The Regulation on the free flow of non-personal data went into effect on May 28, 2019.

In a new guidance, the European Commission clarifies how to deal with mixed data sets containing both personal data and non-personal data.

Key takeaways:

  • Non-personal data is (1) data which originally did not relate to an identified or identifiable natural person, OR (2) data which were initially personal data, but were later made anonymous.
  • If non-personal data can be related to an individual in any way, the data must be considered personal data. For example, if a quality-control report on a production line makes it possible to relate the data to specific factory workers (e.g. those who set the production parameters), then the data would qualify as personal data.
  • A mixed data set consists of both personal and non-personal data. For example, a research institution’s anonymized statistical data together with the raw data initially collected.
  • GDPR applies to the personal data part of the mixed data set. If the non-personal data part and the personal data part are ‘inextricably linked’, GDPR protection will fully apply to the whole mixed data set.
  • Read the full text of the guidance.

The EU-U.S. Privacy Shield is in the line of fire, again.

“A legal challenge to the EU-U.S. Privacy Shield, a mechanism used by thousands of companies to authorize data transfers from the European Union to the U.S., will be heard by Europe’s top court this summer. The General Court of the EU has set a date of July 1 and 2 to hear the complaint brought by French digital rights group, La Quadrature du Net, against the European Commission’s renegotiated data transfer agreement which argues the arrangement is still incompatible with EU law on account of U.S. government mass surveillance practices.”

“La Quadrature du Net is a long time critic of Privacy Shield, filing its complaint back in October 2016 — immediately after Privacy Shield got up and running. It argues the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data.”

Details from TechCrunch.

GDPR Enforcement is coming says French data protection authority, CNIL.

“According to the head of France’s data protection authority, the period of relative tolerance following the introduction of the General Data Protection Regulation (GDPR) is now over.”

“Going forward, any company that has yet to comply with the rules should expect tough scrutiny and, failing changes, the threat of financial penalties of up to 4 percent of their global annual turnover,” warned Marie-Laure Denis, who leads France’s Commission Nationale de l’Informatique et des Libertés (CNIL).

“If the CNIL was relatively tolerant over the course of last year, a transition year, we consider that it’s now up to companies to be compliant in terms of data protection,” Denis said.

Denis acknowledged…the slow pace of enforcement.

“You might say that the car is not going fast enough — but it’s moving, with a mechanism that is different from the one it had before, and we’re several parties behind the wheel. So while it’s not abnormal that we’ve yet to see results [from cooperation on GDPR cases], we need to see them.”

Details from Politico Pro.

“Organisations in Singapore are now expected to take no more than 30 days to complete an investigation into a suspected data security breach and notify the authorities of the incident 72 hours after completing their assessment. These are part of new guidelines to help companies manage data breaches more effectively and are expected to be included in the upcoming amendment of the country’s data protection act.”

Businesses are expected to notify authorities if a breach affects more than 500 individuals or where “significant harm or impact” to the individuals is likely to occur due to the breach.

Data intermediaries also should report potential data breaches to their parent organization within 24 hours from when they first identify a suspected incident. “While these are just guidelines for now, with no regulatory repercussions, the commission said organisations in Singapore should make the required changes to facilitate detection as breach notification would be made mandatory as part of the upcoming amendments to the Data Protection Act.”

Details from ZDNet.

Canada has introduced a Digital Charter that will entail considerable changes to its privacy law, PIPEDA.

The principles are:

  1. Universal Access: equal opportunity to participate in the digital world and the tools to do so.
  2. Safety and Security: rely on the integrity, authenticity and security of services and feel safe online.
  3. Control and Consent: control over how and why data is shared and used.
  4. Transparency, Portability and Interoperability: clear and manageable access to data and freedom to share or transfer it.
  5. Open and Modern Digital Government: access modern digital secure government services.
  6. Level Playing Field: fair competition in the online marketplace.
  7. Data and Digital for Good: ethical use of data to create value, promote openness and improve lives.
  8. Strong Democracy: defend freedom of expression and protect against online threats and disinformation.
  9. Free from Hate and Violent Extremism: digital platforms will not foster or disseminate hate, violent extremism or criminal content.
  10. Strong Enforcement and Real Accountability: clear, meaningful penalties for violations of the laws and regulations that support these principles.

