Privacy Program Framework: Applicable Privacy Laws and Regulations Flashcards

1
Q

Common elements of global laws and regulations

A

Notice
Choice and consent
Purpose limitation
Individual rights
Data retention limits
Data transfers

2
Q

Foundational privacy principles (the eight OECD Privacy Guidelines principles, 1980)

A

Collection limitation
Data quality
Purpose specification
Use limitation
Security safeguards
Openness
Individual participation
Accountability

3
Q

GDPR overview

A

*Regulation (EU) 2016/679: a framework for data protection with increased accountability for the organizations that process personal data (controllers and processors)
*Has become a de facto global standard; later laws such as Brazil's LGPD, California's CCPA/CPRA and China's PIPL borrow heavily from it
*Entered into force in May 2016 and has applied since 25 May 2018, replacing the 1995 Data Protection Directive

4
Q

GDPR Objectives, material scope, territorial scope

A

*Objectives: lays down rules on the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data
*Protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data
*Material scope: applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that forms part of (or is intended to form part of) a filing system
*Does not apply to the processing of personal data:
-in the course of an activity which falls outside the scope of Union law;
-by a natural person in the course of a purely personal or household activity;
-by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (that processing is covered by the separate Law Enforcement Directive, 2016/680)
*Territorial scope: applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place in the Union
*Also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
-the offering of goods or services to such data subjects in the Union, irrespective of whether a payment is required, or
-the monitoring of their behaviour, as far as that behaviour takes place within the Union

5
Q

GDPR data subject rights (GDPR uses "data subject", not "consumer")

A

*Withdraw consent at any time, where consent is the lawful basis for processing (withdrawal does not affect processing that took place before it)
*Be informed about processing through transparency notices
*Access: obtain confirmation that their data is being processed and a copy of all their personal data
*Rectification of inaccurate or incomplete data
*Erasure ("right to be forgotten"), subject to exceptions such as legal obligations and the establishment or defence of legal claims
*Restriction of processing in defined circumstances
*Data portability: receive their data in a structured, commonly used, machine-readable format and have it transmitted to a different organization
*Object to processing, including an absolute right to object to direct marketing
*Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects

6
Q

GDPR organization requirements

A

*Implement data protection by design and by default
*Implement appropriate technical and organizational security measures
*Notify the supervisory authority (data protection authority, DPA) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; notify affected data subjects without undue delay when the breach is likely to result in a high risk to them
*Have a lawful basis for every processing activity (consent is only one of six bases); where consent is relied on it must be freely given, specific, informed and unambiguous; provide notice of personal data processing activities
*Obtain verifiable parental consent for consent-based online services offered directly to children under 16 (member states may lower the threshold to as low as 13)
*Keep records of processing activities (Article 30)
*Appoint a data protection officer (DPO) where the organization is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data or criminal conviction data
*Use only processors (third-party vendors) that provide sufficient guarantees, bind them by a written contract (Article 28) and remain accountable for their security and processing activities
*Conduct data protection impact assessments (DPIA) for new or high-risk processing activities, in particular those using new technologies
*Institute safeguards for cross-border data transfers (adequacy decisions, standard contractual clauses, binding corporate rules)
*Consult the supervisory authority before proceeding where a DPIA shows high residual risk that cannot be mitigated
*Be able to demonstrate compliance on demand (the accountability principle)
*Provide appropriate data protection training to personnel having permanent or regular access to personal data

7
Q

GDPR regulators can…

A

*Request records of processing activities and evidence of the steps taken to comply, including through audits (investigative powers)
*Issue warnings and reprimands, impose temporary or definitive limitations or bans on processing, order notification of a breach to data subjects, or order rectification or erasure of personal data (corrective powers)
*Suspend data flows to a recipient in a third country or to an international organization
*Impose administrative fines in two tiers: up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year for lower-tier infringements (e.g., security, records, DPIA, DPO duties), and up to EUR 20 million or 4% for higher-tier infringements (e.g., basic principles, data subject rights, transfer rules); in each tier whichever amount is higher applies

