The U.S. Consumer Financial Protection Bureau (CFPB) is issuing an Advance Notice of Proposed Rulemaking to solicit comments and information that will assist the development of proposed regulations under Section 1033 of the Dodd-Frank Act dealing with consumer rights to access financial records.

Questions include:
  • What are the benefits to consumers from authorized data access?
  • To what extent does direct access to consumer data pursuant to Section 1033 raise any privacy concerns that should be considered by the Bureau?
  • To what extent do such movement, use, storage and persistence of authorized data align with reasonable consumer expectations or preferences, including privacy expectations or preferences?
  • What steps, if any, should the Bureau take to improve the effectiveness of existing laws that bear on data security in the context of data access?
  • What should the Bureau learn about the costs and benefits of authorized data access from regulatory experience in state jurisdictions or in jurisdictions outside the United States?

Read details in the full text of the rulemaking notice.

“I worry that we are caught in a DPA (Data Protection Authority) beauty contest of who issues the bigger fine,” said Irish Data Protection Commissioner Helen Dixon in her keynote at Daniel Solove’s Privacy+Security Academy Fall Forum.

Additional Key Takeaways
  • I am hesitant to list our enforcement priorities because I don’t feel that we are in control of setting the agenda and are reacting to complaints and to issues that arise, like the pandemic and the Schrems II judgment.
  • Schrems II didn’t create uncertainty, rather it created too much certainty that isn’t palatable for many.
  • “Let it rip.” Let us first build up a corpus of cases requiring international cooperation between DPAs before we can see if the harmonization mechanism is problematic.
  • In reality, cookie consent ends up as just an inconvenience on the person’s way to get the content. Putting more and more elusive control on individuals is not really achieving what we want to achieve.
  • The Data Protection Commissioner doesn’t have a bias against legitimate interest. Provided that all the other elements are met, including balancing, transparency and fairness, it provides better protection.
  • Legitimate interest could theoretically be used as a legal basis for targeted advertising. EDPB says it’s unlikely but you should do a case-by-case analysis.

Due to the importance of data protection law for employee monitoring practices, a careful and considered approach must be taken when potentially highly intrusive methods, such as tracking employee vehicles, are used. Employees must be informed of the existence of tracking and how it operates, as well as being clearly informed of all the purposes for which their personal data is to be used, in advance of any such tracking being implemented.

  • This means that the employer must clearly explain to the employee who is using the vehicle concerned, what records are being created, why those records are necessary, what they will be used for, how long they will be kept for, who will have access to them and for what reason.
  • This information should be displayed prominently in every car, within eyesight of the driver.
  • To rely on legitimate interest as the legal basis, ensure that the processing is strictly necessary and proportionate for the purpose of achieving that interest, and that the legitimate interest being pursued must be balanced against the rights and freedoms of the employee, including their reasonable expectations of privacy.

Details on the guidance from the Data Protection Commission of Ireland in this article for OneTrust DataGuidance.

The French data protection authority (CNIL) recently issued detailed guidance on online cookies and trackers. The guidance includes four documents: Guidelines, Recommendations, FAQs, and a specific statement on audience measurement. Here are some highlights:

  • You can offer users a global consent to a set of purposes if you present, in advance, all the purposes pursued, for example “accept all,” “refuse all.”
  • Present each purpose with a short and prominent title, accompanied by a brief description.
  • Make the exhaustive and regularly updated list of the data controllers involved available to users when their consent is obtained.
  • If refusal can be manifested by simply closing the window for collecting consent or by not interacting with it for a certain period of time, this possibility must be clearly indicated to users on this window to avoid confusion.
  • You must be able to demonstrate, at any time, that users have given their consent. If you do not collect the consent of users yourself (in particular for third party cookies), you must contractually require the other party to obtain valid consent and make proof of consent available to the other parties.

Full details on the CNIL (Commission Nationale de l’Informatique et des Libertés) guidelines and recommendations regarding cookies and trackers in this article for OneTrust DataGuidance.

The German Federal Motor Transport Authority (KBA) and the Federal Office for Information Security (BSI) recently signed an administrative agreement for cross-departmental cooperation to facilitate and accelerate the safe development of automated and networked driving.

“Anyone who buys a new car today assumes that they will receive a safe vehicle. Modern cars are moving high-performance computers that depend to a large extent on digital technology and are to be controlled autonomously by this in the future. The question of safety must therefore also be extended to this area, because possible cyber attacks must not have any influence on driving safety,” said BSI President Arne Schönbohm.

