“Increased usage of consumer products and industrial devices connected to the internet will also raise new risks for privacy, information- and cybersecurity, including increasingly potential impacts on the integrity and availability of products and data, which can directly affect safety,” says the Council of Europe in its “Conclusions on the cybersecurity of connected devices.”

Additional points:
  • Cybersecurity and privacy should be acknowledged as essential requirements in product innovation, the production and development processes, including the design phase (security by design), and should be ensured throughout a product’s entire life cycle and across its supply chain.
  • It is equally important to increase consumer awareness of potential privacy and security risks.
  • All stakeholders, in particular manufacturers, have an important role in raising the level of cybersecurity of connected devices.
  • It’s important to assess the need for horizontal legislation to address all relevant aspects of cybersecurity of connected devices, such as availability, integrity and confidentiality. This could be done by way of a certification framework.

Read the full text of “Conclusions on the cybersecurity of connected devices.”

The European Data Protection Board has issued guidance on its Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The annual coordinated action focuses on a pre-defined topic which participating SAs may pursue using a pre-defined methodology.

  • The CEF is the foundation on which the annual coordinated action is built (the ‘rulebook’ for coordinated action). The objective of the CEF is to facilitate joint actions in the broad sense in a flexible but coordinated manner.


Details in my LinkedIn article.

The European Parliament issued a detailed study on the impact of smart mobility applications on the future of transport and addressed some data protection issues.

  • Public authorities should further specify legislation for data privacy and protection (e.g. addressing how drivers can grant third parties consent to use their data where processing is necessary for a task carried out in the public interest).
  • The Cooperative Intelligent Transport System (C-ITS) industry and vehicle manufacturers should develop systems flexible enough to guarantee full control of personal data by the driver (privacy by design) and provide a “no tracking” function.
  • The C-ITS industry, vehicle manufacturers and public authorities should actively inform users of C-ITS applications on the negative consequences of disabling the broadcast (e.g., reduced traffic safety), but at the same time their ability to manage their personal data should be pointed out.
  • The same challenges and potential mitigation actions as for C-ITS services are relevant for Connected Cooperative Automated Transport (CCAM).

Read the full text of the study.


The White House recently issued guidance to government agencies for the regulation of artificial intelligence applications.

Key data protection takeaways:
  • Transparency is essential. Disclosures should be written in a format that is easy to understand.
  • What constitutes appropriate disclosure and transparency is context-specific, depending on assessments of potential harms, the magnitude of those harms, the technical state of the art, and the potential benefits of the AI application.
  • Promote the development of AI systems that are safe, secure, and operate as intended.
  • Pay particular attention to the controls in place to ensure the confidentiality, integrity, and availability of the information processed, stored, and transmitted by AI systems.
  • Consider methods for providing systemic resilience, and for preventing bad actors from exploiting AI systems.
  • Be mindful of any potential safety and security risks and vulnerabilities, as well as the risk of possible malicious deployment and use of AI applications.
  • Consider any national security implications and take actions to protect national security as appropriate.

Read the full text of the guidance.

The Consumer Privacy Protection Act (CPPA) is coming! The Canadian government has submitted a bill for the amendment of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the enactment of a new, modern privacy act.

Key provisions include:
Stronger enforcement:
  • Broad order-making powers to the Commissioner, including recommending the issuance of fines.
  • Two-tiered administrative monetary penalties: up to 3% of global revenue or $10 million at the first tier, and up to 5% of global revenue or $25 million at the second.
Stronger protections:
  • Required disclosure of data processing in plain language.
  • Right for individual to direct the transfer of their personal information from one organization to another.
  • Right to delete/right to object to processing.
  • Transparency about how automated decision-making systems like algorithms and artificial intelligence are used to make significant predictions, recommendations or decisions and the right to request an explanation.
  • Protection of de-identified information, with its use without an individual’s consent limited to specific circumstances.

Read the full text of the legislation.

Some thoughts from the interactive ad industry on CCPA compliance from a new IAB CCPA Benchmark survey.

  • Allowing the placement of third party trackers for the purpose of advertising is likely a sale.
  • Participants down the advertising chain are sometimes “businesses,” sometimes “service providers” and sometimes “third parties.”
  • Many give CCPA rights to individuals outside California.

Deeper dive into these and other insights from the IAB CCPA Benchmark survey in this client alert.

The European Commission has issued long-awaited draft Standard Contractual Clauses and they have something for everyone…

  • Annexes and pick-and-choose modules (C2C, C2P, P2P, P2C).
  • Lots of emphasis on the laws of the country of transfer and pushing back on government requests.
  • Reiteration of some Article 26 (joint controller agreement) and Article 28 (data processor agreement) provisions.
  • Requirements for transparency to the individuals.
  • Individual redress, third-party beneficiary rights, and allocation of liability among the entities.

Details in this client alert.

Brace yourselves, the post-Schrems II supplemental measures are coming!

The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the European Union level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.

“The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data,” said EDPB chair Andrea Jelinek.

The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with privacy rights.

Details in this EDPB Press Release.


“The LGPD replicates the GDPR’s extraterritorial scope and then takes it one giant step further. The LGPD, like the GDPR, applies to processing carried out in Brazil, as well as processing related to the offering or provision of goods or services to individuals in Brazil,” writes Caitlin Fennessy for IAPP, the International Association of Privacy Professionals.

“Importantly…if your company is processing personal data related to individuals in Brazil, the LGPD (Lei Geral de Proteção de Dados) now applies regardless of the origin of that data.”

Until the ANPD (Brazilian Data Protection Authority) takes action, “companies may be limited to two data transfer mechanisms only — specific and distinct consent and the necessity for the execution of a contract”.

“Since each of the mechanisms listed above has a close relative under the GDPR, the EU’s experience, as well as the experience of other nations that have replicated the EU model, is instructive [may]… offer insight into how the ANPD might operationalize them and the impact that could have on companies.”

Full details in this article from the IAPP.

Denmark’s Data Protection Authority Datatilsynet has published an article emphasizing the importance of providing encrypted means for communicating personal information:

  • Authorities and companies must, as data controllers, ensure — on the basis of an assessment of the risk to citizens’ rights — that they establish appropriate security measures. This means, among other things, that authorities and companies are responsible for establishing secure transmission solutions that address the identified risks to citizens — not only when they send information to citizens, but also when they collect information from citizens for the processing of a case or service.
  • An authority or company is not responsible for the method of transmission if the citizen sends information of a confidential or sensitive nature unsolicited via an unencrypted connection, or if the citizen — despite an invitation to send the information encrypted — still uses an insecure method of transmission.

Details in this article from Datatilsynet.