General Data Protection Regulation (GDPR)

The UK Information Commissioner’s Office (ICO) has issued several new guidance documents on Data Controllers, Data Processors and the interaction among them.

Key points of the Contracts guidance include:

  • Whenever a controller uses a processor, there must be a written contract (or other legal act) in place.
  • If a processor uses another organization (ie. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.
  • The contract is important so that both parties understand their responsibilities and liabilities.
  • The GDPR sets out what needs to be included in the contract. This is reflected in Art. 28 of GDPR Controllers and Processors under GDPR

Key points of the Controller/Processor guidance include:

  • Your obligations under the GDPR vary depending on whether you are a controller, joint controller or processor.
  • The key question is: who determines the purposes for which the data are processed and the means of processing?
  • If specialist service providers (e.g. accountants) are processing data in line with their own professional obligations, they will be acting as the controller.
  • Joint controllers decide the purposes and means of processing together.
  • Processors act on behalf of the relevant controller and under their authority. They serve the controller’s interests.
  • If you are a processor, as soon as you process personal data outside your controller’s instructions, you will be acting as a controller for that element of your processing.
  • Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities for complying with the GDPR. The main points of this arrangement should be reflected in the privacy notice.

For your GDPR compliance: Have a plan. Try your best. Embrace privacy.

UK Information Commissioner Elizabeth Denham spoke recently in New Zealand about data breaches and the state of the EU General Data Protection Regulation (GDPR) after six months.

Key takeaways included:

  • “EU data protection regulators [are] going to prioritize …enforcement activity towards those bad actors who are a direct threat to EU residents. Companies who are trying their best to comply with the rules and are cooperating with EU regulators can expect to engage the advisory and warning end of our toolkit rather than the 4 percent of global turnover fines.”
  • If, within the 72-hour time limit, you have no clue as to the who, the what or the how of a breach, then you do not have the required accountability data checks and balances in place.
  • Since GDPR went into effect, there have been more complaints from the public – an increase to 19,000 from the previous 9,000  in a comparable six month period; and more breach reports – over 8,000 since the end of May when it became mandatory in some high risk circumstances.
  • “Businesses that embrace a commitment to strong privacy protection will be the ones to flourish”.

Read the full text of the speech on the ICO’s website.

If at first they don’t consent, try, try again?

A new form of privacy fraud further complicates the relationship between the Ad Tech industry and GDPR.

As Ad Tech vendors struggle to comply with the strict requirements of the EU General Data Protection Regulation (GDPR), especially around the acquisition of freely given, specific, informed and unambiguous user consent for the use of personal data – a new form of privacy fraud called “consent string fraud” has been detected.

What is a GDPR consent string? This is “a series of numbers added to an ad bid request, which identifies the consent status of an ad tech vendor. That means whether or not they have a user’s consent to use their data in order to serve them personalized advertising.”

What is consent string fraud? In this practice, companies (whether knowingly or mistakenly), tamper with the consent string, changing the “0” (no user consent) to a “1” (have user consent).

CPO Magazine has more details.

The European Parliament Committee on Civil Liberties, Justice and Home Affairs has weighed in on blockchain with the following key points:

  • If you want to use a blockchain structure to handle personal data you need to specifically design the blockchain platform to support data sovereignty.
  • Personal data in the blockchain is generally not anonymous and GDPR obligations would apply; future blockchain applications should integrate mechanisms that ensure that data can be fully anonymous.
  • You should not process personal data on the blockchain until you are able to guarantee compliance with the GDPR, especially the rights to the rectification and erasure of data.
  • Blockchain users may be both data controllers, for the personal data that they upload onto the ledger, and data processors, by virtue of storing a full copy of the ledger on their own computer.
  • Because there are many copies of the data on the chain, blockchain is likely to be incompatible with the GDPR data minimization principle.
  • The European Commission and the Member States should fund research and innovation on new blockchain technologies that are compatible with the GDPR.

Read the full text of the European Parliament Committee on Civil Liberties, Justice and Home Affairs Opinion.

Keep your passwords close…and complex, and encrypted and unique, and ever-changing.

In the wake of recent data breaches involving passwords, the French data protection authority, the CNIL, has published guidelines for adequate passwords.

Some highlights include:

  • If you use a password as your sole method of authentication, it needs to be at least 12 characters consisting of uppercase letters, numbers and special characters.
  • If you use additional measures of protection, the password may be less complex.
  • A passphrase is better than a password, and the CNIL developed a tool for producing passwords from sentences.
  • Your authentication function must (i) use a public algorithm deemed strong and (ii) have a software implementation that is free of known vulnerabilities.
  • NEVER store passwords in cleartext – require and allow periodic renewal of passwords.

For details, see the full guidelines.

Don’t store users’ passwords in cleartext. Really.

It’s not a good idea. Also, it may be deemed a ‘knowing violation’ of the EU General Data Protection Regulation (GDPR) requirement to adequately protect personal data.

That is one key takeaway from the GDPR enforcement action by the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg, Germany (LfDI), against social media company knuddels.de, after a data breach that impacted 800,000 knuddels.de users.

Other takeaways from the enforcement action include:

  • contact your data protection authority (DPA) directly and quickly after a breach
  • inform users immediately and comprehensively about the breach
  • cooperate with your DPA
  • improve your IT security after a breach, even if this requires a significant monetary investment (6 digits’ worth in this case).

Due to the above, the company received a relatively low fine of €20,000.

“As a DPA it is not important for the LfDI to compete for the highest possible fines. What counts in the end is the improvement of data protection and data security for the users concerned.” – says the head of the LfDI, Stefan Brink.

The IAPP has more on the decision.

Does the EU General Data Protection Regulation (GDPR) apply to me?

The European Data Protection Board (EDPB) published for public comment its much awaited guidelines on the extraterritorial effect of GDPR.

Some highlights include:

  • In some circumstances, the presence of one employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement for the purpose of GDPR scope if that employee or agent acts with a sufficient degree of stability.
  • A non-EU controller will not become subject to the GDPR simply because it chooses to use a processor in the Union.
  • A processor subject to GDPR is required to enter into an agreement containing the key requirements of Art 28 GDPR with its controller who is not subject to GDPR.
  • GDPR applies to people physically located in the Union at the time of the processing regardless of their citizenship or residence.
  • For Non-EU entities, intention to establish commercial relations with consumers in the Union must be manifested. Non-exhaustive factors include taking EU currency, using EU languages or an EU top level domain.
  • Monitoring behavior can be done on the internet or through wearable or smart devices. At issue will be the purpose for processing and any subsequent behavioral analysis or profiling. 

Read the full text of the guidelines.

Enforcement actions under the EU General Data Protection Regulation (GDPR) are coming to a theater near you in 2019.

At the IAPP Data Protection Congress, CNIL Director of Rights Protection and Sanctions Directorate Mathias Moulin, warns that the time for the GDPR’s transition “is coming to an end,” and that it’s “time for action” and there will be “teeth.”

The EDPB’s Andrea Jelinek and Irish Data Protection Commissioner, Helen Dixon, predict major GDPR-related fines will not come down the pike in 2018, but it’s safe to expect some fines in 2019.

Details from IAPP’s The Privacy Advisor.

Registration for the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders in major industries, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Many more businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help maintainn protected health information (PHI), personally identifiable information (PII) or other sensitive data. Learn the cutting edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement, including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corp and is a decorated combat veteran of Operation Desert Shield\Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing businesses.

Stay tuned for more agenda details. Registration is open.

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech eco-system, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.