German DPA releases findings of GDPR readiness audits of 50 organizations

The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).

Summary of findings in the Report

We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.

The Lower Saxony DPA has now summarized its findings of the audits. It has grouped the audited organizations based on a traffic light system:

  • Green (= mainly satisfactory): 9 organizations
  • Yellow (= some deficiencies): 32 organizations
  • Red (= major deficiencies): 8 organizations

The Report also highlights the GDPR compliance items that still raise the most and the least concerns:

  • Most deficiencies: IT security, data protection impact assessments (DPIA)
  • Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
  • Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability

Continue Reading

New requirements for Singapore banks to include provisions in service contracts on protection of customer data

On 4 November 2019, Singapore’s Parliament published a draft amendment to the Banking Act.

Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to:

(a) safeguard the confidentiality and integrity, and ensure the availability, of the banks’ information; and

(b) protect all customer information against unauthorised disclosure, retention, or use.

Where the service provider is a branch or office of the bank, specific provisions covering the above must be included in the branch or office’s policies and procedures.

Where the service provider is an external party, however, then the relevant provisions must be included in the contract between the bank and the provider.

Such policies and procedures, or contract, as the case may be, must also confer on the bank, the regulator (the Monetary Authority of Singapore or MAS), or an auditor appointed by the bank, the right to audit the books of the service provider to ensure that the above requirements have been complied with.

Continue Reading

EU–U.S. Privacy Shield: EU Commission issues its third annual review report

On 23 October 2019, the European Commission (the Commission) released its report on the third annual review of the functioning of the EU–U.S. Privacy Shield (Privacy Shield). The report summarises various improvements in the functioning of the framework, and further ‘concrete steps’ that need to be taken to ensure its continued effectiveness.

Background

The Commission’s Privacy Shield adequacy decision obligates the Commission to carry out annual reviews of the framework. To date, there have been two annual reviews (September 2017 and October 2018). The 2019 review took place in Washington D.C., with representatives from the Commission, European Data Protection Board (EDPB), and various U.S. government departments and offices in attendance. The Commission’s findings are divided between:

  • commercial aspects of the framework (compliance, administration, oversight, enforcement by U.S. authorities); and
  • aspects concerning public authorities’ access to personal data transferred under Privacy Shield.

We focus our discussion on the commercial aspects of the review.

Continue Reading

Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:

Continue Reading

AI Auditing Framework: data protection impact assessment

In March 2019, the Information Commissioner’s Office (ICO) released a Call for Input on developing the ICO’s framework for artificial intelligence (AI). The ICO simultaneously launched its AI Auditing Framework blog to provide updates on the development of the framework and encourage organisations to engage on this topic with the ICO.

On 23 October 2019, the ICO released the latest in its series of blogs (here). The blog outlines the key elements that organisations should focus on when carrying out a Data Protection Impact Assessment (DPIA) for AI systems that process personal data.

We have outlined below some of the key takeaways.

Continue Reading

Bipartisan social media data portability bill introduced in U.S. Senate

Social media users may soon be able to easily transfer their personal information to competing platforms. On October 22, 2019, a bipartisan group of U.S. senators (Mark R. Warner (D-VA), Josh Hawley (R-MO), and Richard Blumenthal (D-CT)) introduced the Augmenting Compatibility and Competition by Enabling Service Switching Act (ACCESS Act), a bill aimed at encouraging market-based competition among today’s major social media platforms by requiring the largest of these tech companies to allow users to move their data from one service to another.

The bill, should it become law, would be regulated and enforced by the Federal Trade Commission (FTC), and would require large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:

  • Make users’ personal data portable, by allowing users to retrieve and/or transfer their personal data in a structure and machine-readable format.
  • Maintain interoperability with other platforms, including competing companies.
  • Give users the ability to designate a trusted third-party service to manage their privacy, content, online interactions, and account settings.

Continue Reading

ICO blogs on AI and data subject rights

On 15 October 2019, the Information Commissioner’s Office (ICO) released the latest in its series of blogs on developing its framework for auditing artificial intelligence (AI). The blog (here) focuses on AI systems and how data subjects can exercise their rights of access, rectification and erasure in relation to such systems. Below, we summarise some of the key takeaways and our thoughts on the subject.

