9. Operations: Data Subject Rights Flashcards
Who are data subjects?
Identified or identifiable individuals whose PI is being processed by an organization
What are data subject rights?
Vary across juridictions and include:
- Right to know how PI will be used
- Right to opt out of certain processing activities
Who can place a data subject request (DSR)?
Data subject, their agent, or (under some laws and circumstances) organizations may need to assist customers with fulfilling DSRs
Do organizations need to inform data subjects about privacy practices?
Yes. transparency is a critical requirement under most privacy laws
What is a privacy notice?
An external statement directed at data subjects, it is a tool used to describe the organization’s privacy practices.
What is a privacy policy?
An internal document directed at employees or contractors that describe how the organization will process their PI.
What is a common feature of a privacy notice and policy?
Both describe how personal information will be collected, used, shared, and stored.
Does a privacy notice provide blanket protection from privacy litigation?
No. A privacy notice is a promise and if the organization breaks the promise or fails to adequately describe data processing activities, it can face litigation or regulatory action.
Against which companies did the FTC initiate enforcement actions for deceptive privacy practices?
Google and its subsidiaries, YouTube, Facebook and Snapchat.
What are common elements of privacy notices?
- Who the organization is and contact information (privacy office or DPO)
- What information is being collected (directly or indirectly)
- How the organization will use the information
- With whom the organization will share the information
- An overview of applicable data subject rights and the process for exercising those rights
- How the information is protected and processed securely
- Under what circumstances the organization acts as a processor for other organizations
- How the behaviours of the website users are monitored
What is a just-in-time notice?
A layered approach provided immediately before the data is collected.
E.g., when a mobile application asks to track location.
When is a just-in-time notice a WP29 and a CCPA requirement?
WP29: When providing information at various points throughout the process of data collection
CCPA: When a business collects PI from customer’s mobile device for a purpose that the customer would not reasonably expect.
What is a layered approach to notice?
A high-level summary of the various sections of the privacy notice.
*The EDPB states in guidance that “layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise on one hand and understandable on the other.
When are QR codes useful in privacy notices?
When there is limited space to provide privacy notice (e.g. an internet of things device or mobile screens).
What is a privacy dashboard?
It offers a summary of privacy-related information and metrics and is easy to access and navigate.
What does a privacy dashboard ensure according to WP29?
That access and use of the dashboard is intuitive and helps to encourage users to engage with information.
Do privacy notices solicit or imply consent?
No.
What must be done when relying on consent?
Keep legally admissible record that establishes what the individual consented to, the date it was completed, and establishes that the individual agreed to the consent.
Under the GDPR, other than consent, what other lawful basis are available to organizations for processing PI?
- Contract
- Legal obligations
- Vital interests
- Public interest
- Legitimate interest
What are dark patterns?
Any interface designed to substantially subvert an end-user’s autonomy.
Should consents be regularly reviewed?
Yes, and refreshed if necessary.
What are the two central concepts of choice?
Opt-in - active, affirmative indication of choice
AND
Opt-out - affirmative action by hitting an ‘unsubscribe’ link
What is Age Appropriate Design?
An ICO code that implements GDPR principles “in the context of children using digital services”.
What rules does the ICO code for age-appropriate design establish?
- Not sharing geolocation data by default
AND
- Differentiating an offering based on child-users’ age
What is a COPPA (US) requirement for information collected online from children under 13?
Organizations must obtain verifiable parental consent.
The law provides parents with:
- The right of access, modification, and deletion of their child’s PI
AND
- Opportunity to prevent and limit further collection and use of the child’s PI
What did the OPC state regarding privacy notices directed toward children?
“For minors able to provide meaningful consent, consent can only be considered meaningful if organization’s have reasonably taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
What is the WP29 suggestion for consent obtained from children?
Vocabulary, tone and style of language is appropriate to and resonates with children.
*UN Convention on the Rights of the Child in Child Friendly Language - resource
What is the age consent threshold under the GDPR?
16, however individual countries may set an age threshold between 13 and 16.
What is the COPPA purpose processing exemption?
Processing to support the operator’s internal operations, such as website maintenance and security.
What privacy rights does the Fair Credit Reporting Act (FCRA) (US) grant to customers?
- Right to customers with respect to how their data is used
- Access to all information a customer reporting agency has about them
- Request that credit reporting agency investigate inaccurate information within 30 days
- Removal of outdated negative information (civil suits, judgements, customer report liens 7 years after the statute of limitation expired)
- Removal of bankruptcies from credit reports after 10 years
- Customer notification from the financial institution before the submission of negative information to credit reporting agency
- Written consent requirement for background checks and inform the individual that the information in the background check may be used to make a decision about employment
What is the role of the Health Insurance Portability and Accountability Act (HIPAA) in the US?
- Regulates the use and disclosure of protected health information (PHI)
AND
- Provides individuals with rights relating to PHI
What are individual rights under HIPAA?
Individuals have the right to:
- Obtain a copy of their medical records (30 days)
- Change any incorrect information and add any information that might be missing or incomplete (60 days)
- Know how their information has been shared with others
AND
- Request restrictions on information they might not want shared.
