety” is not sufficient.
  • The most likely legal bases for video surveillance are: legitimate interest and “necessary in the public interest.”
  • Data subjects’ consent can only serve as a legal basis in exceptional cases.
  • When blurring the picture with no retroactive ability to recover the personal data the picture previously contained, the personal data are considered erased in accordance with GDPR.
  • The notice under Article 13 should be provided in a layered manner – first layer (warning sign) and second layer (other location).
  • Controllers should implement technical measures to fulfill an access request without revealing the identities of other people (e.g. image-editing such as masking or scrambling).
  • If the video footage is not searchable, the data subject should specify in the request when, within a reasonable time frame, he or she entered the monitored area.

“The Federal Trade Commission fined Facebook a record-setting $5 billion on Friday for privacy violations, according to multiple reports. The penalty comes after an investigation that lasted over a year, and marks the largest in the agency’s history by an order of magnitude. If approved by the Justice Department’s civil division, it will also be the first substantive punishment for Facebook in the United States, where the tech industry has gone largely unregulated.”

Details from Wired magazine.

The European Data Protection Board has issued an opinion on lead supervisory authority in the event of a change of location of the main establishment of an organization.

Highlights:
  • Competence to act as lead supervisory authority can switch to another supervisory authority until a final decision has been reached.
  • Relocation of a main establishment to another European Economic Area Member State mid-procedure: First authority is deprived of its original competence; operations already carried out remain valid.
  • Creation of a main or single establishment or its relocation from a third country to the EEA: Controller still entitled to one-stop-shop. Every pending proceeding will be transferred to the Supervisory Authority (SA) of the state in which the main establishment is located. This SA will become the Lead Supervisory Authority (LSA), and the proceeding will continue in accordance with the rules in Article 60.
  • Disappearance of main or single establishment mid-procedure: No one-stop shop. In case the establishment ceases to exist in the territory of its Member State, the former lead supervisory authority remains competent; each concerned authority regains full jurisdiction.

Read the full EDPB opinion.