Rights relating to training data

Organisations need data in order to train machine learning models. While it may be difficult to identify the individual to whom the training data relates, it may still be personal data for the purposes of the General Data Protection Regulation (GDPR), and so will still need to be considered when responding to data subject rights requests under the GDPR. Provided no exception applies and reasonable steps have been taken to verify the identity of the data subject, organisations are obliged to respond to data subject access requests in relation to training data. The right of rectification may also apply but, as an individual inaccuracy is less likely to have a direct effect on an individual data subject that is part of a large data set, organisations should prioritise rectifying personal data that may have a direct effect on the individual.

Complying with requests from data subjects to erase training data may prove more challenging. If an organisation no longer needs the personal data as the machine learning model has already been trained, the ICO advises that the organisation must fulfil the request to erase. However, organisations may need to retain training data where the machine learning model has not yet been trained. The ICO advises that organisations should consider such requests on a case-by-case basis, but do not provide clarity on the factors organisations should consider.

Continue Reading

At odds no more: can regulatory collaboration bring innovation and data privacy closer together?

In July 2019, the UK’s Financial Conduct Authority (FCA) held a week-long Global Anti-Money Laundering and Financial Crime TechSprint (FCA TechSprint) event. The FCA TechSprint looked at ways to effectively combat financial crime and money laundering within the financial services industry. On 16 October 2019, the Information Commissioner’s Office (ICO) released a blog (here) that focuses on the lessons learnt from the FCA TechSprint.

Background

The FCA TechSprint brought together teams from all over the world to explore how encryption techniques known as privacy enhancing technologies (PETs) can facilitate data and knowledge sharing among financial institutions, regulators and law enforcement agencies to detect and prevent money laundering and financial crime, while remaining compliant with data protection and privacy laws.

The teams worked towards developing solutions to the following use cases:

  • how can a network of market participants use PETs and data analytics to interrogate financial transactions stored in databases within institutions to identify credible suspicions without compromising data privacy legislation?
  • how can market participants efficiently and effectively codify topologies of crime which can be shared and readily implemented by others in their crime controls?
  • how can a market participant check that the company or individual they are performing due diligence on has not raised flags or concerns within another market participant, and/or verify that the data elements they have for the company or individual match those held by another market participant?
  • how can technology be used to assist in identifying an ultimate beneficiary owner across a network of market participants and a national register?

ICO’s Regulators’ Business Innovation Privacy Hub was present at the FCA TechSprint to offer guidance on the data protection implications of implementing PETs.

Continue Reading

Guidance given on Singapore cross-border data transfer obligation for intermediaries and cloud providers

In Singapore, private sector organisations must generally comply with the transfer limitation obligation in the Personal Data Protection Act (the Act). Any transfer of personal data outside Singapore must be in accordance with the Act’s requirements, to ensure that a comparable standard of protection is accorded to that data.

However, where an organisation is a data intermediary, i.e., it processes personal data on behalf of and for the purposes of another pursuant to a written contract, that intermediary is not subject to the transfer limitation obligation, as specified in section 4(2) of the Act.

Continue Reading

IAB issues CCPA compliance framework for public comment

Given the vast challenges California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), poses for digital marketing, the Interactive Advertising Bureau (IAB) released for public comment a draft of its proposed Compliance Framework for Publishers & Technology Companies (the Framework) on October 22.

“Selling” and CCPA challenges for digital. Those who have been actively preparing for CCPA’s implementation on January 1 know by now that pursuant to section 1798.115(d) of the CCPA, a company that has personal information about a consumer may not onward “sell” (as defined in the CCPA) such information to another party without the consumer (1) having received explicit notice of the sale of the personal information and (2) being given the right to opt out pursuant to section 1798.120. Under the CCPA, even if consumers opt out of having their personal information sold, the information may be shared with third parties acting as “service providers” for limited purposes, but the party disclosing the personal information (that is, the “business”) is very specifically limited in its ability to use any data it received that is deemed “personal information.”

Current information sharing practices. Currently, in the programmatic advertising ecosystem, publishers may pass personal information about visitors to their website to downstream participants (the Downstream Participants) who then may pass such information on to others in the supply chain. These Downstream Participants include providers such as:

  • supply-side platforms (SSPs)
  • demand-side platforms (DSPs)
  • ad exchanges
  • ad networks
  • ad tech platforms
  • data management platforms (DMPs)

Downstream Participants also include the advertiser who ultimately purchases the ad, funds the ecosystem, and, in many cases, expects to have ready and trusted access to information associated with its advertising activity and consumer behavior in response to such advertising.

Continue Reading

LexBlog