The International Organization for Standardization (ISO) published a standard for companies to implement personal information management systems (PIMS). The ISO’s guidance aims to assist businesses with compliance goals and further the emphasis on personal data protection.

In the wake of the detailed privacy framework requirements of the recent FTC Facebook settlement and the California Consumer Privacy Act’s (CCPA) upcoming effectuation, this standard may help establish a benchmark for companies to establish and maintain a privacy framework.

Read the ISO standard here.

A web developer study shows that when a cookie banner allows users to refuse cookies, 50 percent of users choose this option and subsequently refuse all third-party services.

However, when this choice is not available, we end up with a cookie acceptance rate between 90 and 98 percent via site users clicking the “I accept” button.

In either scenario, only 2-4 percent of users click to read the privacy notice of the relevant website.

A notable trend emerges: users typically select the faster and more comfortable option when facing consent notifications, which can lead to uninformed decisions about personal data privacy.

Read more about the study.

Privacy notices are required under the European Union’s General Data Protection Regulation even if your data processing is video surveillance/CCTV.

The Romanian Data Protection Authority issued a fine against a company for failing to provide adequate notice of data processing in connection with CCTV video surveillance in violation of Article 12 of the GDPR.

Full text of the opinion.

The UK Information Commissioner’s Office (ICO) has joined data protection authorities from around the world in calling for more openness about the proposed Libra digital currency and infrastructure.

Per the letter:

  • The ambition to change the online payments landscape must work in tandem with people’s privacy expectations and rights.
  • Facebook’s involvement is particularly significant, as there is the potential to combine Facebook’s vast reserves of personal information with financial information and cryptocurrency, amplifying privacy concerns about the network’s design and data sharing arrangements.

Key issues to check:

  • Robust measures to protect data, including:
    • Sufficient disclosure, including the use of profiling and algorithms, and the sharing of personal information
    • Privacy-protective default settings
    • Collection of the minimum amount of data
    • Adequate measures to protect the data
    • Simple procedures for exercising rights
  • Privacy by design
  • Compliance by all processors
  • DPIAs
  • Uniformity of data protection standards
  • Data sharing and prevention of re-identification

Read the full text of the letter.

Sen. Dianne Feinstein (D-Calif.) introduced a bill on Wednesday that would limit the use of voter data by political campaigns.

The legislation is being touted as the first bill “directly responding to Cambridge Analytica.”

Feinstein’s Voter Privacy Act seeks to give voters more control over the data collected on them by political campaigns and organizations.

Under the legislation, voters would be allowed to access that data, ask political campaigns to delete it and instruct social media platforms like Google and Facebook to stop sharing personal data with those political entities.

“Political candidates and campaigns shouldn’t be able to use private data to manipulate and mislead voters,” Feinstein said in a statement. “This bill would help put an end to such actions.”

Feinstein’s bill would not apply to information obtained from voter registration databases, which are publicly available. But it would apply to a swath of sensitive data including Social Security numbers, personal property records, biometric information like DNA, browsing history, geolocation data, health information, education data and more.

Details from The Hill.

Under the Bahrain Personal Data Protection Law (PDPL), which came into effect on August 1, 2019, organizations need to obtain consent from customers in order to collect, process, store and use their personal information for commercial purposes.

Personal data refers to an individual’s smart card number or mobile phone number, along with sensitive personal information such as race, ethnicity, political views, religious beliefs, union affiliation, criminal record or any data related to health matters.

The new law was due to come into force on August 1; however, no official announcement was made in advance about the implementation or the setting up of the Personal Data Protection Authority, which will be tasked with regulating the sector and investigating violations.

The PDPL applies to those living and working in Bahrain, local businesses, and people who do not reside in Bahrain but have their data processed from Manama. The law stipulates severe penalties for non-compliance, including criminal liability, with up to one year in prison and/or a fine of between BD1,000 and BD20,000.

Details from Zawya.

A bipartisan pair of senators has drafted a data privacy bill that would give the Federal Trade Commission more enforcement tools, while preempting state laws.

Sens. Jerry Moran (R-Kan.) and Richard Blumenthal (D-Conn.) are now writing their own bill in a bid to see if they can attract the support of other lawmakers as the August recess looms. Sen. Maria Cantwell (D-Wash.) is circulating a legislative framework of her own.

Details from Bloomberg News.

The Higher Regional Court of Cologne, Germany, has held that internal recorded statements, conversation notes and telephone notes constitute personal data, and that copies of them must be disclosed in response to a data access request.

The court also held that:
  • The information is not a trade secret, since claims made by the plaintiff against his insurance company cannot be protected against the plaintiff as a business secret.
  • It is not economically impossible for data controllers to provide this information. Data controllers who use electronic data processing should organize it as required by law, and in particular ensure that data protection and the resulting rights of third parties are taken into account.
  • The duty to refrain from infringing upon the rights of third parties when producing information as part of a data access request does not prevent the disclosure of such notes.

Read the full court decision.

A complaint by public interest organization “NOYB” against media streaming services shines a spotlight on the GDPR’s right of “data subject access.”

While some aspects are GDPR-specific, much of the complaint provides insight into how to properly structure your access request process under the California Consumer Privacy Act (CCPA).

Read the full analysis.

The Belgian Data Protection Authority holds that a Data Protection Officer (DPO) may not himself/herself delete personal information of a data subject.

Doing so constitutes a violation of the General Data Protection Regulation’s prohibition of conflicts of interest for the DPO (Article 38(6) of GDPR).

Rather, all decisions regarding the processing must be taken by the data controller, in consultation with the DPO. Per Articles 38 and 39 of the GDPR, the DPO’s role is to “inform and advise” and “monitor compliance,” as well as to “act as the contact point for the supervisory authorities” and for data subjects. However, any decisions regarding data processing, including deletion of data, must be made by the data controller.

Read the full text of the opinion.