Privacy Program Framework - Section II.B. - Implementing a Privacy Program Framework Flashcards
The notion that individuals should not be surprised by having their information processed in a particular way prohibited by local law is sometimes referred to as what?
Surprise Minimization Rule
What type of international transfer mechanism is best described as a form of co-regulation?
Transfers made pursuant to codes of conduct of third-party certification authorities.
What did the European Court of Justice hold in the case Schrems v. Data Protection Comm’r?
The Safe Harbor program that most companies utilized to transfer data between the U.S. and E.U. was not compliant with the GDPR.
A determination that the information being transferred will be subject to an equivalent or greater level of protection in the transferee country is referred to as what?
Adequacy Decision
What are the two most prominent examples of self-regulatory authorities in the marketing industry?
(1) The Digital Advertising Alliance; and
(2) The Network Advertising Initiative.
Who is responsible for enforcing the self-regulatory principles developed by the Digital Advertising Alliance?
Both the Council of Better Business Bureaus and the Data & Marketing Association.
What is the primary reason that organizations attempt to funnel privacy-related media inquiries through a single point of contact?
To maintain a consistent message regarding an organization’s privacy practices.
What is the California Privacy Protection Agency (CPPA)?
The CPPA is an administrative agency created by the California Privacy Rights Act (CPRA), responsible for administering and enforcing the California Consumer Privacy Act (CCPA).
What made the California Consumer Privacy Act unique when compared with state and federal laws throughout the United States?
It was the first attempt in the United States to regulate information privacy with a comprehensive approach that applies to all market segments.
What types of conduct can result in a higher-level violation of the GDPR?
Higher level violations include violations of data subject rights and non-compliant cross-border transfers.
What are the ways in which information about an E.U. resident may be transferred outside of the E.U.?
(1) Adequacy decisions;
(2) Binding corporate rules;
(3) Standard contract clauses;
(4) Ad hoc contract clauses;
(5) Codes of conduct; and
(6) Derogations (or exceptions).
What countries has the E.U. determined have adequate data protection laws?
Andorra,
Argentina,
Canada,
Faroe Islands,
Guernsey,
Israel,
Ilse of Man,
Japan,
Jersey,
New Zealand,
Switzerland,
South Korea,
Uruguay, and the
United Kingdom.
In what situation(s) does the GDPR apply to data controllers and processors that operate within the E.U.?
The GDPR applies to all processing activities of data controllers and processors operating in the E.U. regardless of whether the processing occurs in the E.U.
What law requires organizations to include a “Do Not Sell My Personal Information” button on its website?
California Consumer Privacy Act (CCPA)
A well thought out and comprehensive privacy framework will be rendered useless if what happens?
There is a failure to effectively communicate that policy to internal and external stakeholders.
Can a data protection authority permanently ban a data controller from engaging in processing activities under the GDPR?
No. Although Article 58 grants data protection regulators the authority to temporarily ban processing activities, there is no authority to permanently ban processing activities.
What does the AdChoices program aim to achieve?
Providing consumers the ability to opt-out of online and internet-based advertisements.
True or False: As long as a company’s privacy notice is accurate, it does not have to worry about the FTC initiating a “deceptive” trade practice enforcement action.
False. A complaint about “deceptive” trade practices can result from any misstatement about a company’s privacy practices, including statements made in an organization’s binding corporate rules or other similar representations.
True or False: Data protection authorities are the first-line enforcement authority for organizations transferring data internationally pursuant to a code of conduct of a third-party certification authority.
False. Compliance monitoring is primarily carried out by the certifying authority, though a data protection authority retains the authority to bring an enforcement action.
True or False: The GDPR applies only to organizations that operate in the European Economic Area.
False. The GDPR has an extra-territorial reach.
What international transfer mechanisms under the GDPR need pre-approval by a supervisory agency?
Binding corporate rules and ad hoc contract clauses.
Data that is transferred internationally with the express consent of the data subject is transferred pursuant to what type of mechanism?
A derogation listed under Article 49 of the GDPR.
True or False: Binding corporate rules must be certified by a privacy supervisory agency within the E.U. before personal data can be transferred pursuant to those rules.
True
What are some examples in which an organization may have to communicate its privacy practices to data protection authorities?
To obtain approval for certain data practices (e.g., cross-border transfers), in response to an investigation or demand, and as part of breach notification requirements.