Here are a few takeaways from what I said this week at the InfoGov World Expo virtual auditorium.

  • Is it still “early days for GDPR?” Not if you ask Germany, France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Spain’s Agencia Española de Protección de Datos (AEPD), Denmark’s Datatilsynet and other DPAs who have been hard at work enforcing and issuing fines.
  • Is this enough enforcement? Not if you ask noyb, which is taking the initiative and filing hundreds of claims of its own.
  • Is this enforcement of the wrong kind? Maybe, if you ask UK’s Department for Digital, Culture, Media and Sport (DCMS), which proposes to alleviate the Information Commissioner’s Office from the obligation to investigate every single complaint so it can focus on bigger picture things.
  • Is the US behind the EU on data protection? Hmm, do you have an hour to read this post? It depends. The US is very well established in incident response laws, and CPRA is instituting a number of key GDPR principles such as fair and lawful processing, data minimization, retention limitation, DPIAs and a dedicated data protection authority.
  • Are we headed to a US federal privacy law anytime soon? I dunno, define “soon.” The bipartisan dichotomy regarding preemption and a private right of action is ongoing, but watch this space for increased federal privacy enforcement with the establishment of a Federal Trade Commission privacy bureau, the appointment of a new commissioner specialized in privacy and the publishing of eight enforcement priorities.

Key practice takeaways from the Kişisel Verileri Koruma Kurumu (KVKK), Turkey’s data protection authority, and its EUR 195,000 fine against WhatsApp (which echoes the Data Protection Commission Ireland decision in many respects):

  • Consent as a legal basis can only be used when it is obtained for a specific data processing. Agreement to terms, which include transfers to third parties and cross border transfers, cannot constitute valid consent.
  • Including transfers, especially ones that are not reasonably expected by users, as part of the terms in a manner which is non-negotiable, is a violation of the “fair and lawful” principle.
  • Transfer of data must be proportional and limited to the purpose for which it is transferred.
  • You must clearly state which data will be transferred and for what purpose. Not doing so is a violation of the transparency requirement.
  • Beware of structuring something as acceptance of terms so that it appears you are relying on necessity for performance of a contract as your legal basis when you are actually relying on consent. This is not valid consent because, at a minimum, it is not freely given.


The UK’s Information Commissioner’s Office (ICO) is taking on cookie banners.

The office will call on fellow G7 data protection and privacy authorities to work together to overhaul cookie consent pop-ups in favor of software and device privacy settings.

“Joined by the Organisation for Economic Co-operation and Development (OECD) and the World Economic Forum (WEF), each G7 authority will present a specific technology or innovation issue they believe closer cooperation is needed,” reads an ICO news release.

“The ICO will present its vision for the future, where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website.”

“While this approach is already technologically possible and compliant with data protection law, the ICO believes the G7 authorities could have a major impact in encouraging technology firms and standards organisations to further develop and roll out privacy-oriented solutions to this issue.”

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory aimed at reminding businesses to be on guard over the Labor Day and other holiday weekends against cyberattacks.

History has shown threat actors often ramp up ransomware and other attacks over holidays when businesses let down their guard.

Nate Williams of the firm’s Privacy & Data Security Practice and Data Breach Prevention & Response Team summarizes the guidance in this client alert.

Ireland’s Data Protection Commission has imposed a fine of €225 million (more than $267 million) on WhatsApp, a popular messaging app owned by Facebook.

Here are some key takeaways for companies subject to GDPR:

Drafting privacy notice disclosures

  • When providing disclosures in your privacy notice, make them easy to understand. It is important to keep the relevant disclosures in one place. Don’t make users click through many documents to collate information that is sometimes repetitive. Don’t make them scroll through one long, continuous page.
  • The fact that other peers in the industry are doing it doesn’t affect a determination of compliance with GDPR. Using such an argument is tantamount to saying that the standards of compliance required by the GDPR may be determined by the members of particular sectors of industry instead of by the legislator.
  • When processing the information of non-users, you must provide sufficient disclosure about the use of the information, including purpose and manner of processing. You must provide it in a location where the non-users are likely to find it – not in the user privacy notice.
  • There needs to be a clear link between the category of personal data, the purpose of the specific processing operation and the legal basis relied upon for that processing operation. Unrelated long bullet lists for each of these items are not enough.
  • Describe the processing in a detailed granular way. For example: “(t)o promote safety and security” does not provide any indication as to what processing operations will be applied to the user’s personal data (i.e. specifically how it will be used and in what context) to meet this objective. Further, it does not enable a sufficient understanding as to what objectives are being pursued when personal data is processed for the general purpose of “[the promotion of] safety and security”.
  • Another example regarding location information: It must be clear whether the company will carry out any further processing operations on the user’s location data and, if so, what particular processing operations.

