3. Framework: Applicable Privacy Laws and Regulations Flashcards

1
Q

What elements of data protection laws overlap?

A
  1. Notice
  2. Choice and consent
  3. Purpose limitation
  4. Individual rights
  5. Retention limits
  6. Transfers
2
Q

What is the responsibility of data regulators?

A

Regulators enforce how personal information is collected and how data subjects are informed, and they uphold data subjects' right to decide how their personal data is used.

Many laws have penalties for noncompliance or allow for private right of action.

3
Q

What do new laws focus on?

A

The application of new technologies:

  1. Artificial intelligence
  2. Machine learning
  3. Data security measures and controls on new technologies such as quantum computing and AI/ML
  4. Handling personal data during pandemics
4
Q

What are omnibus laws?

A

Omnibus laws cover the collection and use of personal data in general, with perhaps increased protection and sensitivity required for certain categories of data, such as health or sexual orientation data.

5
Q

Who is subject to foreign data protection laws?

A

Anyone actively trying to solicit business in a country

6
Q

What are the commonalities among provisions among global privacy and data protection laws?

A
  1. Ensuring individual rights (access, correction, and deletion)
    AND
  2. Obligations (safeguarding data)

Other: contractual requirements, audit protocol, self-regulatory regimes, and marketplace expectations.

7
Q

When did the EU General Data Protection Regulation come into effect?

A

The EU Parliament and Council agreed on the GDPR in December 2016, and it has been enforceable since May 2018.

The GDPR was first proposed in 2012.

8
Q

What does the GDPR offer?

A

A framework for data protection with increased accountability for organizations, and its reach is extraterritorial.

9
Q

What is the first comprehensive privacy law introduced in the United States?

A

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and went into effect in January 2020.

10
Q

What does the CCPA achieve?

A

New privacy laws for Californians and significant new data protection obligations for businesses.

11
Q

How is the CCPA enforced?

A

The Office of the Attorney General.

12
Q

What was the intent of the California ballot initiative?

A

To provide additional protection to consumers through the California Privacy Rights Act (CPRA).

The CPRA will come into force on January 1, 2023, with a one-year look-back to January 2022.

13
Q

What is Brazil’s general data protection law?

A

Lei Geral de Proteção de Dados Pessoais (LGPD)

14
Q

When was the LGPD passed?

A

It was passed in August 2018 and went into effect in September 2020, though administrative sanctions could not be issued until August 2021.

15
Q

What is China’s first comprehensive information protection law?

A

The People’s Republic of China Personal Information Protection Law (PIPL)

16
Q

When was the PIPL enacted?

A

It was adopted in August 2021 and took effect in November 2021.

17
Q

Can China’s central government access data under the PIPL?

A

Some commercial aspects of the PIPL resemble the EU GDPR, with provisions mandating that companies exercise data minimization and obtain consent; however, the law does not prevent China’s central government from accessing data.

For companies doing business in China, fines for violations of the law can reach $7.7 million or up to 5% of the previous year’s business revenue.

18
Q

What industries have sectoral privacy laws?

A
  1. Health
  2. Finance
  3. Telecom
  4. Online
  5. Government
  6. Education
  7. Video
  8. Marketing
  9. Energy
  10. HR and Employment
19
Q

What are the required steps of a data transfer impact assessment (DTIA or TIA)?

A
  1. Map where the data is and where it is transferred to
  2. Identify the mechanisms used for the transfer
  3. Assess the effectiveness of transfer mechanisms
  4. Adopt additional safeguards as needed
  5. Ensure additional measures align with business requirements
  6. Monitor for ongoing compliance
20
Q

What questions should be included in transfer impact assessments?

A
  1. What is the likelihood of government access to the data?
  2. Is the data within the scope of intelligence and law enforcement activities?
  3. Are proper protective measures in place?
  4. What are the applicable privacy and security standards of the receiving country?
  5. What are the general human rights of the receiving country?
21
Q

What principles apply to data transfers?

A

Transparency and ‘surprise minimization’.

OPC: “Individuals should expect that their personal information is protected, regardless of where it is processed. Organizations transferring personal information to third parties are ultimately responsible for safeguarding that information. Individuals should expect transparency on the part of organizations when it comes to transferring to foreign jurisdictions”.

Check:

  1. Equivalent privacy protections
  2. Expectations of the individuals to whom the data pertains
22
Q

What should be considered when data is transferred to different jurisdictions?

A

Personal information access by national security agencies, law enforcement, and foreign courts.

Adjust the privacy program to the most stringent legal requirements to which the data processing is subject.

23
Q

What terms may differ from jurisdiction to jurisdiction?

A

Controller, processor, sensitive data, processing, and data transfer.

24
Q

How do you ensure that the privacy program aligns with business initiatives?

A

Business units must know and understand the goals and objectives of the privacy program and be part of the solution:

  1. Compliance should be baseline
  2. PbD, plus strategizing with business units to further the organization’s goals and help strike a balance
  3. Compliance creates an opportunity to simultaneously reevaluate and improve data management practices, such as data inventory and data access controls
  4. Compliance should be achieved with the least amount of business disruption
25
Q

How many tiers of fines are there under the GDPR?

A

Two, depending on the nature of the violation and whether the controller or processor committed any previous violations.

Tier 1: up to 20 million euros or 4% of total turnover, whichever is higher
Tier 2: up to 10 million euros or 2% of total turnover, whichever is higher

26
Q

Do all GDPR infringements lead to fines?

A

No. The Supervisory Authorities can also:

  1. Issue warnings and reprimands
  2. Impose a temporary or permanent ban on data processing
  3. Order the rectification, restriction, or erasure of data
  4. Suspend data transfers to third countries
27
Q

What are the penalties under the CCPA?

A

The Office of the Attorney General can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice.

Under private right of action, the fine can be from $100 to $750/incident/consumer.

28
Q

What was the value of the Facebook landmark settlement?

A

$5 billion for mishandling users’ personal information.

The FTC found that Facebook’s handling of user data violated a 2011 privacy settlement. The settlement resulted after Facebook was accused of deceiving people about how it handled their data.

29
Q

How do you get management to support and mature the privacy program?

A

Use examples of high-profile breaches suffered by other organizations and the fines associated with them.

30
Q

What type of penalties can oversight agencies issue?

A

Civil and criminal based on laws and regulations.