3. Privacy Frameworks, Laws & Regulations Flashcards

1
Q

Laws and Regulations Overview

A
  • Create a roadmap to determine where legal requirements overlap.
  • Fair Information Practices (FIPs) appear in various forms and applications; the OECD Guidelines are the most widely recognized.
  • Legal & Privacy should work directly with regulators to remain compliant.
2
Q

Data Controller vs Data Processor (GDPR)

A

Data Controller: A legal or natural person, agency, public authority, or other body which, alone or jointly with others, determines the purposes of processing personal data and the means of processing it.

Data Processor: A legal or natural person, agency, public authority, or other body which processes personal data on behalf of a data controller.

3
Q

CCPA/CPRA: What can consumers do?

A
  1. Opt Out of Sales and Sharing of PII
  2. Right to correct inaccurate PII
  3. Right to limit use and disclosure of PII
4
Q

CCPA/CPRA: What must businesses do?

A
  1. Provide disclosures to consumers, such as the categories of PII collected, the purpose for collection, and a description of consumers’ rights.
  2. Respond to consumer requests in a timely manner.
  3. Provide methods for submitting requests to know and requests to delete, and have a process to verify the identity of consumers attempting to exercise their rights.
  4. Provide a CCPA-compliant privacy policy or certain notices to consumers per the CCPA/CPRA privacy policy requirements.
  5. Provide two or more methods for submitting requests to opt out, including a clear and conspicuous “Do Not Sell My Personal Information” link on the website.
5
Q

International Data Transfers: 3 Options

A
  1. Adequacy Decision - adequate level of protection of personal data. “A conclusive decision that permits a data transfer across the EU borders without further authorization from the governing authority.”
  2. Appropriate Safeguards:
    - Standard Contractual Clauses
    - Codes of Conduct
    - Ad Hoc Contractual Clauses
    - International Agreements
    - Binding Corporate Rules (BCR)
  3. Derogations - The individual has explicitly consented after being informed of the risks of the transfers due to the absence of an adequacy decision and appropriate safeguards.
6
Q

Gramm-Leach-Bliley Act of 1999

A

Consumer financial services must explain their sharing of sensitive data.

7
Q

Brazil (LGPD)

A

Passed Aug 2018. Effective Aug 1, 2021

Penalty: 2% of revenue in Brazil, up to a maximum of 50m reais

8
Q

China Personal Info Protection Law:
Cybersecurity Law of the People’s Republic of China

Cyberspace Administration of China (CAC)

Data Security Law of the PRC
Personal Information Protection Law of PRC

A

Passed Aug 2021. Effective Nov 1, 2021

Penalty: 5% of the previous year’s revenue, or up to $7.7m

9
Q

GDPR Article 45

GDPR Article 46

A

GDPR Article 45 - Adequacy for countries

GDPR Article 46 - Transfers to non-adequate countries (BCRs or SCCs)
