In the age of digitization, personal information your business holds about your customers (or your customers’ customers) has become a strategic enterprise asset and should be treated as such.

Privacy considerations should be incorporated into your go-to-market strategies.

Gartner with some tips:

  • Customer-facing policies and communications should clearly explain what information is collected and why, as well as any applicable customer rights.
  • Policies should be readily accessible and understandable for customers — and reinforced internally.
  • Managers and senior leaders should echo the standards in small team discussions, all-company meetings and other forms of messaging.
  • There should be a coherent approach to working with third parties. Codify what third parties can and can’t do with user data, and define consequences for failure to comply. Make sure to follow through and monitor compliance.
  • Compare your customers’ privacy appetite to your organization’s overall risk appetite — and be prepared to manage any gaps between the two.

Details from the International Association of Privacy Professionals.

Now serving complaint #6241…

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published guidelines on how it will prioritize the handling of complaints filed with it under the EU General Data Protection Regulation (GDPR).

Criteria include:

  1. How harmful is the alleged violation for the individual(s)? This depends on the nature of the data and the nature of the violation.
  2. What is the broader social significance? For example, does the case involve processing of personal data by governments or in healthcare, trade in personal data, unreported data leaks, or data leaks caused by serious security shortcomings?
  3. To what extent will the DPA be able to act effectively, taking into consideration other complaints filed with it and its available manpower and budget?

If a complaint scores high on several criteria, there may be more reason for further investigation by the DPA. In exceptional circumstances, however, further investigation can be started with a low score on all criteria.

Read the full guidelines.

Clinical trials and the EU General Data Protection Regulation (GDPR): The European Data Protection Board (EDPB) has issued a much-awaited opinion on the legal basis for processing clinical trial data.

Key takeaways:

  • The legal basis for processing operations expressly provided for by the Clinical Trial Regulation and by relevant national provisions, as related to reliability and safety purposes, is “legal obligation(s) to which the controller is subject” (Art 6(1)(c)). This specifically includes:
    • performance of safety reporting
    • archiving of the clinical trial master file
    • the medical files of subjects
    • any disclosure of clinical trial data to the national competent authorities in the course of an inspection
  • The legal basis for processing operations purely related to research activities in the context of a clinical trial would, depending on the facts of the case, be:
    • the data subject’s explicit consent (Art 6(1)(a) + Art 9(2)(a)),
    • a task carried out in the public interest (Art 6(1)(e)),
    • the legitimate interests of the controller (Art 6(1)(f) + Art 9(2)(i) or (j)).

Read the full opinion.

“As California goes, so goes the nation,” said Vermont Attorney General T.J. Donovan.

A group of state attorneys general said Wednesday that they are looking to California for guidance and following how the country’s most populous state prepares for the California Consumer Privacy Act, which takes effect in 2020.

Data Breach Today reports that: “Several U.S. states, including Oregon, North Carolina, Virginia and Washington, are considering new legislation to shore up consumer data privacy laws in the wake of California passing strict privacy requirements last year.”

Oregon is considering a bill that would prohibit the sale of de-identified protected health information without first obtaining a signed authorization from an individual.

In Virginia a bill proposes new requirements for businesses related to disposal of certain consumer records.

Washington is considering a bill that would require companies that collect personal data to be transparent about the type of data being collected, whether consumer data is sold to data brokers, and upon request from a consumer, delete the consumer’s personal data without undue delay.

Coverage from Statescoop and Data Breach Today.

Forget me yes, part two.

The Austrian Data Protection Authority holds that a data controller can meet its obligation to satisfy a data subject’s erasure request under GDPR by anonymizing the personal data.

Some points:

  • Erasure is not the same as destruction; the controller can select means to carry out the erasure.
  • The controller must ensure that neither the controller itself nor a third party can restore a personal reference without disproportionate effort.
  • The fact that reconstruction of the data may become possible in the future due to new technology does not render the erasure insufficient.
  • The measures used by the company that were deemed to be sufficient for erasure were:
    • delete the contract offer
    • delete all contacts (e.g. mail address, telephone number, etc.)
    • irrevocable manual deletion of the first and last name and replacement by “John Doe” (with the same date of birth)
    • stop communication with the individual
    • merge the person to be erased with the new anonymous person to ensure that the overwriting is also technically sustainable
    • erase customer in electronic file

Details from the Austrian Data Protection Authority.

An unintended consequence of the EU General Data Protection Regulation (GDPR) is fake or nefarious requests for access to, or deletion of, information.

Some points to note:

  • If you received a (badly worded) request for erasure under GDPR, where you have confirmed that GDPR does not apply or where you cannot properly authenticate the individual, consider whether the request could double as an unsubscribe request under CAN-SPAM, with which you must comply.
  • Once you have collected all the data to give to the data subject, and before disclosing it to the individual, have the materials reviewed by counsel to determine:
    • whether all the documents you collected really constitute “personal data” under GDPR
    • whether they can be disclosed without breaching other rights — those of the company, or those of other individuals
    • whether any other exception under GDPR applies to the obligation to produce or delete the information.

Details from the International Association of Privacy Professionals.

Are inferences the next frontier of data protection? Social media and other technology companies are increasingly making inferences from data collected from individuals.

They may be able to infer protected attributes such as sexual orientation and race, as well as political opinions (including stances on abortion), how likely a user is to attempt suicide, and eligibility for loans.

The EU General Data Protection Regulation (GDPR) imposes enhanced requirements and limitations on automated processing that involves profiling, but Oxford scholar Sandra Wachter argues that the protection GDPR provides here is lacking.

Wachter suggests ‘a focus on how data is evaluated, not just collected,’ with a standard for the ‘right to reasonable inferences.’

The newly passed California Consumer Privacy Act specifically includes inferences drawn from collected personal information as a category of personal information in its own right, and subjects this data to disclosure and data access rights. To some extent, this may provide such enhanced protection.

Read the full story in Forbes.

Forget me yes.

The Danish data protection authority has published a practical guide on data minimization and the right of erasure under GDPR:

  • If you use “soft delete,” where a link is deleted but the personal information remains in the underlying database, this is not real deletion.
  • Based on the purposes of the processing, and subject to legal retention requirements, the data controller must determine and document the deletion deadline for each processing.
  • Data controllers must develop deletion procedures for systems where personal data is processed and must implement a follow-up procedure to ensure deletion.
  • For accountability, data controllers may keep a log of requests received under the right to be forgotten. They should set reasonable deletion deadlines for the log.
  • Personal data must be deleted from backups if technically possible. If not, the data controller must ensure that personal data deleted from the system in operation is also removed again if a backup is restored.

Read the guide.
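As an added illustration of the Danish DPA’s “soft delete” point and of the erasure steps the Austrian DPA accepted above (not code from the page or from either authority), the following toy record store contrasts a flag-only deletion with real anonymization and re-applies erasures after a backup restore. The field names, the sample customer and the erasure-log structure are constructed assumptions.

```python
# Added example: "soft delete" (flag only, PII retained) versus the
# anonymization steps accepted by the Austrian DPA, plus re-applying
# erasures when a backup is restored. Not from the page or either DPA.
import copy

# Constructed sample record; field names are assumptions for illustration.
CUSTOMER = {
    "id": 1001,
    "first_name": "Anna",
    "last_name": "Muster",
    "date_of_birth": "1980-04-12",
    "email": "anna@example.invalid",
    "phone": "+43 1 2345678",
    "contract_offer": {"product": "insurance", "premium": 120.0},
    "communication_allowed": True,
    "erased": False,
}

# Fields that carry a personal reference to the original individual.
IDENTIFYING = ("first_name", "last_name", "email", "phone", "contract_offer")

def soft_delete(record):
    """Danish DPA's "soft delete": only a flag changes, the PII stays."""
    out = copy.deepcopy(record)
    out["erased"] = True
    return out

def anonymize(record):
    """Steps the Austrian DPA accepted as erasure; date of birth is kept."""
    out = copy.deepcopy(record)
    out["contract_offer"] = None                          # delete the offer
    out["email"] = out["phone"] = None                    # delete all contacts
    out["first_name"], out["last_name"] = "John", "Doe"   # overwrite the name
    out["communication_allowed"] = False                  # stop communication
    out["erased"] = True
    return out

def residual_pii(record, original):
    """Identifying fields still equal to the original person's values.
    A non-empty list means the record was only soft-deleted, not erased."""
    return [f for f in IDENTIFYING if record[f] == original[f]]

def restore_backup(backup_records, erasure_log):
    """Danish DPA point on backups: records whose ids appear in the erasure
    log must be anonymized again on restore instead of being revived."""
    return [anonymize(r) if r["id"] in erasure_log else r
            for r in backup_records]
```

Running `residual_pii` over a soft-deleted record is the follow-up check the Danish guide asks for: it lists every field that still identifies the person.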

Enforcement is increasing under the EU-US Privacy Shield Framework for cross-border transfers of personal data. A report published by the European regulator, the European Data Protection Board (EDPB), lists enforcement initiatives by the Department of Commerce (DoC) and the FTC.

  • On a quarterly basis the DoC conducts “false claims reviews” to identify organizations that have started but not finished an initial or re-certification or that did not submit their annual recertification.
  • The DoC performs random web searches for false claims of participation in the program.
  • The DoC performed a sweep of 100 randomly chosen organizations.
  • The DoC designated a person to follow the media and to do keyword searches to identify possible breaches of the Privacy Shield commitment.
  • The DoC performs regular checks for broken links to the privacy policy on the Privacy Shield list.
  • This year the FTC brought 5 new Privacy Shield cases.
  • The FTC investigates Privacy Shield-related referrals (approximately 100).
  • The FTC started to send Civil Investigative Demands (CIDs) proactively to monitor compliance with the Privacy Shield principles.

Details in the Second Annual Joint Review.

Key takeaways from the European Commission (EC) decision holding Japan as providing adequate protection to personal data:

  • Japan ensures an adequate level of protection for personal data transferred from the EU to Japan pursuant to the Japanese Act on the Protection of Personal Information (APPI), as complemented by the stricter Supplementary Rules and by official representations, assurances and commitments received from Japan.
  • The Personal Information Protection Commission (PPC) is empowered to adopt “Guidelines” for the actions to be taken by a business operator under the data protection rules.
  • To comply with the Supplementary Rules, Japanese business operators receiving and/or further processing personal data from the EU need to ensure, by technical (“tagging”) or organisational (storing in a dedicated database) means, that they can identify such personal data throughout its “life cycle.”

Excluded from the adequacy decision are:

  • broadcasting institutions, newspaper publishers, communication agencies or other press organisations
  • professional writers
  • universities and academic institutions
  • religious bodies
  • political bodies

Read the full text of the decision.