Privacy Program Framework - Section II.B. - Implementing a Privacy Program Framework Flashcards
The notion that individuals should not be surprised by having their information processed in a particular way prohibited by local law is sometimes referred to as what?
Surprise Minimization Rule
What type of international transfer mechanism is best described as a form of co-regulation?
Transfers made pursuant to codes of conduct of third-party certification authorities.
What did the European Court of Justice hold in the case Schrems v. Data Protection Comm’r?
The Safe Harbor program that most companies utilized to transfer data between the U.S. and E.U. was not compliant with the GDPR.
A determination that the information being transferred will be subject to an equivalent or greater level of protection in the transferee country is referred to as what?
Adequacy Decision
What are the two most prominent examples of self-regulatory authorities in the marketing industry?
(1) The Digital Advertising Alliance; and
(2) The Network Advertising Initiative.
Who is responsible for enforcing the self-regulatory principles developed by the Digital Advertising Alliance?
Both the Council of Better Business Bureaus and the Data & Marketing Association.
What is the primary reason that organizations attempt to funnel privacy-related media inquiries through a single point of contact?
To maintain a consistent message regarding an organization’s privacy practices.
What is the California Privacy Protection Agency (CPPA)?
The CPPA is an administrative agency created by the California Privacy Rights Act (CPRA), responsible for administering and enforcing the California Consumer Privacy Act (CCPA).
What made the California Consumer Privacy Act unique when compared with state and federal laws throughout the United States?
It was the first attempt in the United States to regulate information privacy with a comprehensive approach that applies to all market segments.
What types of conduct can result in a higher-level violation of the GDPR?
Higher level violations include violations of data subject rights and non-compliant cross-border transfers.
What are the ways in which information about an E.U. resident may be transferred outside of the E.U.?
(1) Adequacy decisions;
(2) Binding corporate rules;
(3) Standard contract clauses;
(4) Ad hoc contract clauses;
(5) Codes of conduct; and
(6) Derogations (or exceptions).
What countries has the E.U. determined have adequate data protection laws?
Andorra,
Argentina,
Canada,
Faroe Islands,
Guernsey,
Israel,
Ilse of Man,
Japan,
Jersey,
New Zealand,
Switzerland,
South Korea,
Uruguay, and the
United Kingdom.
In what situation(s) does the GDPR apply to data controllers and processors that operate within the E.U.?
The GDPR applies to all processing activities of data controllers and processors operating in the E.U. regardless of whether the processing occurs in the E.U.
What law requires organizations to include a “Do Not Sell My Personal Information” button on its website?
California Consumer Privacy Act (CCPA)
A well thought out and comprehensive privacy framework will be rendered useless if what happens?
There is a failure to effectively communicate that policy to internal and external stakeholders.
Can a data protection authority permanently ban a data controller from engaging in processing activities under the GDPR?
No. Although Article 58 grants data protection regulators the authority to temporarily ban processing activities, there is no authority to permanently ban processing activities.
What does the AdChoices program aim to achieve?
Providing consumers the ability to opt-out of online and internet-based advertisements.
True or False: As long as a company’s privacy notice is accurate, it does not have to worry about the FTC initiating a “deceptive” trade practice enforcement action.
False. A complaint about “deceptive” trade practices can result from any misstatement about a company’s privacy practices, including statements made in an organization’s binding corporate rules or other similar representations.
True or False: Data protection authorities are the first-line enforcement authority for organizations transferring data internationally pursuant to a code of conduct of a third-party certification authority.
False. Compliance monitoring is primarily carried out by the certifying authority, though a data protection authority retains the authority to bring an enforcement action.
True or False: The GDPR applies only to organizations that operate in the European Economic Area.
False. The GDPR has an extra-territorial reach.
What international transfer mechanisms under the GDPR need pre-approval by a supervisory agency?
Binding corporate rules and ad hoc contract clauses.
Data that is transferred internationally with the express consent of the data subject is transferred pursuant to what type of mechanism?
A derogation listed under Article 49 of the GDPR.
True or False: Binding corporate rules must be certified by a privacy supervisory agency within the E.U. before personal data can be transferred pursuant to those rules.
True
What are some examples in which an organization may have to communicate its privacy practices to data protection authorities?
To obtain approval for certain data practices (e.g., cross-border transfers), in response to an investigation or demand, and as part of breach notification requirements.
What are the primary concerns an organization must be aware of when transferring data across international borders?
(1) Transferring data into a new jurisdiction may result in an organization becoming subject to additional privacy and data security law; and
(2) Failure to implement appropriate procedures can result in legal non-compliance.
What is an external privacy organization?
A non-governmental organization that advocate for privacy protections.
What three elements must the FTC prove in order to establish an “unfair” trade practice?
A trade practice that results in
(1) a substantial injury
(2) with a lack of off-setting benefits and
(3) the injury is one that consumers themselves could not reasonably have avoided.
The Payment Card Industry Data Security Standard (PCI-DSS) and the Digital Advertising Alliance (DAA) are examples of what type of privacy protection?
Self-regulatory protections.
What three elements must the FTC prove in order to establish a “deceptive” trade practice?
(1) A material
(2) statement or omission
(3) that is likely to mislead consumers who are acting reasonably under the circumstances.
In order to establish that a party has engaged in “deceptive” trade practices in violation of Section 5 of the FTC Act, the FTC must establish that the company under investigation has made (1) a material (2) statement or omission (3) that is likely to mislead consumers who are acting reasonably under the circumstances. In order to meet this standard, the misstatement must be material. A material term is one that is likely to affect consumer decision-making. Whether information is handled in accordance with the Privacy Shield Framework is likely to meet this standard, while a misstatement about whether data is stored in New York or New Jersey is not likely to meet this standard.
What is the Digital Advertising Alliance?
A consortium of advertising and marketing trade groups that has developed the self-regulatory AdChoices program.
What are the two primary steps necessary to effectively implement a privacy framework?
(1) Effective communication to internal and external stakeholders; and
(2) Maintaining continuous alignment with applicable laws and regulations.
True or False: The failure to abide by self-regulatory programs does not have any consequences because participation is voluntary.
False. Failure to comply with voluntarily imposed self-regulation may have significant consequences, including exclusion from a program, fines, and government investigations.
