The United Kingdom’s Information Commissioner’s Office has issued draft guidance on the Right of Access under the General Data Protection Regulation (GDPR) for public consultation.

Read my detailed analysis for key takeaways on how to handle an access request and how to structure your systems so that one does not fall between the cracks. These takeaways may be equally applicable to those preparing for the right to know under the California Consumer Privacy Act (CCPA).

Read the full analysis here.

“Perhaps the more urgent need is to share ideas, instead of rushing to share people’s data,” writes European Data Protection Supervisor Wojciech Wiewiórowski.

“More than ever, there is a need to illuminate new paths for rewarding more sustainable business models that do not rely on the ubiquitous and constant tracking of human behaviour and relationships, a practice which has already damaged trust in digital services. Many European-based privacy enhancing technologies and ‘personal information management’ solutions are already in development or on the market.”

“The EU can be faithful to its values and offer a thriving, and sustainable, digital environment, giving a stimulus to European innovators and champions with the energy and ideas to compete with the biggest companies from other parts of the world.”

Read the full article.

The Belgian data protection authority has published for public consultation its priorities for 2019-2025.

They are divided into three main categories:

Priorities by sector

  • Telecommunication and media
  • Government
  • Direct Marketing
  • Education

Priorities focused on the themes of the AVG (General Data Protection Regulation)

  • Role of the Data Protection Officer or “DPO”
  • Legitimacy of processing
  • Citizens’ rights (access, resistance, rectification, etc.)

Social priorities

  • Photos and cameras
  • Online data protection
  • Sensitive data (such as biometric data, health data, etc.)

Read the full statement.

In a statement of its priorities over the next year, French data privacy regulator CNIL emphasizes the importance of a balanced approach to data protection regulation.

Key Takeaways:

The CNIL’s enforcement actions have gained added momentum with enactment of the GDPR, and the CNIL must commit itself fully in this respect.

“At the same time, the CNIL must ensure that data protection becomes part and parcel of professionals’ behavior and everyday culture, a condition essential to the GDPR’s success and the legal security of its actions.”

The CNIL will therefore continue to “walk on both feet” in a balanced and coordinated way, by providing support and taking enforcement actions.

Read the full statement from CNIL.

Standard Contractual Clauses live to fight another day.

“(There) is an obligation — placed on the controllers … and, where the latter fail to act, on the supervisory authorities … — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with,” writes European Union Advocate General Henrik Saugmandsgaard Øe, who released his opinion in the so-called “Schrems II” case.

The Court of Justice of the European Union is expected to issue a final decision in the coming months.

Details from the International Association of Privacy Professionals’ Caitlin Fennessy.

The House Energy and Commerce Committee unveiled a first draft of a bipartisan federal privacy bill.

Staffers on the committee sent the draft legislation to stakeholders and are seeking comments by mid-January. The draft from Republican and Democratic staffers on the House Energy and Commerce Committee comes as the Senate continues to wrestle with its own privacy negotiations.

“On many issues, the House’s privacy bill discussion draft hews closely to the legislation recently offered by the chairman and ranking member of the Senate Commerce Committee. But the bill side-steps several of the most divisive issues on the table, including whether any federal law will override incoming state privacy laws and whether individuals should be empowered to sue companies over privacy violations.”

Details from The Hill.

California Attorney General Xavier Becerra released the title and summary for the CCPA 2.0 ballot initiative, the California Privacy Rights Act.

Key provisions:

  • Right to amend inaccurate information
  • Right to restrict the use of “Sensitive Personal Information,” which includes finances, race, biometric information or information revealing health status or precise location.
  • Data minimization (collect only what you need)
  • Retention limitation (retain only for as long as necessary for the purpose)
  • Increase fines for violations regarding use of children’s information
  • Transparency regarding automated decision making
  • Establish a new authority to protect these rights, the California Privacy Protection Agency

Details from Californians for Consumer Privacy.

The French Competition Authority has announced it imposed a sanction of €150 million on Google for abusing its dominant position in search advertising.

The authority also ordered Google to:

  • clarify the drafting of the rules for its Google Ads advertising platform and review the information procedures concerning changes to the rules (individual notification two months before the change of rule)
  • clarify the procedures for suspending accounts in order to prevent them from being brutal and unjustified
  • set up procedures for alerting, preventing, detecting and treating breaches of its rules, so that measures to suspend Google Ads sites or accounts are strictly necessary and proportionate to the objective of consumer protection

To this end, Google must organize an annual mandatory training for staff responsible for personalized support for companies present on Google Ads so that the teams are sufficiently informed of the content and scope of the Google Ads rules, as well as the risks that their customers and users incur if they don’t respect them.

Read the full press release, available in English.

A sale by any other name, part 2.

Consumer rights advocates want the California Attorney General to clarify the definition of “sale.”

“The Attorney General should promulgate regulations reflecting that the transfer of data between unrelated companies for any commercial purpose falls under the definition of sale, so that consumers can opt-out of the sharing of their data for targeted advertising,” contends a coalition of consumer rights advocates that includes Consumer Reports, the ACLU and the Center for Digital Democracy.

The regulations, they request, should:

  • make clear that the “business purposes” exception doesn’t apply when ad tech companies engage in behavioral advertising.
  • specify that when consumers opt out, data can’t be shared for targeted advertising, even when the company receiving the data is a “service provider.”

Details from MediaPost.

The CCPA regs, they are not-a-changing.

California Attorney General Xavier Becerra doesn’t plan to make major changes to rules he proposed in October to enforce California’s new privacy law before issuing a final set of regulations.

“‘That initial public disclosure of our proposed regs gives everyone a sense of where we think we should go,’ Becerra (D) told reporters Dec. 16. Becerra’s office is sifting through about 1,700 pages of written comments on the draft regulations.

“Becerra said he is talking with legislators about possible changes to the law as he prepares to enforce it as it is. He said he isn’t ruling out an attempt next year to give consumers a private right to sue companies.”

Details from Bloomberg Law.