Regarding Data Retention:

  • “Until it is no longer necessary to provide our Services or until your account is deleted, whichever comes first” is somewhat misleading in that it gives the impression that, if the user deletes his/her account, the company will no longer process his/her data.
  • You need to provide practical examples of how each of the criteria affects the period of retention, so as to demonstrate accountability for compliance with the storage limitation principle.

Regarding third country transfers:

  • State either (i) that the transfer is subject to an adequacy decision; or (ii) that the transfer is not subject to an adequacy decision, and enable the data subject to access more information, in a meaningful way, about the adequacy decision(s) being relied on or the alternative method (e.g., a copy of the SCCs). It is not enough to say you “may” rely on adequacy decisions, “if applicable.”
  • It is not sufficient to provide a link to a generic European Commission webpage.

On August 27, 2021, Illinois Governor JB Pritzker signed the Protecting Household Privacy Act into law. It goes into effect Jan. 1, 2022.

House Bill 2553 prohibits Illinois law enforcement agencies from obtaining household electronic data or directing the acquisition of household electronic data from a private third party.

This includes any information or input provided by a person to any device primarily intended for use within a household that is capable of facilitating any electronic communication, excluding personal computing devices (like a personal computer, cell phone, smartphone, or tablet) and digital gateway devices (like a modem, router, wireless access point, or cable set-top box serviced by a cable provider).

There are exceptions to this prohibition, including certain emergency situations, if a warrant is obtained or if the owner of the household electronic device or person in actual or constructive possession of it gives consent.

If a law enforcement agency obtains such information under an exception, it may not disclose any information obtained. Again, however, there are exceptions: a supervisor of that agency may disclose particular information to another government agency, an employee of a government agency, or a material witness, subject to certain conditions.

Any person or entity that provides household electronic data in response to a request from any law enforcement agency under this bill shall take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency. They also shall limit any production of household electronic data to information responsive to the law enforcement agency request.

Here is one more note on the UK Department for Digital, Culture, Media and Sport’s (DCMS) new international transfers initiative: The documents contain a template and a detailed questionnaire for assessing the adequacy of the destination third country in connection with data protection.

These are organized, thorough and very user-friendly documents that should prove useful even to us in conducting Schrems II transfer impact assessments (TIAs). They also are easier to use than either the European Data Protection Board (EDPB) guidelines on Essential Guarantees or the Annex III attached to the EDPB Schrems II guidelines.

Here’s hoping for similar documentation to come from the EC/EDPB!

DCMS Transfer assessment Manual

DCMS Transfer assessment template

Can consent be considered “freely given” if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?

That is what noyb is asking in new complaints against seven major German and Austrian news websites.

It’s important to note that the CCPA outlines a somewhat similar test for assessing the legality of a financial incentive: the value derived by the company from the user’s data must be reasonably related to the value provided to the user.

In the cases at hand, the websites ask their users to either agree to letting their data be shared with tracking companies or take out a subscription for up to €80 (about $95) per year.

“Saying “no” to tracking is not only time-consuming (you have to enter your name, address and credit card data), but users also have to dig deep into their pockets,” according to noyb. “While the media companies only get a few cents per user for passing on data.”

The costs for these subscriptions go far beyond making up for lost ad revenue when users do not agree to tracking.

“Innovative advertising systems that media companies operate themselves and where both data and profits remain with the quality media are not only legally required, but probably also a question of economic survival,” Alan Dahi of noyb said. “We need to get back to a system where the reader follows the advertising instead of where advertising follows the reader.”

The Information Commissioner’s Office (‘ICO’) has issued new guidance for public consultation on cross-border transfers of personal data from the UK to third countries without an adequacy decision, replacing the old Standard Contractual Clauses (‘SCCs’) which are currently in use for such transfers.

The guidance has three documents:

  • Guidance on conducting Schrems II transfer impact assessments (which the ICO is calling transfer risk assessments) (‘the TRA Guidance’)
  • Guidance on International Data Transfer Agreements (‘the IDTA Guidance’)
  • Addendum to new SCCs

In Part 2 of this series for OneTrust DataGuidance, I discuss the ICO’s recommendations for what to include in international data transfer agreements (‘IDTAs’).

Part 1 of the series previously looked at TRA Guidance.