Several initiatives signal big changes for the regulation of privacy in China in 2019, reports the International Association of Privacy Professionals (IAPP).

  • End of bundled consent: Controllers are required to provide a privacy notice in intelligible, clear and concise wording and to obtain freely given consent from data subjects. The bundled consent, or “take-it-or-leave-it” approach, is outright discouraged. This is pursuant to a January 25, 2018 joint announcement by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation.
  • Opt out from behavioral advertising: App operators are encouraged to provide an opt-out mechanism for online behavioral advertisement or personalized recommendations, as well as displays for news, feeds or advertisement.

Other provisions deal with cybersecurity requirements for apps and services.

Details from the IAPP.

Local data protection representative – the South Korea version.

“South Korea updated its Act on the Promotion of IT Network Use and Information Protection (Network Act) in December 2018. Starting March 19, the law will require digital communications providers who deal with South Korean data but who have no physical presence in the country to establish a domestic representative to deal with data protection issues.” – Bloomberg reports.

South Korea is also introducing proposed amendments to its Personal Information Protection Act. These steps are part of South Korea’s bid to secure an adequacy declaration from the EU that would allow for easier transfers of information from the EU to South Korea. Japan was recently granted such adequacy status by the EU.

Details from Bloomberg.

What’s in store for CCPA?

Narrower definitions? Broader private right of action? Increased funding?

All were discussed at a hearing regarding the California Consumer Privacy Act (CCPA) held at the California State Assembly in Sacramento, CA.

Supervising Deputy Attorney General on Consumer Protection Stacey Schesser indicated that her office would seek to expand the private right of action provision within the CCPA. Schesser also indicated to the lawmakers that the Attorney General will be asking for increased funding to help the office enforce the CCPA.

At the hearing, representatives from the California Chamber of Commerce, California Retailers Association, American Civil Liberties Union and independent academics and researchers, among others, voiced concerns about the CCPA, including the broad definitions of the terms “personal information” and “consumer”.

Details from the International Association of Privacy Professionals.

To better position themselves for foreign trade, on the heels of the EU General Data Protection Regulation (GDPR), many countries in the Asia Pacific are tweaking, implementing or developing their own privacy laws.

  • Japan – was recently granted adequacy status by the EU for its privacy protection regime.
  • South Korea – is still in discussion stages for such an adequacy decision.
  • India – is finalizing a standalone data protection bill.
  • Thailand and Indonesia – are targeting their draft personal data protection bills to be passed this year.

Indonesia has been deliberating a draft personal data protection bill since 2015, but it keeps getting pushed back due to lack of prioritization. It remains to be seen if the push from the Communication and Information Ministry to get the bill passed before the April presidential and legislative elections will bear fruit.

Information from The Jakarta Post.

Show me the money and I’ll show you my data.

“How much would you charge a marketer to use your personally identifiable information for general advertising purposes?”

About 60 percent of 2,000 U.S. adults polled in November 2018 were willing to share personal data for a price. A majority (57 percent) said it was worth a minimum of $10, while 43 percent valued it at less than $10 (28 percent) or would share it without compensation (15 percent).

The higher the income, the more likely they were to want more for their data.

This trend in how individuals regard their data may become even more interesting in the coming year as the California Consumer Privacy Act (CCPA), which will come into effect in 2020, allows companies to provide individuals with financial incentives for their information if certain conditions are met.

Details on the survey from MarTechToday.

The U.S. Government Accountability Office recommends that Congress consider comprehensive federal internet privacy legislation.

Issues that should be considered include:

  1. Which agency or agencies should oversee Internet privacy.
  2. What authorities an agency or agencies should have to oversee Internet privacy, including notice-and-comment rulemaking authority and first-time violation civil penalty authority.
  3. How to balance consumers’ need for Internet privacy with industry’s ability to provide services and innovate.

Click here to view the formal notice.

Sorta, kinda, immutable.

Turns out the blockchain CAN get hacked, and changed.

On a blockchain, a miner who somehow gains control of a majority of the network’s mining power (a so-called “51% attack”) can defraud other users by sending them payments and then creating an alternative version of the blockchain in which the payments never happened.

For popular blockchains, attempting this sort of heist is likely to be extremely expensive. But the price gets more manageable for smaller chains and thus 51% attacks are becoming more popular.

Blockchains are also vulnerable to additional security weaknesses in the form of “smart contract bugs”. Solutions are currently being developed in the form of:

  • monitoring of transactions to detect suspicious activity
  • scanning smart-contract code for known vulnerabilities
  • auditing services based on an established computer science technique called formal verification

Details from the MIT Technology Review.

Privacy compliance as a competitive differentiator: 97% of 3,200 companies surveyed say they are receiving auxiliary benefits today from their data privacy investments, beyond just meeting compliance requirements.

Benefits cited include:

  • greater agility and innovation
  • competitive advantage versus competition
  • operational efficiency
  • investor appeal
  • less costly data breaches
  • for companies that had undergone GDPR compliance work, breaches are said to have included fewer records, been shorter in duration and led to a smaller financial impact
  • fewer sales delays

Details from the International Association of Privacy Professionals.

Will the California Consumer Privacy Act serve as a blueprint for a federal privacy law or for a patchwork quilt of state privacy laws?

As states have been commencing legislative proceedings and as proposals for a federal privacy law are being formulated, the following seem to be principles that most agree should be included in a privacy law in the U.S.:

  • Banning some practices, including using data to discriminate against users.
  • Giving people the right to sue over misuse.
  • Giving people ownership rights in their data including the right to delete it, change it or take it back.
  • Requiring companies to be more transparent about how they use data and collect consumers’ consent, with some exceptions.

A point of contention is whether or not a federal U.S. privacy law should completely preempt (invalidate) state privacy laws (or whether they should continue to be binding if stricter than the federal law).

Details from the San Francisco Chronicle.

New Jersey follows in California’s footsteps with legislative initiatives on privacy.

The main proposed law (bill A-4902) will require commercial websites and online service operators to give customers:

  • a description of the personal information collected
  • a way to prevent the disclosure of personal information to third parties
  • a description of the information
  • an email address or phone number for requesting information
  • upon request from an individual, information on all disclosures of his data within the past year
  • a “Do Not Sell My Personal Information” link to a page that would allow customers to opt out of the disclosure of their personal data

Here’s what the chairman of the state’s Assembly Science, Innovation and Technology Committee has to say about the legislation:

“Should this happen at the federal level? Absolutely. We would want to see these protections at the federal level, but we are not seeing that … Until they do, New Jersey is going to do everything we can to protect New Jersey residents,” said Assemblyman Andrew Zwicker (D-Middlesex), who chairs the committee and is sponsoring four of the bills on the agenda. Additional bills cover GPS data, student data and cybersecurity.

Details from NJ Spotlight.