8
Q

California Consumer Privacy Act (CCPA) overview

A

*First comprehensive consumer privacy law enacted by a US state (California); there is still no comprehensive federal privacy law in the US
*Enacted 2018, took effect January 1, 2020; amended and expanded by the California Privacy Rights Act (CPRA), most of whose provisions took effect January 1, 2023

9
Q

CCPA consumer rights

A

*Right to know: request disclosure of the categories and specific pieces of personal information an organization holds about them, the sources, the business purposes for collecting it, and the categories of third parties with which it is shared or to which it is sold
*Right to delete personal information collected from them, with exceptions such as completing a transaction, detecting security incidents and fraud, certain research, free speech, legal obligations, and some internal uses reasonably aligned with consumer expectations
*Right to opt out of the sale of their personal information
*Right not to be discriminated against for exercising these rights

10
Q

CCPA organization requirements

A

*Have a reasonable verification process so consumers can prove their identity before a request is fulfilled
*Respond to data subject access requests (DSARs) within 45 days, extendable once by a further 45 days where reasonably necessary
*Provide at least two designated methods for receiving consumer requests (e.g., a toll-free number and a web form)
*Disclose the categories of third parties to which data is sold and place a clear "Do Not Sell My Personal Information" link on the website homepage
*Disclose, at or before collection, what personal information is collected and how it will be used, and maintain an online privacy notice
*Not discriminate against a consumer for exercising any right granted by the law (e.g., by denying service or charging different prices)
*Obtain affirmative opt-in before selling the personal information of minors: from the consumer if aged 13 to 15, from a parent or guardian if under 13
*Train the employees who handle consumer inquiries about privacy practices on the law's requirements and on how to direct consumers to exercise their rights

11
Q

CCPA enforcement

A

*Enforced by the California Attorney General and, since the CPRA amendments, also by the California Privacy Protection Agency (CPPA)
*Civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation (and per violation involving a minor's data under the CPRA); as originally enacted, a business had 30 days after notice to cure an alleged violation before an enforcement action could be brought, a mandatory cure period the CPRA largely removed
*Limited private right of action for consumers whose non-encrypted, non-redacted personal information is exposed in a data breach caused by a failure to maintain reasonable security: statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater

12
Q

Brazil General Data Protection Law (LGPD) overview

A

*Lei Geral de Proteção de Dados (Law No. 13,709/2018); in effect since September 2020, with administrative sanctions enforceable from August 2021
*Closely modeled on the GDPR (lawful bases, data subject rights, DPO, impact reports, transfer rules); supervised by the national data protection authority, the ANPD (Autoridade Nacional de Proteção de Dados)

13
Q

LGPD data subject rights

A

*Confirm the existence of processing
*Access their data
*Correct incomplete, inaccurate or out-of-date data
*Anonymize, block or delete unnecessary or excessive data or data processing in violation of the law
*Export data to another service or product provider
*Delete personal data processed pursuant to consent
*Obtain info about entities with which data is shared
*Obtain info about denying consent
*Review decisions made solely based on automated processing
*Oppose non-consent-based processing when in violation of the law

14
Q

LGPD organization requirements

A

*Implement privacy-by-design and -default processes
*Develop incident response and remediation plans
*Maintain appropriate data security
*Notify data subjects and regulators of data breaches
*Follow special rules for directly processing children’s data
*Provide notice of intention to process personal info
*Appoint a DPO (for controllers)
*Take responsibility for processing activities of third-party vendors
*Create personal data protection impact report (RIPD)
*Ensure adequacy of appropriate safeguards for data transfers
*Keep records in most circumstances and demonstrate compliance
*Comply with international data transfer requirements

15
Q

LGPD regulators can

A

*Request records of processing and evidence of compliance
*Apply administrative sanctions: warnings, publicizing the infraction, blocking or deleting the personal data involved, and partial or total suspension or prohibition of the processing activities concerned
*Impose fines of up to 2% of the company's (or group's) revenue in Brazil in the prior fiscal year, excluding taxes, capped at R$50 million per infraction; daily fines are subject to the same cap