What registry was created by the FTC as part of the revisions to the Telemarketing Sales Rule (TSR)?
The National Do Not Call (DNC) Registry
What organization oversees the DNC?
The Federal Communications Commission (FCC)
The FCC also has it’s own do-not-call rule and bridges gaps in the FTC’s jurisdiction.
What does the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) of 2003 prohibit?
Prohibits organizations subject to the law from sending many types of commercial messages.
What rights does the US’s Privacy Act (1974) guarantee?
The rights of individuals to:
- Access their own records from federal agencies (written request from the individual is required)
- Request amendments
AND
- Challenge the accuracy of information
What does the Privacy Act prevent?
Information collected for one purpose, may not be used for a different purpose.
What are federal agencies required to do under the Freedom of Information Act?
Disclose any federal agency records or information upon request by the public
UNLESS
the request falls under one of the nine exceptions and three exclusions that protect national security interests, personal privacy, and law enforcement interests.
What is the impact of the California Online Privacy Protection Act (CalOPPA)?
Applies to any website or online service operator in the US and possibly the world if the organization collects PI from California customers.
What does CalOPPA require?
The disclosure of specific information in the privacy notice (PI collected, description of process, and Do Not Track request disclosures)
How is the Delaware Online Privacy and Protection Act (DOPPA) different from CalOPPA?
CalOPPA applies to consumers and DOPPA applies to users and has brother application.
(DOPPA covers a brother range of entities that could be handling PI, including websites, cloud computing services, and online and mobile applications, while CalOPPA is limited to commercial websites and applications)
Which state has legislation similar to CalOPPA and DOPPA?
Nevada, however the disclosure requirement is less comprehensive under the Nevada law.
What is the Shine the Light Law?
Law that gives California residents the right to request and be notified about how businesses use and share their PI with other businesses for marketing purposes.
The law also gives customers private right of action.
Who does California’s Online Eraser Law protect?
Individuals under the age of 18.
It allows registered users under the age of 18 to request and remove content posted on the operator’s website or application.
What are the limits to the Online Eraser Law?
The operator is not required to respond to the request of the minor if the content about the minor was posted by a third party, who is a registered user of the website.
If the minor does not follow instruction on request of content removal or if the minor received compensation or consideration for the content, the service operator is not obliged to comply with the law.
What is the function of the California Consumer Privacy Act (CCPA), 2018?
Extends the existing privacy rights of California residents in the California constitution, including:
- Ability to request records of PI and use of PI
- Right to erasure
AND
- Opt out of having PI sold to third parties.
What is the function of the California Privacy Rights Act (CPRA), 2020?
Functions as an amendment to the CCPA and creates new data rights:
- Defines sensitive PI and limit the purposes for which sensitive PI can be used
AND
- Allows for opt out of sharing consumers’ PI (the definition of ‘sharing’ is quite limited and includes only disclosures of cross-context behavioural advertising)
What CCPA link will be changed as a result of the CPRA?
The ‘Do Not Sell my PI’ link will be replaced with ‘Do Not Share or Sell My PI’ link.
What are consumer privacy rights under Virginia’s Consumer Data Protection Act (CDPA)?
Consumers have the right to:
- Confirm whether a controller processes the consumer’s PI
- Correct inaccurate PI
- Delete PI provided by or obtained about consumer
- Access PI in a portable format
- Opt out of profiling, targeted advertising, and personal data sales
Does the CDPA regulate sensitive PI?
YES and controllers must obtain consent before processing sensitive PI.
When will the Colorado Privacy Act (CPA) take effect?
July 1, 2023, six months after Virginia’s CDPA.
What data right is guaranteed under the CPPA?
Right to access, correct, delete, and the sale, certain uses of PI, and opt out of the processing of PI for targeted advertising and sale of PI for targeted advertising.
What privacy rights do Nevadans have?
Right to opt out of the sale of their PI to data brokers and third parties.
(Nevada operators must make an email to toll-free number available to customers for opt out requests. Operators must respond to requests within 60 days)
Which states have biometric privacy laws?
Illinois, Washington, and Texas.
What is the requirement under the Illinois’ Biometric Information Act (BIPA)?
- Requires that a private entity notify an individual in writing of its intent to collect biometric information
- Inform individuals of the purpose and length of term for which biometric information is being collected and used
- Receive a written release authorizing the use
AND
- Obtain consent for further disclosure
Are there penalties under the BIPA?
Yes:
- $ 1,000 for negligent violations
- $ 5,000 for intentional violations
AND
BIPA grants individuals a private right of action.
What was one of the main ambitions of the GDPR?
Bolstering individuals’ rights.
Data subject rights are set out in Articles 12 - 23 and can have significant impact upon an organization’s core business processes and even business model.
Are controllers required to verify the identity of data subjects under the GDPR?
Yes, Article 12(2).
Where the controller has reasonable doubts as to a data subject’s identity, the controller may request the provision of additional information to confirm it.