Get full details from the Canadian Government.

“The game-changing rules [of GDPR] have not only made Europe fit for the digital age, they have also become a global reference point,” say Andrus Ansip, Vice-President for the Digital Single Market and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality.

“The main aim of the rules has been to empower people and help them to gain more control over their personal data. This is already happening as people are starting to use their new rights and more than two-thirds of Europeans have heard of the regulation.”

“Also, companies now benefit from one set of rules applying throughout our Union. They have put their house in order when it comes to data, which led to increased data security and a trust-based relationship with their clients.”

“The new law has become Europe’s regulatory floor that shapes our response in many other areas.”

“The principles of the GDPR are also radiating beyond Europe. From Chile to Japan, from Brazil to South Korea, from Argentina to Kenya, we are seeing new privacy laws emerge, based on strong safeguards, enforceable individual rights, and independent supervisory authorities.”

Read the EC’s press release.

“European Union privacy regulators are ramping up enforcement of the General Data Protection Regulation as the bloc’s comprehensive privacy regime heads into its second year,” write Bloomberg’s Sara Merken and Daniel R. Stoller Esq.

What businesses “can expect in 2019 is the transition from the warning authority that explains things and conducts campaigns, to also the enforcement authority that intervenes where necessary,” said Aleid Wolfsen, the Dutch privacy chief.

“EU privacy officials are ‘a serious enforcement community with real powers,’ said Giovanni Buttarelli, the European Data Protection Supervisor. Multinationals in the EU need to take responsibility for the data they process and profit from, whether or not they have proper consent, Buttarelli said.”

Read the full article in Bloomberg Law.

“The ad tech sector was and will continue to be a focus for the Irish Data Protection Commissioner due to concerns regarding profiling, particularly using sensitive data, the use of location data, and lack of lawful bases for or individual awareness of processing.”

Additional key takeaways from the IAPP white paper on the first year of GDPR include:

“The UK Information Commissioner’s Office cited fairness as an overriding theme in its investigations and enforcement actions, noting inquiries into unfair processing and lack of transparency. In terms of priorities moving forward, the Commissioner said the ICO is looking at data brokers, the processing of children’s data, and ad tech.”

Per Giles Watkins, IAPP UK country leader: “There is only a limited time for organizations to put their houses in order before the commissioner does revert to the enhanced penalty regime, with potential enforcement actions perhaps being even more significant to businesses than the monetary fines.”

Per Paul Jordan, Managing Director of IAPP Europe, we should: “Expect enhanced frequency of activity in 2019 … both at the member state level and through the EDPB. Any grace period afforded truly at an end.”

Read the full report.

“Privacy Commissioner of Canada Daniel Therrien believes the question about whether privacy legislation should be amended is in the past. It is no longer should the country’s privacy laws be amended, but what is the best way to do so, and with the announcement of the country’s Digital Charter, the commissioner said the federal government seems to agree.”

“‘A revamped privacy law should remain tech neutral, principle based and crafted in a manner to keep it from going out of date,’ Therrien said.”

Therrien added that his office now plans to focus on how to approach cross border data flows in the short term under current law but also in the long-term under future legislation.

“‘Change is coming to Canada,’ he said, ‘and the goal is to find the best way to allow Canadians to participate in the digital economy with the confidence that their rights will be upheld.’”

Details from the International Association of Privacy Professionals.

“For those who will for the first time be facing consumer data access requests under the CCPA, my advice is to get started now building automated systems when possible and human teams that can help you gather data and respond to requests in a timely manner because it takes longer and is more difficult than you might think,” says Rita Heimes of the IAPP, discussing experiences and lessons learned after one year implementing GDPR compliance.

Read Rita’s full piece for the International Association of Privacy Professionals.