16
Q

People’s Republic of China Personal Information Protection Law (PIPL)

A

*In effect since November 1, 2021; GDPR-like in structure (lawful bases, individual rights, cross-border transfer controls) and applies extraterritorially to processing of PRC residents' data for offering products or services to them or analyzing their behaviour
*Restricts private-sector processing but does not constrain access to data by the central government; state organs are governed by separate, lighter rules
*Fines for serious violations of up to RMB 50 million (roughly US$7.7 million at the time of enactment) or up to 5% of the previous year's business revenue; responsible individuals can also be fined personally and barred from management roles

17
Q

Strategies for emerging laws

A

*Remain aware of emerging laws in the jurisdictions where the organization does business, to understand their scope and requirements
*Know when new legislation is scheduled to take effect and build that lead time into the program roadmap
*Monitor on a regular basis so that new laws and regulations are added to, or used to adjust, the program's scope

18
Q

Sectoral privacy laws

A

*Health care: special protection for health data
*Finance: confidentiality of financial records, but also mandatory monitoring and reporting obligations (anti-money laundering, counter-terrorism financing) that cut against privacy
*Telecom: protection of content, but also of metadata and location information, to which law enforcement often wants access
*Online: issues presented by online transactions; the appeal of the information to law enforcement, marketers and criminals; the global nature of online privacy concepts
*Government: courts constantly reevaluate the definition of public records; governments often have specific transparency obligations that conflict with privacy
*Education: protection of student and education records
*Video: laws originally designed to protect renters and purchasers of video tapes, now applied to online streaming services
*Energy: emerging area with smart-grid and smart-meter technologies, which reveal household activity patterns
*HR: employee confidentiality vs. workplace monitoring technology; during the pandemic, organizations had to address the privacy and security impacts of working from home

19
Q

US sectoral laws (federal)

A

*Federal Trade Commission Act (Section 5): Enforced by the FTC; prohibits unfair or deceptive acts or practices in or affecting commerce, which is the basis for most US privacy and data security enforcement
*Fair Credit Reporting Act (FCRA): Enforced by the FTC and the Consumer Financial Protection Bureau (CFPB); protects information collected by consumer reporting agencies; requires accuracy and fairness in credit reporting and reasonable procedures governing the collection of credit information and access to credit reports
*Family Educational Rights and Privacy Act (FERPA): Enforced by the Dept. of Education; concerned with improper disclosure of PII derived from education records, and gives parents and eligible students rights to access and amend those records
*Privacy Act of 1974: Civil remedies through lawsuits against agencies in federal court, with criminal penalties for willful violations prosecuted by the DOJ; establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals maintained in systems of records by federal agencies
*Electronic Communications Privacy Act (ECPA): Criminal provisions enforced by the DOJ, plus a civil private right of action; concerned with federal wiretapping and electronic eavesdropping, stored communications, and unauthorized (including governmental) access to electronic communications
*Video Privacy Protection Act (VPPA): Enforced through an individual private right of action; prevents disclosure of personally identifiable rental or purchase records of prerecorded video cassette tapes or similar audiovisual materials
*Telephone Consumer Protection Act (TCPA): Enforced by the Federal Communications Commission (FCC) and state attorneys general, with a private right of action; limits the use of automatic telephone dialing systems, artificial or prerecorded voice messages, SMS text messages and fax machines
*Driver's Privacy Protection Act (DPPA): Enforced by the DOJ (civil penalties against state DMVs, criminal fines), with a private right of action; concerned with privacy and disclosure of personal information gathered by state departments of motor vehicles
*Health Insurance Portability and Accountability Act (HIPAA): Enforced by the Health and Human Services (HHS) Office for Civil Rights (OCR) and, since HITECH, also by state attorneys general; the Privacy and Security Rules govern protected health information (PHI) held by covered entities (health plans, providers, clearinghouses) and their business associates; also covers health insurance portability, medical records and use of PHI in research
*Children's Online Privacy Protection Act (COPPA): Enforced by the FTC (and state attorneys general); regulates online collection of personal information from children under 13; prohibits online operators from collecting PII from such children without verifiable parental consent
*Gramm-Leach-Bliley Act (GLBA): Enforced by the FTC, federal banking agencies and other federal regulatory authorities as well as state insurance oversight agencies; requires financial institutions to explain their information-sharing practices to consumers (Privacy Rule) and to protect customer information (Safeguards Rule)
*Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM): Enforced by the FTC; establishes requirements for those who send commercial email (accurate headers, opt-out mechanism, physical address)
*Fair and Accurate Credit Transactions Act (FACTA): Enforced by the FTC, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and, until its abolition in 2011, the Office of Thrift Supervision; amends the FCRA and enhances consumer protections, particularly against identity theft (free annual credit reports, Red Flags Rule, Disposal Rule)
*National Do Not Call Registry: Enforced by the FTC, FCC and state attorneys general; gives consumers a choice about whether to receive telemarketing calls
*Health Information Technology for Economic and Clinical Health Act (HITECH): Enforced by OCR; provides HHS with the authority to establish programs to improve health care quality, safety and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange; also strengthened HIPAA enforcement (breach notification rule, higher penalty tiers, direct liability for business associates)

