9. Operations: Data Subject Rights Flashcards

1
Q

Who are data subjects?

A

Identified or identifiable individuals whose PI is being processed by an organization

2
Q

What are data subject rights?

A

They vary across jurisdictions and commonly include:

  1. Right to know how PI will be used
  2. Right to opt out of certain processing activities
  3. Rights of access, rectification, erasure and portability (see the GDPR and US state-law cards below)
3
Q

Who can place a data subject request (DSR)?

A

The data subject, or an authorized agent acting on their behalf. Under some laws and in some circumstances an organization (e.g., a processor or vendor) may also need to assist its customers in fulfilling DSRs.

4
Q

Do organizations need to inform data subjects about privacy practices?

A

Yes. Transparency is a critical requirement under most privacy laws.

5
Q

What is a privacy notice?

A

An external statement directed at data subjects; it is the tool used to describe the organization’s privacy practices to them.

6
Q

What is a privacy policy?

A

An internal document directed at employees and contractors that describes how the organization will handle PI.

7
Q

What is a common feature of a privacy notice and policy?

A

Both describe how personal information will be collected, used, shared, and stored.

8
Q

Does a privacy notice provide blanket protection from privacy litigation?

A

No. A privacy notice is a promise and if the organization breaks the promise or fails to adequately describe data processing activities, it can face litigation or regulatory action.

9
Q

Against which companies did the FTC initiate enforcement actions for deceptive privacy practices?

A

Google and its subsidiary YouTube, Facebook, and Snapchat.

10
Q

What are common elements of privacy notices?

A
  1. Who the organization is and contact information (privacy office or DPO)
  2. What information is being collected (directly or indirectly)
  3. How the organization will use the information
  4. With whom the organization will share the information
  5. An overview of applicable data subject rights and the process for exercising those rights
  6. How the information is protected and processed securely
  7. Under what circumstances the organization acts as a processor for other organizations
  8. How the behaviours of the website users are monitored
11
Q

What is a just-in-time notice?

A

A short notice delivered at the point of collection, immediately before the data is collected; it is typically one layer of a layered notice.

E.g., when a mobile application asks for permission to track location.

12
Q

When is a just-in-time notice a WP29 and a CCPA requirement?

A

WP29: When providing information at various points throughout the process of data collection

CCPA: When a business collects PI from customer’s mobile device for a purpose that the customer would not reasonably expect.

13
Q

What is a layered approach to notice?

A

A short, high-level summary (the top layer) that links to the detailed sections of the full privacy notice.

*The EDPB states in guidance that “layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise on one hand and understandable on the other.”

14
Q

When are QR codes useful in privacy notices?

A

When there is limited space to provide privacy notice (e.g. an internet of things device or mobile screens).

15
Q

What is a privacy dashboard?

A

It offers a summary of privacy-related information and metrics and is easy to access and navigate.

16
Q

What does a privacy dashboard ensure according to WP29?

A

That access and use of the dashboard is intuitive and helps to encourage users to engage with information.

17
Q

Do privacy notices solicit or imply consent?

A

No. A notice informs; where consent is needed it must be obtained separately through an affirmative act by the individual.

18
Q

What must be done when relying on consent?

A

Keep a legally admissible record that establishes what the individual consented to, when the consent was given, and that the individual actually agreed.

19
Q

Under the GDPR, other than consent, what other lawful bases are available to organizations for processing PI?

A
  1. Contract (Article 6(1)(b))
  2. Legal obligation (Article 6(1)(c))
  3. Vital interests (Article 6(1)(d))
  4. Public task or exercise of official authority (Article 6(1)(e))
  5. Legitimate interests (Article 6(1)(f))
20
Q

What are dark patterns?

A

Any interface designed to substantially subvert an end-user’s autonomy.

21
Q

Should consents be regularly reviewed?

A

Yes, and refreshed if necessary.

22
Q

What are the two central concepts of choice?

A

Opt-in - the individual must give an active, affirmative indication of choice before processing starts.

AND

Opt-out - processing proceeds by default and the individual must take an affirmative action to stop it (e.g. clicking an ‘unsubscribe’ link).

23
Q

What is Age Appropriate Design?

A

An ICO code that implements GDPR principles “in the context of children using digital services”.

24
Q

What rules does the ICO code for age-appropriate design establish?

A
  1. Not sharing geolocation data by default

AND

  2. Differentiating an offering based on child-users’ age
25
Q

What is a COPPA (US) requirement for information collected online from children under 13?

A

Organizations must obtain verifiable parental consent.

The law provides parents with:

  1. The right of access, modification, and deletion of their child’s PI

AND

  2. The opportunity to prevent and limit further collection and use of the child’s PI
26
Q

What did the OPC state regarding privacy notices directed toward children?

A

“For minors able to provide meaningful consent, consent can only be considered meaningful if organizations have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly.”

27
Q

What is the WP29 suggestion for consent obtained from children?

A

Vocabulary, tone and style of language is appropriate to and resonates with children.

*UN Convention on the Rights of the Child in Child Friendly Language - resource

28
Q

What is the age consent threshold under the GDPR?

A

16 (Article 8); however, individual member states may set a lower threshold, but not below 13.

29
Q

What is the COPPA purpose processing exemption?

A

Processing to support the operator’s internal operations, such as website maintenance and security.

30
Q

What privacy rights does the Fair Credit Reporting Act (FCRA) (US) grant to consumers?

A
  1. Rights with respect to how their consumer report data is used
  2. Access to all information a consumer reporting agency holds about them
  3. Requiring the consumer reporting agency to investigate disputed inaccurate information, generally within 30 days
  4. Removal of outdated negative information (e.g. civil suits, judgements and paid tax liens after 7 years, or after the statute of limitations has expired if longer)
  5. Removal of bankruptcies from credit reports after 10 years
  6. Notification from the financial institution before it submits negative information to a consumer reporting agency
  7. Written consent before an employer obtains a background check, and notice that the information in the background check may be used to make an employment decision
31
Q

What is the role of the Health Insurance Portability and Accountability Act (HIPAA) in the US?

A
  1. Regulates the use and disclosure of protected health information (PHI)

AND

  2. Provides individuals with rights relating to their PHI
32
Q

What are individual rights under HIPAA?

A

Individuals have the right to:

  1. Obtain a copy of their medical records (within 30 days)
  2. Have incorrect information amended and add information that is missing or incomplete (within 60 days)
  3. Know how their information has been shared with others

AND

  4. Request restrictions on information they do not want shared.
33
Q

What registry was created by the FTC as part of the revisions to the Telemarketing Sales Rule (TSR)?

A

The National Do Not Call (DNC) Registry

34
Q

What organization oversees the DNC?

A

The Federal Trade Commission (FTC) manages the National DNC Registry.

The Federal Communications Commission (FCC) also has its own do-not-call rules (under the TCPA) and bridges gaps in the FTC’s jurisdiction (e.g. over common carriers and banks).

35
Q

What does the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) of 2003 prohibit?

A

It does not ban commercial email outright; it prohibits deceptive practices in commercial messages and sets requirements that organizations subject to the law must meet: no false or misleading header information or subject lines, identification of the message as an advertisement, a valid physical postal address, and a working opt-out mechanism that must be honoured within 10 business days.

36
Q

What rights does the US’s Privacy Act (1974) guarantee?

A

The rights of individuals to:

  1. Access their own records held by federal agencies (a written request from the individual is required)
  2. Request amendments

AND

  3. Challenge the accuracy of information
37
Q

What does the Privacy Act prevent?

A

Information collected for one purpose may not be used for a different, incompatible purpose without the individual’s consent (purpose limitation).

38
Q

What are federal agencies required to do under the Freedom of Information Act?

A

Disclose any federal agency records or information upon request by the public

UNLESS

the request falls under one of the nine exemptions or three exclusions, which protect interests such as national security, personal privacy, and law enforcement.

39
Q

What is the impact of the California Online Privacy Protection Act (CalOPPA)?

A

It applies to any website or online service operator in the US, and potentially anywhere in the world, if the operator collects PI from California consumers.

40
Q

What does CalOPPA require?

A

The disclosure of specific information in the privacy notice (PI collected, description of process, and Do Not Track request disclosures)

41
Q

How is the Delaware Online Privacy and Protection Act (DOPPA) different from CalOPPA?

A

CalOPPA applies to consumers, whereas DOPPA applies to users and has broader application.

(DOPPA covers a broader range of entities that could be handling PI, including websites, cloud computing services, and online and mobile applications, while CalOPPA is limited to commercial websites and online services.)

42
Q

Which state has legislation similar to CalOPPA and DOPPA?

A

Nevada, however the disclosure requirement is less comprehensive under the Nevada law.

43
Q

What is the Shine the Light Law?

A

Law that gives California residents the right to request and be notified about how businesses use and share their PI with other businesses for marketing purposes.

The law also gives consumers a private right of action.

44
Q

Who does California’s Online Eraser Law protect?

A

Individuals under the age of 18.

It allows registered users under the age of 18 to request the removal of content they themselves posted on the operator’s website or application.

45
Q

What are the limits to the Online Eraser Law?

A

The operator is not required to honour the request if the content about the minor was posted by a third party (another registered user of the website), rather than by the minor.

The operator is also not obliged to comply if the minor does not follow the operator’s instructions for requesting removal, or if the minor received compensation or other consideration for the content.

46
Q

What is the function of the California Consumer Privacy Act (CCPA), 2018?

A

Extends the existing privacy rights of California residents under the California constitution, including:

  1. The ability to request records of the PI collected about them and how it is used
  2. The right to erasure

AND

  3. The right to opt out of having PI sold to third parties.
47
Q

What is the function of the California Privacy Rights Act (CPRA), 2020?

A

Functions as an amendment to the CCPA and creates new data rights:

  1. Defines sensitive PI and limits the purposes for which sensitive PI can be used

AND

  2. Allows consumers to opt out of the sharing of their PI (the definition of ‘sharing’ is quite limited and covers only disclosures for cross-context behavioural advertising)
48
Q

What CCPA link will be changed as a result of the CPRA?

A

The ‘Do Not Sell My Personal Information’ link is replaced with a ‘Do Not Sell or Share My Personal Information’ link.

49
Q

What are consumer privacy rights under Virginia’s Consumer Data Protection Act (CDPA)?

A

Consumers have the right to:

  1. Confirm whether a controller processes the consumer’s PI
  2. Correct inaccurate PI
  3. Delete PI provided by or obtained about consumer
  4. Access PI in a portable format
  5. Opt out of profiling, targeted advertising, and personal data sales
50
Q

Does the CDPA regulate sensitive PI?

A

YES and controllers must obtain consent before processing sensitive PI.

51
Q

When will the Colorado Privacy Act (CPA) take effect?

A

July 1, 2023, six months after Virginia’s CDPA.

52
Q

What data rights are guaranteed under the Colorado CPA?

A

The rights to access, correct, delete, and obtain a portable copy of their PI, and to opt out of the processing of PI for targeted advertising, the sale of PI, and profiling in furtherance of decisions that produce legal or similarly significant effects.

53
Q

What privacy rights do Nevadans have?

A

The right to opt out of the sale of their PI to data brokers and other third parties.

(Nevada operators must provide a designated request address, which may be an email address, a toll-free telephone number, or a website, for opt-out requests. Operators must respond to requests within 60 days.)

54
Q

Which states have biometric privacy laws?

A

Illinois, Washington, and Texas.

55
Q

What are the requirements under the Illinois Biometric Information Privacy Act (BIPA)?

A
  1. A private entity must notify an individual in writing of its intent to collect biometric information
  2. It must inform the individual of the purpose and the length of term for which the biometric information is being collected, stored and used
  3. It must receive a written release authorizing the collection and use

AND

  4. It must obtain consent for any further disclosure
56
Q

Are there penalties under the BIPA?

A

Yes:

  • $ 1,000 (or actual damages, whichever is greater) for negligent violations
  • $ 5,000 (or actual damages, whichever is greater) for intentional or reckless violations

AND

BIPA grants individuals a private right of action.

57
Q

What was one of the main ambitions of the GDPR?

A

Bolstering individuals’ rights.

Data subject rights are set out in Articles 12 - 23 and can have significant impact upon an organization’s core business processes and even business model.

58
Q

Are controllers required to verify the identity of data subjects under the GDPR?

A

Yes. Article 12(2) requires the controller to facilitate the exercise of data subject rights, and Article 12(6) lets it request additional information to confirm identity.

Where the controller has reasonable doubts as to the identity of the person making the request, it may request the provision of additional information necessary to confirm it; it should request only what is proportionate to the doubt.

59
Q

Is the controller obliged to collect additional PI to link data it holds to a specific data subject (GDPR)?

A

No. Article 11: where the purposes of processing no longer require identification, the controller is not obliged to acquire additional information solely to identify the data subject in order to comply with the GDPR (but it must tell the data subject if it cannot identify them, and Articles 15 to 20 do not apply unless the data subject supplies information enabling identification).

60
Q

Under the GDPR what is the time frame set out to honour data subject requests?

A

Article 12(3): without undue delay and at the latest within one month of receipt of the request. The period may be extended by two further months where necessary, taking into account the complexity and number of requests; the controller must inform the data subject of the extension, and of the reasons for it, within the first month.

61
Q

What must an organization do if it decides to not process a data subject request (GDPR)?

A

Article 12(4): inform the data subject without delay, and at the latest within one month of receipt, of the reasons for not taking action, and of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

62
Q

What is the GDPR Article 12(1) requirement?

A

Transparency.

Any information communicated by the organization to data subjects should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

63
Q

What right do data subjects have under GDPR Article 13?

A

To be provided, at the time the PI is collected from them, with certain pieces of information that describe their relationship with the controller:

  1. The controller’s identity
  2. Contact details (including the DPO, where one exists)
  3. The purposes of the processing
  4. The legal basis for the processing
  5. The recipients or categories of recipients of the data

Where the PI is not obtained from the data subject (e.g. collected from a third party), Article 14 applies instead and the controller must additionally identify the source of the data.

64
Q

What right do data subjects have under GDPR Article 15?

A

Right of access, i.e. confirmation of whether their PI is being processed and, if so, a copy of the PI and the following information:

  1. The purposes of the processing
  2. The categories of PI
  3. The recipients to whom the PI has been or will be disclosed
  4. The retention period (or the criteria used to determine it)
  5. The right to request rectification, erasure or restriction of processing
  6. The right to lodge a complaint with a supervisory authority
  7. The source of the PI, if not collected from the data subject
  8. The existence of automated decision-making, including profiling (referencing Article 22(1) and (4))
65
Q

Does the GDPR define the term ‘accuracy’?

A

No.

Individuals can place rectification requests and organizations must react within one calendar month and requests can only be refused under limited circumstances.

66
Q

To what principle is the ‘right to rectification’ linked under the GDPR?

A

Accuracy: Article 5(1)(d)

67
Q

What GDPR right is the most actively scrutinized?

A

Right to erasure OR right to be forgotten (Article 17(1))

68
Q

Under what circumstances can individuals request to have their data errased (GDPR)?

A
  1. The data is no longer needed for its original purpose and no other lawful purpose exists
  2. The data subject withdraws the consent on which the processing is based
  3. The data subject objects to the processing and the controller has no overriding legitimate grounds
  4. The data has been processed unlawfully
  5. Erasure is necessary to comply with an EU or member state legal obligation
69
Q

What does GDPR Article 17(2) require?

A

Where the controller has made PI public (e.g., in a phone book or on a social network) and the data subject exercises the right to erasure, the controller must take reasonable steps, including technical measures, to inform other controllers processing the published PI that the data subject has requested erasure of any links to, or copies or replications of, that PI.

70
Q

What are the exceptions to the right of erasure under GDPR Article 17(3)?

A
  1. Exercising the right of freedom of expression and information
  2. Compliance with a legal obligation, or performance of a task in the public interest or in the exercise of official authority
  3. Reasons of public interest in the area of public health
  4. Archiving in the public interest, scientific or historical research, or statistical purposes, where erasure would seriously impair those purposes
  5. The establishment, exercise or defence of legal claims
71
Q

What is a GDPR Article 19 requirement?

A

Where the controller has disclosed PI to recipients and the data subject has obtained rectification, erasure, or restriction of processing, the controller must notify each recipient, unless this proves impossible or involves disproportionate effort, and must tell the data subject who those recipients are if asked.

Recital 66: explains the extension of the right to erasure, especially in the online environment.

72
Q

What GDPR article establishes ‘blocking’ of data?

A

Article 18

Data subjects have the right to restrict the processing of their PI if:

  1. The accuracy of the data is contested (and only for as long as it takes to verify the data)
  2. The processing is unlawful and data subject requests restriction instead of erasure
  3. The controller no longer needs the data for their original purposes but the data is still needed by the data subject to defend legal rights
  4. Verification of overriding grounds is pending in the context of an erasure request
73
Q

What is a new term in European data protection law?

A

Data portability (Article 20)

The right aims to empower data subjects regarding their own PI and it facilitates their ability to move, copy or transmit PI easily from one IT environment to another.

74
Q

Do data subjects have objection rights under the GDPR?

A

Yes. Article 21(1) allows data subjects to object, on grounds relating to their particular situation, to processing that the controller bases on its legitimate interests or on a public-interest or official-authority task (Article 6(1)(e) or (f)), including profiling. Article 21(2) makes the right to object to direct marketing absolute.

75
Q

What is a controller required to do when faced with a valid data processing objection (GDPR)?

A

Stop processing the data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims.

The GDPR does not define ‘compelling legitimate grounds’.

76
Q

What is a limitation on the right to object under the GDPR?

A

Article 21(6): where the data is processed for scientific or historical research or statistical purposes, the right to object exists only insofar as the processing is not necessary for the performance of a task carried out for reasons of public interest.

77
Q

What does GDPR Article 22 establish?

A

A general prohibition on decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects; it applies irrespective of whether the data subject takes any action to invoke it.

78
Q

Does GDPR Article 22 have a narrow application?

A

Yes. The right not to be subjected to automated decision making applies only if such a decision is based solely on automated processing and produces legal effects concerning the data subject or significantly affects them.

79
Q

Do EU countries have the right to impose national privacy and data protection rights?

A

Yes, within limits. Article 23 allows Union or member state law to restrict the scope of the rights and obligations in Articles 12 to 22, and the principles of Article 5 insofar as they correspond to those rights, by a legislative measure that respects the essence of fundamental rights and is necessary and proportionate (e.g. for national security, defence, or law enforcement).

80
Q

What may an organizations procedures around withdrawal of consent address?

A
  1. When and how consent may be withdrawn
  2. Rules of communicating with individuals
  3. Methods for withdrawing consent
  4. Documentation of requests and actions taken
81
Q

How should DSR complaints be handled?

A

All employees who may come across such requests or complaints should be trained to recognize them and instructed to route them quickly to the person responsible for handling them.

Training should include:

  1. Differentiating between sources and types of complaints
  2. Designating proper recipients
  3. Implementing a centralized intake process
  4. Tracking the process
  5. Reporting and documenting resolutions
  6. Redressing
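
The intake-and-tracking process above, and the Article 12(2)/12(6) identity checks and Article 12(3) deadlines on the earlier GDPR cards, are easier to operate with a small tracker than with a spreadsheet. The following is an added example, not code from the original flashcards or from any regulator; it assumes that “one month” is counted as the same calendar date in the following month (or the last day of that month if no such date exists, so 31 January runs to 28/29 February), that an extension makes the total period three months from receipt, and that recording identity verification does not pause the clock. The request identifiers and evidence strings are constructed sample data.

```python
"""Minimal data subject request (DSR) tracker: added example, not from the page.

Assumptions (not stated by the GDPR text itself):
- "one month" = same calendar date next month, clamped to month end.
- An Art. 12(3) extension makes the total period three months from receipt.
- Identity verification (Art. 12(2)/(6)) is logged but does not stop the clock.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Request types mirror the GDPR rights discussed on this page.
REQUEST_TYPES = {"access", "rectification", "erasure", "restriction",
                 "portability", "objection"}


def add_months(start: date, months: int) -> date:
    """Same calendar date `months` later; falls back to the last day of the
    target month when that date does not exist (31 Jan -> 28/29 Feb)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class DataSubjectRequest:
    request_id: str            # hypothetical ticket id, e.g. "DSR-0001"
    request_type: str
    received: date
    identity_verified: bool = False
    extended: bool = False
    extension_reason: str = ""
    log: list[str] = field(default_factory=list)  # audit trail of actions taken

    def __post_init__(self) -> None:
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")
        self.log.append(f"{self.received.isoformat()} received ({self.request_type})")

    def deadline(self) -> date:
        """One month from receipt, or three months in total once extended."""
        return add_months(self.received, 3 if self.extended else 1)

    def verify_identity(self, on: date, evidence: str) -> None:
        """Record how identity was confirmed (e.g. login to existing account)."""
        self.identity_verified = True
        self.log.append(f"{on.isoformat()} identity verified via {evidence}")

    def extend(self, on: date, reason: str) -> None:
        """Art. 12(3): one extension only, with reasons, notified to the data
        subject within the first month of receipt."""
        if self.extended:
            raise ValueError("request already extended")
        if on > add_months(self.received, 1):
            raise ValueError("extension must be notified within one month of receipt")
        if not reason.strip():
            raise ValueError("extension requires a stated reason")
        self.extended = True
        self.extension_reason = reason
        self.log.append(f"{on.isoformat()} extended to {self.deadline().isoformat()}: {reason}")

    def status(self, today: date) -> str:
        if not self.identity_verified:
            return "awaiting identity verification"
        return "overdue" if today > self.deadline() else "open"


if __name__ == "__main__":
    # Constructed sample: an access request received on a month-end date.
    dsr = DataSubjectRequest("DSR-0001", "access", date(2024, 1, 31))
    dsr.verify_identity(date(2024, 2, 2), "authenticated session on existing account")
    print(dsr.deadline())                      # 2024-02-29
    dsr.extend(date(2024, 2, 20), "request covers 14 systems and 6 years of records")
    print(dsr.deadline())                      # 2024-04-30
    print(dsr.status(date(2024, 5, 1)))        # overdue
    print("\n".join(dsr.log))
```

The month-end clamping is the part most often got wrong in home-grown trackers; computing the extended deadline from the receipt date rather than from the first deadline avoids compounding that rounding twice.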
82
Q

How many Latin American countries have comprehensive privacy legislation?

A

13 (as of December 2020)

In Mexico, ARCO rights grant right of access, rectification, cancellation, and opposition to processing.

83
Q

What does Korea’s Personal Information Protection Act prohibit?

A

Denying goods and services to a data subject on the basis that such individual denied consent to certain processing (e.g., receiving marketing emails).