Is the controller obliged to collect additional PI to link data it holds to a specific data subject (GDPR)?
No
Under the GDPR what is the time frame set out to honour data subject requests?
Article 12(3): one month starting from the receipt of the request and it can be extended by further two months in specific situations and for complex requests.
What must an organization do if it decides to not process a data subject request (GDPR)?
Inform the data subject and inform them of their right to lodge complaints with regulators.
What is the GDPR Article 12(1) requirement?
Transparency.
Any information communicated by the organization should be provided in a concise and transparent, intelligible, and and easily accessible forms.
What right do data subjects have under GDPR Article 13?
To be provided with certain pieces of information that describe their relationship with the controller:
- Controller’s identity
- Contact details
- Reasons or purpose for processing
- Legal basis for processing
- Recipient of the data
Controller must identify the source of the data if collected or obtained from a third party.
What right do data subjects have under GDPR Article 15?
Right of access:
- Purposes of processing
- Categories of PI
- Recipients to whom the PI has been or will be disclosed
- Retention period
- The right to request erasure or processing restrictions
- Right to lodge a complaint
- Source of the PI collected
- The existence of automated decision making (Article 23(1) and (4)
Does the GDPR define the term ‘accuracy’?
No.
Individuals can place rectification requests and organizations must react within one calendar month and requests can only be refused under limited circumstances.
To what principle is the ‘right to rectification’ linked under the GDPR?
Accuracy: Article (5)(1)(d)
What GDPR right is the most actively scrutinized?
Right to erasure OR right to be forgotten (Article 17(1)
Under what circumstances can individuals request to have their data errased (GDPR)?
- The data is no longer needed for its original purpose and no lawful purpose exits
- Data subject withdraws processing consent
- The data subjects objects to the processing and the controller has no overriding grounds
- The data has been processed unlawfully
- Erasure is necessary for EU or national law compliance
What does GDPR Article 17(2) require?
Where the controller has made PI public (e.g., phone book or social network) and subject exercises right to erasure, controller must inform third parties that are processing published PI.
What are the exceptions to the right of erasure under GDPR Article 17(3)?
- Exercising the right of freedom of expression and information
- Compliance with legal obligation for processing
- The establishment of, exercise of defence against legal claims
What is a GDPR Article 19 requirement?
Where controller has disclosed PI to third parties and data subjects requested rectification, erasure, or blocking, the controller must notify the third party.
Recital 66: extension of the right to erasure especially in the online environment.
What GDPR article establishes ‘blocking’ of data?
Article 18
Data subjects have the right to restrict the processing of their PI if:
- The accuracy of the data is contested (and only for as long as it takes to verify the data)
- The processing is unlawful and data subject requests restriction instead of erasure
- The controller no longer needs the data for their original purposes but the data is still needed by the data subject to defend legal rights
- Verification of overriding grounds is pending in the context of an erasure request
What is a new term in European data protection law?
Data portability (Article 20)
The right aims to empower data subjects regarding their own PI and it facilitates their ability to move, copy or transmit PI easily from one IT environment to another.
Do data subjects have objection rights under the GDPR?
Yes. Article 21(1) allows data subjects to to object to processing whenever a controller justifies the processing based on its legitimate interest.
What is a controller required to do when faced with a valid data processing objection (GDPR)?
Stop processing the data unless it can demonstrate compelling and legitimate grounds for processing.
The GDPR does not define ‘compelling and legitimate’.
What is a limitation on the right to object under the GDPR?
Article 21(6): If the data is processed for scientific and historical research purposes, the right to object exits as far as the processing is not considered necessary for the task carried out in the interest of the public.
What does GDPR Article 21 establish?
A general prohibition for decision-making based solely on automated processing and it applies irrespective of the data subject’s actions.
Does GDPR Article 22 have a narrow application?
Yes. The right not to be subjected to automated decision making applies only if such a decision is based solely on automated processing and produces legal effects concerning the data subject or significantly affects them.
Do EU countries have the right to impose national privacy and data protection rights?
Yes, they may provide additional guidelines on the principles of Article 5, insofar as its provisions correspond to the rights and obligations provided for in Articles 12 to 22.
What may an organizations procedures around withdrawal of consent address?
- When and how consent may be withdrawn
- Rules of communicating with individuals
- Methods for withdrawing consent
- Documentation of requests and actions taken
How should DSR complaints be handled?
All employees who may come across such requests should be trained on how to recognize them and instructed on how to quickly send them to the person responsible for handling such complaints.
Training should include:
- Differentiating between sources and types of complaints
- Designating proper recipients
- Implementing a centralized intake process
- Tracking the process
- Reporting and documenting resolutions
- Redressing
How many Latin American countries have comprehensive privacy legisltaion?
13 (as of December 2020)
In Mexico, ARCO rights grant right of access, rectification, cancellation, and opposition to processing.
What does Korea’s Personal Information Protection Act prohibit?
Denying goods and services to a data subject on the basis that such individual denied consent to certain processing (e.g., receiving marketing emails).