20
Q

Industry standards and codes of conduct

A

*Payment Card Industry Data Security Standard (PCI DSS): Scope is any organization that accepts, transmits or stores cardholder data branded with one of the participating card brands (originally the five founders: Visa, Mastercard, American Express, Discover and JCB; UnionPay joined the council later); a contractual industry standard, not a law
*DMA Guidelines for Ethical Business Practice: Scope is individuals and entities involved in data-driven marketing in all media
*Trust marks (e.g., Verisign, TrustArc, McAfee, PayPal): Scope is online vendors' e-commerce sites
*Children's Advertising Review Unit (CARU) Advertising Guidelines: Scope is national advertising primarily directed to children under the age of 12 in any medium
*Network Advertising Initiative (NAI) Code of Conduct: Scope is NAI members' approach to privacy and data governance in connection with the collection and use of data for interest-based advertising
*EU Cloud Code of Conduct: Scope is B2B cloud services where the cloud service provider is acting as a processor under Article 28 of the GDPR; an approved code of conduct under Article 40

21
Q

Cross-border Data Transfers

A

*Many regulations require organizations to have protective mechanisms to govern transfers of personal data across borders
*Under GDPR Chapter V, transfers of personal data to countries outside the European Economic Area (EEA) can take place freely where the European Commission has decided that the destination country ensures an adequate level of protection (an adequacy decision)
*For other countries, appropriate safeguards such as Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) can be used, with the Article 49 derogations for specific situations as a last resort
*Since the CJEU's Schrems II judgment (2020), an exporter relying on SCCs must assess on a case-by-case basis whether the law and practice of the destination country undermine the protection the clauses provide, and adopt supplementary measures where they do; this assessment is the data transfer impact assessment (DTIA, also called a TIA)

22
Q

DTIA

A

*Map where data resides and where it is transferred to
*Identify the transfer mechanisms used (adequacy, SCCs, BCRs, derogations)
*Assess the effectiveness of those transfer mechanisms in the destination country
*Adopt additional (supplementary) safeguards as needed, e.g., encryption with keys held only in the EEA, pseudonymization before export, or contractual commitments to challenge access requests
*Ensure the additional measures align with business requirements
*Monitor for ongoing compliance and reassess when the law or the transfer changes

Should include:
*What is the likelihood of government access to the data
*Is the data within the scope of the receiving country's intelligence and law enforcement activities
*Are proper protective measures in place
*What are the applicable privacy and security standards of the receiving country
*What are the general human rights ratings of the receiving country

23
Q

EU approved options

A
  1. Adequacy decision: