IF Brexit AND Privacy Shield THEN (amend privacy notice).

If you use the EU-U.S. Privacy Shield mechanism to transfer Personal Data from the UK to the U.S., you will need to amend your privacy disclosure to state specifically that your commitment extends to personal data received from the UK in reliance on Privacy Shield, according to new FAQs on the Privacy Shield website.

In case of a “no-deal Brexit,” you will need to make the amendments by March 29, 2019.

In case of a “soft Brexit,” you will need to make the amendments by December 31, 2020 (the end of the “transition period”).

Sample language provided on the site is: “(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield… ”

Details from Privacy Shield.

The Irish Data Protection Commissioner (DPC) has launched a public consultation on children and data protection issues.

The consultation will have two streams: one aimed at adult stakeholders, and the other aimed directly at children and young people.

To support the second stream, the DPC has created a lesson plan on personal data and data protection rights, which will help teachers to teach their students about basic data protection rights and to collect the opinions and views of their students.

Some questions in the public consultation are:

  • How should organizations convey information to children in a manner they easily understand?
  • At what age and under what circumstances should kids be able to file an access or erasure request?
  • When should parents be able to file an access or erasure request for their children’s information?
  • What methods should be used to verify that a child is 16 or over?
  • What methods should online service providers use to ensure that the person providing consent is actually the holder of parental responsibility over the child?
  • Should organizations be prohibited from profiling children for marketing purposes?

Read the details here.

A Data Protection Impact Assessment (DPIA) is a process, required by the EU General Data Protection Regulation (GDPR), to help identify and minimize the data protection risks of a project.

The UK Information Commissioner’s Office (ICO) has published new guidance on DPIAs.

Per the guidance, you are required to do a DPIA if you plan to:

  • use innovative technology (in combination with any of the criteria from the European guidelines);
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric or genetic data (in combination with any of the criteria from the European guidelines);
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”);
  • track individuals’ location or behavior;
  • profile children or target marketing or online services at them;
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Read the full guidance.

In its second annual review, the European Commission notes that the Privacy Shield scheme provides adequate protection for personal data but improvements are still in order.

Highlights include:

  • Since the first annual review, the Department of Commerce (DOC) referred more than 50 cases to the Federal Trade Commission (FTC), to take enforcement action where necessary.
  • New tools have been adopted to ensure compliance with Privacy Shield Principles including: spot checks, monitoring public reports about Privacy Shield participants, quarterly checks of companies flagged as potentially making false claims and issuing subpoenas to request information from participants.
  • The US is to appoint a permanent Privacy Shield Ombudsperson no later than February 28, 2019, or the Commission will consider taking steps under the GDPR.
  • The Commission is monitoring the following areas to determine if sufficient progress has been made: (i) effectiveness of DOC enforcement mechanisms; (ii) progress of FTC sweeps; and (iii) appointment and effectiveness of complaints handling by the Ombudsperson.

Read the full report.

The UK Information Commissioner’s Office (ICO) has issued new guidance on the liabilities of Controllers and Processors, advising that the Controller is responsible for assessing whether its Processor is competent to process personal data in line with the GDPR’s requirements.

  • The assessment by Controller should take into account the nature of the processing and the risks to data subjects.
  • Some considerations:
    1. the extent to which the Processor complies with industry standards, if applicable
    2. whether the Processor has sufficient technical expertise to assist the Controller, e.g. in carrying out obligations under Articles 32-36 of the GDPR (technical measures, breach notifications and DPIAs)
    3. providing Controller with relevant documentation, e.g. privacy, record management and information security policies
    4. adherence to an approved code of conduct (when available)
  • Controllers should continue to monitor a Processor’s compliance, with frequency and methods used to audit compliance depending on the circumstances of the processing.

Read the full guidance.

The UK Information Commissioner’s Office (ICO) has issued several new guidance documents on Data Controllers, Data Processors and the interaction among them.

Key points of the Contracts guidance include:

  • Whenever a controller uses a processor, there must be a written contract (or other legal act) in place.
  • If a processor uses another organization (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.
  • The contract is important so that both parties understand their responsibilities and liabilities.
  • The GDPR sets out what needs to be included in the contract; the required terms are listed in Art. 28 of the GDPR.

Key points of the Controller/Processor guidance include:

  • Your obligations under the GDPR vary depending on whether you are a controller, joint controller or processor.
  • The key question is: who determines the purposes for which the data are processed and the means of processing?
  • If specialist service providers (e.g. accountants) are processing data in line with their own professional obligations, they will be acting as the controller.
  • Joint controllers decide the purposes and means of processing together.
  • Processors act on behalf of the relevant controller and under their authority. They serve the controller’s interests.
  • If you are a processor, as soon as you process personal data outside your controller’s instructions, you will be acting as a controller for that element of your processing.
  • Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities for complying with the GDPR. The main points of this arrangement should be reflected in the privacy notice.

For your GDPR compliance: Have a plan. Try your best. Embrace privacy.

UK Information Commissioner Elizabeth Denham spoke recently in New Zealand about data breaches and the state of the EU General Data Protection Regulation (GDPR) after six months.

Key takeaways included:

  • “EU data protection regulators [are] going to prioritize …enforcement activity towards those bad actors who are a direct threat to EU residents. Companies who are trying their best to comply with the rules and are cooperating with EU regulators can expect to engage the advisory and warning end of our toolkit rather than the 4 percent of global turnover fines.”
  • If, within the 72-hour time limit, you have no clue as to the who, the what or the how of a breach, then you do not have the required accountability data checks and balances in place.
  • Since the GDPR went into effect, there have been more complaints from the public – an increase to 19,000 from 9,000 in a comparable six-month period – and more breach reports: over 8,000 since the end of May, when reporting became mandatory in some high-risk circumstances.
  • “Businesses that embrace a commitment to strong privacy protection will be the ones to flourish”.

Read the full text of the speech on the ICO’s website.

If at first they don’t consent, try, try again?

A new form of privacy fraud further complicates the relationship between the Ad Tech industry and GDPR.

As Ad Tech vendors struggle to comply with the strict requirements of the EU General Data Protection Regulation (GDPR), especially around obtaining freely given, specific, informed and unambiguous user consent for the use of personal data, a new form of privacy fraud called “consent string fraud” has been detected.

What is a GDPR consent string? This is “a series of numbers added to an ad bid request, which identifies the consent status of an ad tech vendor. That means whether or not they have a user’s consent to use their data in order to serve them personalized advertising.”

What is consent string fraud? In this practice, companies (whether knowingly or mistakenly) tamper with the consent string, changing a “0” (no user consent) to a “1” (user consent given) so that downstream vendors believe they may process the user’s data.

CPO Magazine has more details.
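The following Python example is added here to make the mechanics concrete; it is not code from the page, from CPO Magazine, or from any ad tech vendor. It models a deliberately simplified consent string (one bit per vendor ID behind a two-byte vendor count, base64url-encoded) rather than the real IAB TCF encoding, shows what flipping a vendor’s bit from 0 to 1 does to the decoded consent, and shows how an HMAC issued by the consent management platform (CMP) lets a downstream party detect that the string it received is not the one the user produced. The bit layout, the `cmp_key` and the HMAC check are all assumptions for illustration.

```python
import base64
import hashlib
import hmac

# Constructed, simplified consent-string model (NOT the IAB TCF format):
# [2-byte vendor count][one bit per vendor, 1 = consented, 0 = not consented],
# base64url-encoded the way a bid request would carry it.


def encode_consent(consented_vendor_ids, num_vendors):
    """Build a consent string for vendors 1..num_vendors (1-based IDs)."""
    bits = "".join("1" if v in consented_vendor_ids else "0"
                   for v in range(1, num_vendors + 1))
    bits += "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    payload = int(bits, 2).to_bytes(len(bits) // 8, "big")
    raw = num_vendors.to_bytes(2, "big") + payload
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_consent(consent_string):
    """Return {vendor_id: bool} as a downstream vendor would read it."""
    raw = base64.urlsafe_b64decode(consent_string)
    num_vendors = int.from_bytes(raw[:2], "big")
    payload = raw[2:]
    bits = bin(int.from_bytes(payload, "big"))[2:].zfill(len(payload) * 8)
    return {v: bits[v - 1] == "1" for v in range(1, num_vendors + 1)}


def forge_consent(consent_string, vendor_id):
    """What consent-string fraud does: set the vendor's bit to 1 without asking the user."""
    raw = bytearray(base64.urlsafe_b64decode(consent_string))
    byte_index = 2 + (vendor_id - 1) // 8
    bit_mask = 0x80 >> ((vendor_id - 1) % 8)
    raw[byte_index] |= bit_mask
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


def sign_consent(consent_string, cmp_key):
    """Integrity tag the CMP attaches so later hops can detect tampering (our assumption)."""
    return hmac.new(cmp_key, consent_string.encode("ascii"), hashlib.sha256).hexdigest()


def verify_consent(consent_string, tag, cmp_key):
    """Constant-time comparison; False means the string was altered after the CMP signed it."""
    return hmac.compare_digest(sign_consent(consent_string, cmp_key), tag)


def demo():
    cmp_key = b"constructed-demo-key-do-not-use"  # hypothetical CMP secret
    # Constructed user choice: consented to vendors 1 and 3 out of 8, nobody else.
    original = encode_consent({1, 3}, num_vendors=8)
    tag = sign_consent(original, cmp_key)
    forged = forge_consent(original, vendor_id=5)  # vendor 5 flips its own 0 to 1
    return {
        "original_vendor5": decode_consent(original)[5],
        "forged_vendor5": decode_consent(forged)[5],
        "original_verifies": verify_consent(original, tag, cmp_key),
        "forged_verifies": verify_consent(forged, tag, cmp_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The decoded strings look equally legitimate to any vendor that only inspects the bits; the difference is only visible to a party that can check the string against what the CMP actually issued. In the real ecosystem that check would have to live in the CMP or in a transparency log rather than in the bid request itself, and the HMAC is our assumption, not a feature of the consent string format described above.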

The European Parliament Committee on Civil Liberties, Justice and Home Affairs has weighed in on blockchain with the following key points:

  • If you want to use a blockchain structure to handle personal data you need to specifically design the blockchain platform to support data sovereignty.
  • Personal data in the blockchain is generally not anonymous and GDPR obligations would apply; future blockchain applications should integrate mechanisms that ensure that data can be fully anonymous.
  • You should not process personal data on the blockchain until you are able to guarantee compliance with the GDPR, especially the rights to the rectification and erasure of data.
  • Blockchain users may be both data controllers, for the personal data that they upload onto the ledger, and data processors, by virtue of storing a full copy of the ledger on their own computer.
  • Because there are many copies of the data on the chain, blockchain is likely to be incompatible with the GDPR data minimization principle.
  • The European Commission and the Member States should fund research and innovation on new blockchain technologies that are compatible with the GDPR.

Read the full text of the European Parliament Committee on Civil Liberties, Justice and Home Affairs Opinion.

Keep your passwords close…and complex, and encrypted and unique, and ever-changing.

In the wake of recent data breaches involving passwords, the French data protection authority, the CNIL, has published guidelines for adequate passwords.

Some highlights include:

  • If you use a password as your sole method of authentication, it needs to be at least 12 characters consisting of uppercase letters, numbers and special characters.
  • If you use additional measures of protection, the password may be less complex.
  • A passphrase is better than a password, and the CNIL developed a tool for producing passwords from sentences.
  • Your authentication function must (i) use a public algorithm deemed strong and (ii) have a software implementation that is free of known vulnerabilities.
  • NEVER store passwords in cleartext.
  • Require and allow periodic renewal of passwords.

For details, see the full guidelines.
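The Python example below is added here to show how the CNIL points above translate into code; it is not from the page or from the CNIL. It checks a password against the “password as sole factor” thresholds the page quotes (12 characters with uppercase, digits and special characters), derives a password from a sentence in the spirit of the CNIL tool (first letter of each word plus the word’s punctuation, our own simplification), and stores and verifies passwords with a salted, iterated PBKDF2-HMAC-SHA256 hash rather than cleartext. The 600,000-iteration count, the relaxed 8-character minimum when a second factor is present, and the `pbkdf2_sha256$…` storage format are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

# Assumptions for this example (tune to your risk assessment and hardware):
MIN_LENGTH_SOLE_FACTOR = 12       # from the CNIL figure quoted above
MIN_LENGTH_WITH_SECOND_FACTOR = 8 # our assumption for the "less complex" case
PBKDF2_ITERATIONS = 600_000       # our assumption; aim for a noticeable delay per hash
SALT_BYTES = 16


def check_complexity(password, sole_factor=True):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    min_len = MIN_LENGTH_SOLE_FACTOR if sole_factor else MIN_LENGTH_WITH_SECOND_FACTOR
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sole_factor:  # character-class rules only apply when the password stands alone
        if not re.search(r"[A-Z]", password):
            problems.append("no uppercase letter")
        if not re.search(r"[0-9]", password):
            problems.append("no digit")
        if not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special character")
    return problems


def passphrase_to_password(sentence):
    """Derive a password from a memorable sentence: first character of each word,
    followed by any punctuation inside that word (a simplification of the CNIL tool)."""
    return "".join(w[0] + "".join(c for c in w[1:] if not c.isalnum())
                   for w in sentence.split())


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; never store the cleartext. Format: algo$iters$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored):
    """True when the stored hash uses weaker parameters than the current policy,
    so it can be upgraded at the user's next successful login or periodic renewal."""
    algo, iterations, _salt, _digest = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    # Constructed sample sentence; not a real user's password.
    pw = passphrase_to_password("My 2 cats, Tom & Jerry, ate 4 Big fish on Sunday!")
    print("derived:", pw, "problems:", check_complexity(pw))
    record = hash_password(pw)
    print("stored:", record)
    print("login ok:", verify_password(pw, record), "needs rehash:", needs_rehash(record))
```

PBKDF2 is used here because it ships in the Python standard library; where a library for scrypt or Argon2id is available, those are the better choice for new systems, and `needs_rehash` is the hook that lets you migrate existing records when you raise the parameters.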