“The future belongs to networked vehicles. … It is therefore only logical to work with the BSI and KBA to create optimal conditions for testing the functionality and security of the required systems. … Together we will contribute to promoting automated and connected driving with the necessary care and attention – for more traffic safety and environmental protection,” said KBA President Richard Damm.

Details in this press release from the BSI.

How does GDPR apply to the transfer of personal data from an EU entity to an international organization?

“Entities subject to the GDPR that exchange personal data with international organisations have to comply with the GDPR, including its rules on international transfers (Chapter V of the GDPR),” says the European Data Protection Board in a response letter to Miguel de Serpa Soares, Under-Secretary-General for Legal Affairs and UN Legal Counsel.

“The EDPB guidelines on the territorial scope of the GDPR clarify the specific (and limited) obligations of service providers established in the EU that carry out processing on behalf of an entity that is not subject to the GDPR.”

“At the same time … certain questions remain … The European Data Protection Board will explore ways to further clarify how the rules on international transfers under the GDPR apply when personal data is transferred to international organisations. Please note that this may require some time due to the judgment of the Court of Justice of the European Union in case C-311/18 (Schrems II) issued on 16 July 2020.”

Read the full text of the EDPB letter.

California lawmakers recently passed legislation that amends the California Consumer Privacy Act.

“The most significant outcome of AB 713’s passage is that, pending California Gov. Gavin Newsom’s signature, information that is deidentified is exempt from regulation under the CCPA if the information is (1) derived from patient information that is protected under HIPAA, the California Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule; and (2) created pursuant to either the HIPAA expert determination method or the HIPAA Safe Harbor method. While the CCPA exempts deidentified information as defined in Cal. Civ. Code 1798.140(h), that definition did not align with the HIPAA deidentification standard, which led to confusion regarding the applicability and scope of the exemption.”

“Businesses that sell or disclose such information must state this in their privacy policy… If HIPAA deidentified information is sold or licensed after Jan. 1, 2021, to or by a party doing business in California, the contract must include provisions prohibiting the reidentification or further disclosure of information.”

Details from the International Association of Privacy Professionals.

“The Illinois General Assembly has evaluated numerous proposals similar to the CCPA. Illinoisans want to know that their personal information is protected, and they have a right to know who is collecting their data, for what purpose, and within reason, a right to request that data to be deleted if it is not needed. I will continue to work with the industries that collect this data to develop policies that afford consumers basic data protection rights that are also feasible for the entities collecting data,” said Illinois Attorney General Kwame Raoul.

“Illinois consumers should receive just as much protection as California consumers have under the CCPA, if not more. Therefore, any similar Illinois legislation should be consistent with California’s law.”

“It is important for any federal privacy law passed to contain the same strong data rights and protections for consumers that I have advocated for in Illinois law, without preempting more protective state laws. It is also important for state attorneys general to have the authority to enforce federal law to protect Illinois consumers.”

Details from the International Association of Privacy Professionals (IAPP).

“It is unknown what the new [Standard Contractual Clauses] will say on ‘Schrems II’ … It would be surprising if the new SCCs did not address the CJEU decision, but it may be overly optimistic to think that they will provide the much-needed certainty that privacy professionals are looking for. The additions are likely to be reasonably high level and generic and unlikely to replace the case-by-case assessment that the ‘Schrems II’ decision seems to require from controllers that want to transfer EU personal data to destinations outside the EU,” writes Henriette Tielemans for the IAPP – International Association of Privacy Professionals.

“The most probable scenario for the additions to the SCCs is that the revised SCCs will contain an additional representation from the data exporter that it has verified — and is satisfied — that the law of the third country of destination ensures adequate protection under EU law for the transferred data and that the level of protection required by EU law is respected in the country of destination. There also may be an additional requirement…to assist the data exporter with making this determination.”

Details from the IAPP.

It’s beginning to look a lot like (a Schrems II solution by) Christmas.

“A revised mechanism allowing companies to transfer Europeans’ data around the world may be ready before Christmas,” said EU digital chief Margrethe Vestager.

“My colleagues Vera Jourova and Didier Reynders are working very, very hard to look at standard contractual clauses, at least for that to step in as an intermediate solution. They are very ambitious and hope that it can be in place before Christmas … because the situation right now is not sustainable.”

Details from Reuters.