What can the California Privacy Protection Agency learn from the EU experience as it prepares to draft regulations on data protection impact assessments (DPIAs)? Here is a recap of my remarks at the CPRA Regulations Stakeholder Session:

1) Don’t reinvent the wheel: start from the specificity already in the Virginia (VCDPA) and Colorado (CPA) laws, and from the detailed work that has been done in the EU.

  • This gets guidance off the ground faster and in front of the companies that are looking to comply.
  • It also provides more legal certainty, and it helps multinationals, which can leverage the DPIA work they have already done for the EU.

2) Provide clear guidelines for when a DPIA is needed.

  • Provide a decision tree if possible.
  • Don’t be too specific. (For example, the European Data Protection Board rejected a member state blacklist entry that would have required a DPIA merely for processing sensitive data or for a cross-border transfer.)
  • Consider also providing a “white list” of processing for which a DPIA is not needed.
  • Provide guidance on when to revisit the DPIA (e.g. technological advances, changes in the processing, or after a merger or acquisition).
  • Define the input that service providers can give to assist the business. (Consider issuing guidance encouraging, or expecting, assistance from the large providers, especially on transparency.)
  • Provide guidance on how to integrate the DPIA with the other risk assessments the business already performs.

3) Provide clear, but not too complicated, guidelines for how to carry out a DPIA.

  • Leverage the EU models: the UK ICO, CNIL (with its taxonomies), the Netherlands, Spain, Germany, and/or ISO/IEC 29134 (as updated).
  • Build the privacy management system on top of the existing ISMS rather than alongside it.
  • Land somewhere between the UK and Germany:
    1. ICO – The model is very easy to read, but it may be implemented incorrectly because the necessity/proportionality assessment component is open-ended.
    2. Germany – A very complex and detailed model which maps the technical and organisational measures (TOMs) to the risks. This is helpful, but there should also be an SME-friendly model.
  • Provide guidance on the risks to consider: leverage existing harm and risk taxonomies.
  • Provide guidance on how to carry out the process. For example, a three-dimensional model: break the processing down into phases (such as storage, use, modification, sharing) and assets (software, hardware, employees, recipients), and for each phase/asset pair assess the likelihood and severity of an infringement of each relevant data protection principle.
  • Provide guidance on the process itself and on the relevant stakeholders inside and outside the company (e.g. involving the individuals affected).
  • Provide options and guidance for SMEs.
  • Provide or source recommended DPIAs (e.g. in difficult areas such as the algorithmic impact assessment discussed in the EU AI Act), so that companies can check whether a DPIA has already been performed in a similar case. (The Commission Nationale de l’Informatique et des Libertés (CNIL) has published a number of sample analyses, and Ireland’s Data Protection Commission has recommended a few as a “gold standard.”)
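To make the phase/asset model in section 3 concrete, here is a small risk register in that shape, written as an added illustration for this recap; it is not a model published by the CPPA, the ICO, CNIL or any other authority. The phases, assets and principles are taken from the bullet above; the 1–4 likelihood and severity scales, the high-risk threshold of 9, the function names and the sample entries (a hypothetical HR analytics pipeline) are all assumptions. Two checks are built in that regulators' templates tend to leave implicit: an empty phase/asset cell is reported as unassessed rather than silently treated as low risk, and an entry that lists measures without re-scoring the residual risk is rejected, because otherwise the inherent score would be reported as the residual one.

```python
"""Worked DPIA risk register: phases x assets x data-protection principles,
each scored for likelihood and severity.  Added illustration, not a model
from the CPPA or any EU authority; scales, threshold and samples are assumed."""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional

PHASES = ("storage", "use", "modification", "sharing")
ASSETS = ("software", "hardware", "employees", "recipients")
PRINCIPLES = ("purpose limitation", "data minimisation", "storage limitation",
              "integrity and confidentiality")

SCALE = range(1, 5)   # assumed 1..4 bands (remote..very likely, minimal..maximum)
HIGH_RISK = 9         # assumption: likelihood x severity of 9+ counts as high risk


@dataclass
class RiskEntry:
    phase: str
    asset: str
    principle: str
    likelihood: int
    severity: int
    measures: List[str] = field(default_factory=list)   # TOMs applied to this cell
    residual_likelihood: Optional[int] = None           # re-scored after the TOMs
    residual_severity: Optional[int] = None

    def __post_init__(self) -> None:
        if (self.phase not in PHASES or self.asset not in ASSETS
                or self.principle not in PRINCIPLES):
            raise ValueError(f"unknown phase/asset/principle in {self}")
        for v in (self.likelihood, self.severity,
                  self.residual_likelihood, self.residual_severity):
            if v is not None and v not in SCALE:
                raise ValueError(f"score {v} outside 1..4")
        # Measures without a residual re-score is a common DPIA defect: the
        # inherent score would then be reported as if it were the residual one.
        if self.measures and (self.residual_likelihood is None
                              or self.residual_severity is None):
            raise ValueError(f"{self.phase}/{self.asset}: measures listed "
                             "but residual risk not re-assessed")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.severity

    @property
    def residual(self) -> int:
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        sv = self.severity if self.residual_severity is None else self.residual_severity
        return lk * sv


def unassessed_cells(entries):
    """Phase/asset pairs with no entry at all.  An empty cell is an unassessed
    risk, not a low one: the DPIA is incomplete until each pair has an entry."""
    assessed = {(e.phase, e.asset) for e in entries}
    return [cell for cell in product(PHASES, ASSETS) if cell not in assessed]


def high_residual_risks(entries):
    """Entries still at or above the threshold after measures, worst first."""
    return sorted((e for e in entries if e.residual >= HIGH_RISK),
                  key=lambda e: (-e.residual, e.phase, e.asset))


def prior_consultation_needed(entries) -> bool:
    """Mirrors the GDPR Art. 36 rule: if high residual risk remains after the
    measures, the controller must consult the supervisory authority first."""
    return bool(high_residual_risks(entries))


# Constructed sample register for a hypothetical HR analytics pipeline.
SAMPLE = [
    RiskEntry("storage", "software", "integrity and confidentiality", 3, 4,
              measures=["encryption at rest", "keys held in an HSM"],
              residual_likelihood=1, residual_severity=4),
    RiskEntry("sharing", "recipients", "purpose limitation", 3, 3,
              measures=["processor DPA", "contractual purpose limits"],
              residual_likelihood=2, residual_severity=3),
    RiskEntry("use", "employees", "data minimisation", 4, 3),   # no TOMs yet
    RiskEntry("modification", "hardware", "integrity and confidentiality", 2, 2),
]

if __name__ == "__main__":
    for cell in unassessed_cells(SAMPLE):
        print("unassessed:", cell)
    for e in high_residual_risks(SAMPLE):
        print(f"HIGH {e.residual:2d} {e.phase}/{e.asset}: {e.principle}")
    print("prior consultation needed:", prior_consultation_needed(SAMPLE))
```

On the sample data the only entry that stays high after mitigation is the unmitigated "use/employees" cell (score 12), and twelve of the sixteen phase/asset cells are reported as unassessed, which is the kind of gap a reviewer should see before signing off rather than discover after the fact.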