<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>data protection Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/data-protection/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/data-protection/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Wed, 18 Oct 2023 20:24:26 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>data protection Archives - Zasio</title>
	<link>https://zasio.com/tag/data-protection/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</title>
		<link>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/</link>
					<comments>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 04 Mar 2021 21:16:29 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[European Union]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[personal data]]></category>
		<category><![CDATA[privacy law]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[VCPDA]]></category>
		<category><![CDATA[Virginia law]]></category>
		<category><![CDATA[Virginia’s Privacy Law]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=570</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/" data-wpel-link="internal">Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>Virginia has just become the second U.S. state to enact a comprehensive privacy protection law. After passage by overwhelming majorities in both the Virginia Senate and House of Delegates, the Virginia Consumer Data Protection Act<a href="https://www.zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> (“VCDPA”) was signed into law by Governor Ralph Northam on March 2. While lawmakers in several other states, such as New York and Washington, have proposed their own privacy bills, those efforts have so far hit various snags and stumbling blocks while winding their way through the legislative process, which has stalled their final passage into law.</p>
<p><strong>Growing Trend of State-level Privacy Laws</strong></p>
<p>The VCDPA is now the first broad state-level privacy law enacted since California’s CCPA. However, it is just the latest in the ongoing push among states to pass their own privacy legislation, spurred by the absence of any federal privacy legislation on par with the EU’s GDPR. It remains to be seen whether the resulting patchwork of state laws can effectively substitute for a comprehensive federal privacy law. As a sign that it may not, the VCDPA’s enforcement mechanisms invite concern that the law may not be tough enough to meaningfully change company behavior.</p>
<p><strong>Numerous CCPA &amp; GDPR Similarities, Some New Features</strong></p>
<p>The VCDPA borrows many of the same key principles from California’s CCPA and the European Union’s GDPR. For example, it relies on a similarly expansive definition of personal data that includes any data or information that can be linked to an “identified or identifiable natural person” and carves out sanitized, de-identified data. It also contains a similar bill of individual rights that includes the right to:</p>
<ul>
<li>know what personal data is being processed;</li>
<li>correct or delete that data;</li>
<li>obtain a portable copy of personal data;</li>
<li>opt-out from having your personal data sold.</li>
</ul>
<p>The VCDPA is applicable to any company that does business in Virginia or serves Virginia consumers (defined as natural persons residing in Virginia and acting in a non-commercial and non-employment capacity) and processes over 100,000 consumers’ data. This figure decreases to 25,000 consumers if a company earns over 50% of its gross revenue from selling personal data. This is similar to the CCPA’s standard of 50,000 consumers or 50% of revenue from selling personal data. However, while the CCPA has a monetary trigger that brings any company with gross revenue of at least $25 million under its purview, the VCDPA has no monetary trigger, which will allow some companies earning over $25m to avoid compliance.</p>
<p>The VCDPA also requires a person’s affirmative consent (known as an “opt-in”) before a company can process sensitive data. Under the VCDPA, sensitive data is defined as data showing racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, immigration status, genetic or biometric data, data collected from minors, and precise geolocation data. In contrast to the CCPA, a person’s opt-in under the VCDPA is required regardless of whether personal data is being sold.</p>
<p>A novel feature under the VCDPA is the requirement that controllers conduct a precautionary data protection assessment of any IT systems processing personal data for targeted advertising, sale of personal data, or consumer profiling, or of systems containing sensitive personal data or data that might cause a heightened risk of harm to the consumer. These checks will add another layer of defenses to help protect against the ever-intensifying efforts of cybercriminals.</p>
<p><strong>Light-Touch Enforcement &amp; Penalties for Opt-Outs</strong></p>
<p>The VCDPA departs significantly from the CCPA’s formula for privacy regulation by not including any private right of action. Under the VCDPA, individual consumers who have been harmed by non-compliance will not be able to personally sue for civil damages. Instead, the law will be enforced exclusively by the Virginia attorney general’s office, which will have the power to levy fines of up to $7,500 per violation. But as under the CCPA, offenders can cure any violations during a 30-day period to avoid paying a fine.</p>
<p>Also, under the CCPA, lawyers can band together hundreds or thousands of CCPA-affected Californians to form class action lawsuits against an offending company, and collectively seek millions of dollars in damages. This serves as a major deterrent against non-compliance. In contrast, under the VCDPA, the class action lawsuit threat is not present. Further still, crafting a lawsuit requires a significant amount of time and expense to organize, but a curative action undertaken within thirty days can completely negate the lawsuit and make it disappear. This would tend to strongly disincentivize lawsuits and blunt the VCDPA’s enforcement heft.</p>
<p>Another key difference between the CCPA and VCDPA is that, while both laws prohibit overt discrimination against consumers who exercise their opt-out rights (a company cannot change the rates, prices, or quality of goods and services that are offered to a consumer), the VCDPA <em>explicitly</em> allows this kind of discrimination when the consumer’s choice prevents them from receiving targeted advertising or from enrolling in a voluntary loyalty program. In other words, if processing or selling a consumer’s personal data is a prerequisite to participating in a company’s loyalty rewards program or targeted marketing, an opt-out can potentially leave consumers out in the cold on special prices or promotional offers that their less privacy-conscious peers may enjoy.</p>
<p>Taken as a whole, the VCDPA reveals a markedly different and more permissive enforcement landscape for companies when compared to the CCPA. The VCDPA is set to go into effect on January 1, 2023.</p>
<p><strong>Conclusion</strong></p>
<p>Once two states have taken the plunge by enacting big-ticket privacy laws, expect that others will surely follow. Presently, more than a dozen states continue to work on their own privacy laws. As more states pass privacy laws with their own eccentricities, the growing complexity caused by an overlapping patchwork of state requirements may increase pressure on Congress to set a baseline to which all personal data processors must adhere. With single-party control of the White House and both houses of Congress, the likelihood of passing comprehensive federal privacy legislation now may be greater than ever.</p>
<p><a href="https://www.zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <a href="https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf" data-wpel-link="external" rel="external noopener noreferrer">https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf</a></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_0 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/" data-wpel-link="internal">Virginia’s New CCPA-style Privacy Law: Powerhouse or Paper Tiger?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/virginias-new-ccpa-style-privacy-law-powerhouse-or-paper-tiger/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Sanitize Everything From Your Hands to Your Personal Information</title>
		<link>https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/</link>
					<comments>https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 03 Mar 2021 21:19:19 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[anonymization]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Data Protection Act]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Pseudonymization]]></category>
		<category><![CDATA[records]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[Sanitization]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=573</guid>

					<description><![CDATA[<p>If the last year has taught us anything, it is to sanitize, sanitize, sanitize. You are probably sanitizing your hands, your house, everything you touch, but what about the personal information you process? Laws and regulations increasingly require entities to sanitize, pseudonymize or anonymize the personal information that they collect or process. Other than defining and requiring sanitization, these legal requirements often neglect to inform regulated entities what sanitization encompasses.  Pseudonymization, Anonymization, and Sanitization Defined The GDPR has introduced a multitude of data protection-related terms. Pseudonymization, anonymization, and sanitization are terms that are often used interchangeably. According to GDPR Article 4, subsection 5, pseudonymization is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information […] to ensure that the personal data are not attributed to an identified or identifiable natural person”[1]. Anonymization relates to “a data processing technique that removes or modifies personally identifiable information; it results in anonymized data that cannot be associated with any one individual.”[2] According to Google’s policies, their anonymization process “use[s] generalization to remove a portion of the data or replace some part of it with a common value.”[3] [&#8230;]</p>
<p>The post <a href="https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/" data-wpel-link="internal">Sanitize Everything From Your Hands to Your Personal Information</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>If the last year has taught us anything, it is to sanitize, sanitize, sanitize. You are probably sanitizing your hands, your house, everything you touch, but what about the personal information you process?</p>
<p>Laws and regulations increasingly require entities to sanitize, pseudonymize or anonymize the personal information that they collect or process. Other than defining and requiring sanitization, these legal requirements often neglect to inform regulated entities what sanitization encompasses.</p>
<p><strong>Pseudonymization, Anonymization, and Sanitization Defined</strong></p>
<p>The GDPR has introduced a multitude of data protection-related terms. Pseudonymization, anonymization, and sanitization are terms that are often used interchangeably.</p>
<p>According to GDPR Article 4, subsection 5, <strong>pseudonymization</strong> is “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information […] to ensure that the personal data are not attributed to an identified or identifiable natural person”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a>.</p>
<p><strong>Anonymization</strong> relates to “a data processing technique that removes or modifies personally identifiable information; it results in anonymized data that cannot be associated with any one individual.”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> According to Google’s policies, their anonymization process “use[s] generalization to remove a portion of the data or replace some part of it with a common value.”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a></p>
<p>Similarly, <strong>sanitization</strong> relates to “the process of removing sensitive information from a document or other message (or sometimes encrypting it), so that the document may be distributed to a broader audience”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a>. This process irreversibly removes or destroys personal information from a record, database, or memory device.</p>
<p>Each of the above definitions highlights that these processes make personal information unrecognizable. Once the initial purpose for processing is no longer necessary, organizations may continue to need other non-identifying information for other important purposes, such as internal metrics, continuing research, or transfer to other parties. These processes allow organizations to have access to this non-identifying information while minimizing the risk of breaching personal information.</p>
<p><strong>What Must be Sanitized?</strong></p>
<p>Most regulatory requirements relating to sanitization refer to specific regulated parties and specific types of information, typically within the realm of finance, medicine, or employment. As researchers continue to learn about the epidemiology of COVID-19, the next few years may also see an increase in personal information sanitization laws on the collection and transfer of health information. For example, California requires employers to keep a record of all COVID-19 cases. This requirement includes the caveat that personally identifying information must be removed when medical information is made available to others.<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a></p>
<p>In contrast, few laws relate to general data processors or categories of data processing. One such example is the Australian state of Victoria’s Privacy and Data Protection Act, which requires organizations to “take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.”<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a></p>
<p>While current laws and regulations specify what information needs to be sanitized and who needs to sanitize it, organizations are left to determine where this information may be located. Some examples of where personal information requiring sanitization could be lurking are email, which may most easily be sanitized through encryption<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a>; personally-owned devices; old systems or databases; or information being transferred to third parties.</p>
<p><strong>Sanitization Policies</strong></p>
<p>Creating and implementing a sanitization policy can be a good first step to mitigating your risk of a personal information breach. Sanitization policies identify persons or departments responsible for sanitization, as well as areas where personal information may be located. Sanitization policies also describe how and when to remove or modify personal information. An organization’s failure to create such policies may result in significant fines. For example, some of the first GDPR-related fines were for organizations retaining non-sanitized passwords which were later breached.<a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftn8" name="_ftnref8" data-wpel-link="internal">[8]</a></p>
<p><strong>Conclusion</strong></p>
<p>The next time you reach for your hand sanitizer, consider how your business could benefit from a sanitization policy for personal information as well. To learn more about regulatory requirements regarding personal information, <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">contact Zasio</a> today!</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&amp;qid=1614112590207" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">European Union Regulation 2016/679</a>, “GDPR”.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Google, Technologies, <a href="https://policies.google.com/technologies/anonymization?hl=en-US" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">HOW GOOGLE ANONYMIZES DATA</a>.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref3" target="_blank" rel="noopener" name="_ftn3" data-wpel-link="internal">[3]</a> Id.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> Wikipedia, <a href="https://en.wikipedia.org/wiki/Sanitization_(classified_information)#:~:text=Sanitization%20is%20the%20process%20of,distributed%20to%20a%20broader%20audience.&amp;text=It%20is%20intended%20to%20allow,parts%20of%20the%20document%20secret." target="_blank" rel="noopener external noreferrer" data-wpel-link="external">Sanitization (classified information)</a>.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> <a href="https://govt.westlaw.com/calregs/Document/I7901A7BCA8BB43DA8C6E8D6524804753?viewType=FullText&amp;originationContext=documenttoc&amp;transitionType=CategoryPageItem&amp;contextData=(sc.Default)" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">8 California Code of Regulations 3205</a>.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> <a href="https://content.legislation.vic.gov.au/sites/default/files/2020-08/14-60aa026%20authorised.pdf" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">Privacy and Data Protection Act 2014</a>, Schedule 1, Principle 4.2.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> GDPR.EU, “<a href="https://gdpr.eu/email-encryption/?cn-reloaded=1" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">How does the GDPR affect email?</a>”.</p>
<p><a href="https://www.zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/#_ftnref8" name="_ftn8" data-wpel-link="internal">[8]</a> Security Boulevard, “<a href="https://securityboulevard.com/2020/05/4-gdpr-violations-that-multiple-companies-have-been-fined-for/" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">4 GDPR Violations that Multiple Companies have been Fined for</a>”.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/" data-wpel-link="internal">Sanitize Everything From Your Hands to Your Personal Information</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/sanitize-everything-from-your-hands-to-your-personal-information/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Personal Data Transfers Post-Privacy Shield</title>
		<link>https://zasio.com/personal-data-transfers-post-privacy-shield/</link>
					<comments>https://zasio.com/personal-data-transfers-post-privacy-shield/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 13 Aug 2020 20:34:01 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[European Court of Justice]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[US-EU Privacy Shield Agreement]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=693</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/personal-data-transfers-post-privacy-shield/" data-wpel-link="internal">Personal Data Transfers Post-Privacy Shield</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>The European Court of Justice’s recent move to strike down the US-EU Privacy Shield agreement has upended the bilateral personal data transfer framework and pulled the rug out from under numerous American businesses that work with European customers’ personal data. But although the agreement was invalidated, there remain several steps to take and options to pursue that can help US businesses maintain their operations.</p>
<p>The 2016 bilateral US-EU Privacy Shield agreement allowed US companies to agree that they would adhere to the privacy and personal data rules and standards of the EU, thereby providing an equivalent level of protection to EU citizens and facilitating personal data transfers between the two. However, the European Court of Justice has now rejected that principle. In its decision(1), the court explained that the Privacy Shield agreement failed to provide adequate protection because it could not stop US intelligence services from accessing the personal data even for companies who were Privacy Shield compliant. Furthermore, it was quite difficult for an EU citizen to file a complaint about a potential violation.</p>
<p>Although the decision did strike down the legal validity of the Privacy Shield agreement, one key observation is that the decision notably did not eliminate privacy standard contractual clauses (SCCs). These are cookie-cutter contractual clauses drafted and pre-approved by European regulators for use in privacy-related service agreements with customers. The court allowed SCCs to remain a valid tool in principle because courts have the authority to potentially strike them down and invalidate them on a case-by-case basis if they determine that they are problematic. With the elimination of the Privacy Shield, SCCs will likely be the primary legal tool that US companies rely upon to achieve compliance with EU GDPR and the transfer of EU citizens’ data overseas, and this is an option many companies will want to pursue.</p>
<div>
<p>Binding corporate rules (BCRs) are another arrow in the quiver that remains legally viable. While SCCs provide coverage for transfers to third parties, BCRs provide a legal framework for organizations to transfer data internally among affiliate organizations. BCRs are tailored to the operations of each company, which must apply to have each BCR approved by a local supervisory DPA. Although the process is usually expensive and can take considerable time to achieve approval, the advantage of BCRs is that once in place they can cover a wide variety of transfer activities, whereas separate SCCs are needed for each individual data transfer. New BCR applications will likely need to address in detail how US affiliates will maintain privacy in the context of government surveillance activities. Companies that have the necessary time and resources may find pursuing a BCR to be a comprehensive alternative for achieving data transfer adequacy.</p>
<p>Furthermore, even though the legal effect of the privacy shield agreement in the EU has passed, the Privacy Shield hasn’t completely bitten the dust. The Privacy Shield List of self-certifying companies remains intact, and the companies who have self-certified compliance with its standards should not presume to immediately halt compliance with it. Even without the force of law, following the Privacy Shield standards on a voluntary basis does demonstrate a level of commitment to privacy that would in any case be appreciated by customers and business partners. In addition, businesses who have made commitments that they will abide by Privacy Shield may remain legally bound to continue implementing the standards despite the EU invalidation. US companies are probably well-served by continuing to adhere to the Privacy Shield standards as a matter of good business practice.</p>
<p>Finally, companies can take comfort in the fact that any personal data transfers that are necessary to fulfill a contract with the customer continue to be permissible. If an essential component of the product or service you’re offering to an EU person requires the sending or receiving of their personal data, this remains allowed post-Privacy Shield. The court’s decision does not destroy the ability of companies to continue providing core services and fulfilling their obligations to their EU customers just because the Privacy Shield is no longer valid, so companies probably will not need to worry that their core lines of business could be eliminated by this ruling.</p>
<p>While each of these facts does serve to blunt the impact of the court’s decision, US companies are still likely to face ongoing challenges when dealing with EU citizens’ personal data for the foreseeable future. This situation will persist unless and until an updated agreement can be reached between the EU and US which fully accounts for and remediates the deficiencies that the court identified within the old Privacy Shield agreement.</p>
<p>(1) <a href="https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf</a></p>
<div><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
</div></div>
			</div>
			</div>
			</div><div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_1 clearfix  et_pb_bg_layout_light">
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
				</div>
			</div>
			</div>
			</div>
			</div>
<p>The post <a href="https://zasio.com/personal-data-transfers-post-privacy-shield/" data-wpel-link="internal">Personal Data Transfers Post-Privacy Shield</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/personal-data-transfers-post-privacy-shield/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Artificial Intelligence: The Final Frontier in Records and Information Management</title>
		<link>https://zasio.com/artificial-intelligence-the-final-frontier/</link>
					<comments>https://zasio.com/artificial-intelligence-the-final-frontier/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 05 Aug 2020 21:38:11 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[artificial intelligence]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data protection practices]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[Whitney Nelson]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=696</guid>

					<description><![CDATA[<p>According to the European Commission’s Artificial Intelligence for Europe, “Artificial intelligence (AI) is already part of our lives – it is not science fiction.” From smart speakers to customer service, AI has found its way into our homes and businesses. One area of business where AI use is emerging is records and information management [RIM]. As opportunities to use AI in RIM increase, what privacy implications, what unnecessary classification or retention, and what laws or regulations can information governance and privacy professionals expect to find in the future? As the amounts of data increase, so does the headache in trying to manage such data. AI systems and software can assist RIM professionals to capture and classify their records and information through the use of auto-classification tools. These tools implement AI through defined, encoded rules based on keywords or phrases to classify and sort the input information. Self-learning or machine learning technologies, AI systems that enable computers to learn from their environment without being explicitly programmed, can increase the efficiency and accuracy of auto-classification of information. While these tools do speed up the classification and sorting processes, they are not foolproof. Some oversight is needed to make sure that the AI systems [&#8230;]</p>
<p>The post <a href="https://zasio.com/artificial-intelligence-the-final-frontier/" data-wpel-link="internal">Artificial Intelligence: The Final Frontier in Records and Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
					<content:encoded><![CDATA[<p>According to the <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A52018DC0237&amp;from=EN" data-wpel-link="external" rel="external noopener noreferrer">European Commission’s Artificial Intelligence for Europe</a>, “Artificial intelligence (AI) is already part of our lives – it is not science fiction.” From smart speakers to customer service, AI has found its way into our homes and businesses. One area of business where AI use is emerging is records and information management (RIM). As opportunities to use AI in RIM increase, what privacy implications, what risks of unnecessary classification or retention, and what laws or regulations can information governance and privacy professionals expect to encounter?</p>
<p>As the amount of data grows, so does the headache of managing it. AI systems and software can help RIM professionals capture and classify their records and information through auto-classification tools. The simplest of these tools implement “AI” as defined, encoded rules based on keywords or phrases that classify and sort the incoming information. Self-learning or machine learning technologies, AI systems that learn patterns from data rather than from explicitly programmed rules, can increase the efficiency and accuracy of auto-classification.</p>
<p>While these tools do speed up classification and sorting, they are not foolproof. Oversight is needed to make sure the AI system is correctly classifying information as records or non-records, and mislabeling cuts both ways: a record tagged as a non-record may be destroyed before its retention period ends, while a non-record, or a record filed under a longer schedule than it belongs to, results in over-retention, creating discovery and breach exposure. Because AI software can require integration of multiple systems or third-party vendors, data security risks can also increase.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> If RIM professionals use AI software to classify their information, they will need to implement policies and procedures for this oversight, and review those procedures regularly, just as they would their records retention schedules and data protection practices.</p>
<p>As this area of business and way of life grows, so too does the need for governance. Currently, there is no AI-specific legislation covering information governance or data protection. The EU’s General Data Protection Regulation “applies to the processing of personal data wholly or partly by automated means”<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a>; however, its AI-specific provisions are limited to automated processing and automated decision-making: data controllers must inform the data subject, and the data subject has the right to object to processing, including decisions based solely on automated processing.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> Similarly, Illinois’ Artificial Intelligence Video Interview Act only requires employers that use AI analysis in job interviews to disclose that use to applicants and obtain their consent.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a> Both the EU and the US have recognized the need to grow their AI communities and workforces, but neither has yet enacted legislation specific to AI usage in information management.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn5" name="_ftnref5" data-wpel-link="internal">[5]</a></p>
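<p>As an added illustration of the oversight described above (example code written for this edit, not Zasio’s software or any vendor’s classification engine): a small rule-based auto-classifier that applies keyword rules, routes anything it cannot decide confidently to a human-review queue, samples confident results for spot checks, and computes how far a mislabel shifts a record’s disposition date. The categories, rules, retention periods and sample documents are constructed assumptions, not taken from any real retention schedule.</p>

```python
"""Rule-based auto-classification with a human-review queue.

Added example for this post; it is not Zasio's software or any vendor's
product. The categories, keyword rules, retention periods and sample
documents below are all constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed retention schedule: category -> years to keep after creation.
# None marks a non-record, which has no scheduled disposition date.
RETENTION_YEARS = {"contract": 7, "invoice": 5, "hr-file": 10, "non-record": None}

# Constructed keyword/phrase rules, the "defined, encoded rules" the post
# describes. Each category lists regexes tested against lowercased text.
RULES = {
    "contract": [r"\bagreement\b", r"\bterms and conditions\b", r"\bhereby\b"],
    "invoice":  [r"\binvoice\b", r"\bamount due\b", r"\bremit\b"],
    "hr-file":  [r"\bemployee id\b", r"\bperformance review\b", r"\bsalary\b"],
}
MIN_CONFIDENT_HITS = 2  # fewer matching rules than this -> send to a human

# Constructed sample input used by the demo at the bottom.
SAMPLE_CREATED = date(2020, 8, 5)
SAMPLE_DOCS = [
    ("d1", "Please find attached the invoice. Amount due: 400 EUR. Remit to account 12."),
    ("d2", "Team lunch photos from Friday"),
    ("d3", "This Agreement is hereby made regarding the salary of Employee ID 7."),
    ("d4", "Invoice 1182 attached, remit within 30 days."),
]


@dataclass
class Classification:
    category: str
    hits: dict = field(default_factory=dict)  # category -> number of rules matched
    needs_review: bool = False
    reason: str = ""


def classify(text: str) -> Classification:
    """Apply the rules and decide whether a human must confirm the result."""
    low = text.lower()
    hits = {}
    for cat, patterns in RULES.items():
        n = sum(1 for p in patterns if re.search(p, low))
        if n:
            hits[cat] = n
    if not hits:
        # Nothing matched. Silently defaulting to non-record is how records
        # get destroyed early, so the human queue gets it instead.
        return Classification("non-record", hits, True, "no rule matched")
    best = max(hits.values())
    top = [c for c, n in hits.items() if n == best]
    if len(top) > 1:
        return Classification(top[0], hits, True, "tie between " + ", ".join(sorted(top)))
    if best < MIN_CONFIDENT_HITS:
        return Classification(top[0], hits, True, "only one rule matched")
    return Classification(top[0], hits)


def disposition_date(category: str, created: date):
    """Date the record becomes eligible for destruction, or None for non-records."""
    years = RETENTION_YEARS[category]
    if years is None:
        return None
    try:
        return created.replace(year=created.year + years)
    except ValueError:  # created on 29 February
        return created.replace(year=created.year + years, day=28)


def retention_gap_days(assigned: str, correct: str, created: date) -> int:
    """Days a mislabeled record is kept longer (positive) or shorter (negative)
    than its correct category allows. A swap involving a non-record has no
    date to compare, so it is reported as 0 and must be reviewed by hand."""
    a, c = disposition_date(assigned, created), disposition_date(correct, created)
    if a is None or c is None:
        return 0
    return (a - c).days


def triage(documents, spot_check_every: int = 3):
    """Split documents into auto-classified and human-review lists. Every Nth
    confident result is also sampled into the review list so the rules
    themselves get checked, not only the cases they could not decide."""
    auto, review = [], []
    confident_seen = 0
    for doc_id, text in documents:
        result = classify(text)
        if result.needs_review:
            review.append((doc_id, result))
            continue
        confident_seen += 1
        auto.append((doc_id, result))
        if confident_seen % spot_check_every == 0:
            review.append((doc_id, result))
    return auto, review


if __name__ == "__main__":
    auto, review = triage(SAMPLE_DOCS)
    for doc_id, r in auto:
        print(doc_id, "->", r.category, "dispose on", disposition_date(r.category, SAMPLE_CREATED))
    for doc_id, r in review:
        print(doc_id, "-> human review:", r.reason or "spot check", r.hits)
    # A mislabel is not harmless: an invoice filed as an HR record stays five years too long.
    print("over-retention days:", retention_gap_days("hr-file", "invoice", SAMPLE_CREATED))
```

<p>Run directly, the script triages the four constructed documents: two land in the review queue (one because no rule matched, one because the contract and HR rules tie), and the final line shows that filing a five-year invoice under a ten-year HR schedule keeps it 1826 days past its disposition date. The spot-check sampling in <code>triage</code> is the part that catches rules that are confidently wrong, which a queue of only undecided cases never would.</p>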
<p>Governments and data protection authorities are beginning to see the need for more concrete guidance in the area of AI. The United Kingdom’s Information Commissioner’s Office recently published <a href="https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/guidance-on-ai-and-data-protection-0-0.pdf" data-wpel-link="external" rel="external noopener noreferrer">Guidance on AI and Data Protection</a> which provides more comprehensive guidelines for companies using AI to implement good practices in the area of data protection. Specifically, the ICO Guidance addresses the “need to align your internal structures, roles, and responsibilities maps, training requirements, policies and incentives to your overall AI governance and risk management strategy.”<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn6" name="_ftnref6" data-wpel-link="internal">[6]</a> The ICO Guidance also recommends human oversight. “[H]uman reviewers must be involved in checking the system’s recommendation and should not just apply the automated recommendation to an individual in a routine fashion”.<a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftn7" name="_ftnref7" data-wpel-link="internal">[7]</a> These recommendations may prompt businesses to implement their own AI policies and procedures before such requirements become more concrete.</p>
<p>As AI becomes a common facet of doing business, will AI be the new undiscovered frontier that RIM professionals need to consider when creating and implementing records retention schedules? Those are the voyages of RIM professionals. Their mission: to explore new ethical issues surrounding AI, to seek out new aspects of RIM practices, and to boldly manage information where no one else can.</p>
<p><a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today for information on how AI systems can affect your RIM and data protection practices.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Information Commissioner’s Office, Guidance on AI and Data Protection, How should we assess security and data minimization in AI? What’s different about security in AI compared to ‘traditional’ technologies?.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Regulation (EU) 2016/679 (General Data Protection Regulation), Art. 2(1).</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Id. at Arts. 13 to 15 and 21.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> 820 ILCS 42/15.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref5" name="_ftn5" data-wpel-link="internal">[5]</a> European Commission Artificial Intelligence for Europe; Ex. Ord. No. 13845. Establishing the President’s National Council for the American Worker.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref6" name="_ftn6" data-wpel-link="internal">[6]</a> Information Commissioner’s Office, Guidance on AI and Data Protection, What are the accountability and governance implications of AI?, How should we approach AI governance and risk management?.</p>
<p><a href="https://www.zasio.com/artificial-intelligence-the-final-frontier/#_ftnref7" name="_ftn7" data-wpel-link="internal">[7]</a> Id. How do we ensure individual rights in our AI systems?, What is the role of human oversight?</p>
<div><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
<p>The post <a href="https://zasio.com/artificial-intelligence-the-final-frontier/" data-wpel-link="internal">Artificial Intelligence: The Final Frontier in Records and Information Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/artificial-intelligence-the-final-frontier/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Data Protection Legislative Updates</title>
		<link>https://zasio.com/data-protection-legislative-updates/</link>
					<comments>https://zasio.com/data-protection-legislative-updates/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 05 Aug 2020 20:40:40 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Jared Walker]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Dubai International Financial Centre (DIFC)]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[General Data Protection Law (LGPD)]]></category>
		<category><![CDATA[Jared Walker]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[Personal Data Protection Act (PDPA)]]></category>
		<category><![CDATA[Personal Data Protection Law (PDPL)]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=700</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/data-protection-legislative-updates/" data-wpel-link="internal">Data Protection Legislative Updates</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
					<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p>Since the GDPR took effect in 2018, we have seen an ongoing worldwide ripple effect, as other jurisdictions have begun passing their own data protection laws that mirror, or in many respects align with, GDPR requirements. Here are a few such new or upcoming laws worth noting:</p>
<p><strong>Brazil – General Data Protection Law (LGPD) (Law No. 13,709/2018)</strong> – Approved in August 2018, the law was originally scheduled to take effect on August 15, 2020. However, due to COVID-19 concerns, most of the law is now expected to take effect in May 2021, with enforcement of administrative sanctions beginning August 1, 2021. Similar in many respects to the GDPR, the LGPD is Brazil’s first comprehensive data protection law, clarifying and consolidating data protection requirements previously spread across a variety of Brazilian laws and regulations. Its stated purpose is to safeguard “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”</p>
<p>This law sets forth the rights of data subjects and covers many of the same issues covered in the GDPR, including setting up an enforcement authority and penalties for those who don’t comply.</p>
<p>The LGPD broadly applies to natural persons as well as legal entities (including any public or private business or organization) that process personal data of people in Brazil, even if the processing entity is based outside of Brazil.</p>
<p>Link to the law (English version):  <a href="https://www.lgpdbrasil.com.br/wp-content/uploads/2019/06/LGPD-english-version.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://www.lgpdbrasil.com.br/wp-content/uploads/2019/06/LGPD-english-version.pdf</a></p>
<p><strong>Dubai International Financial Centre (DIFC) – Data Protection Law No. 5 of 2020:</strong>  In force since July 1, 2020, this law replaces DIFC Law No. 1 of 2007. Due to COVID-19 considerations, it grants a three-month grace period, so companies must be in compliance by October 1, 2020. The law (and its accompanying regulations) is intended to keep the DIFC, a major financial hub for the Middle East, Africa and South Asia, up to date with data protection best practices, and it incorporates provisions modeled on both the GDPR and the CCPA (California Consumer Privacy Act) to achieve that objective. The new law also positions the DIFC to receive “adequacy” recognition from the UK and the European Commission, which would ease compliance requirements for personal data transferred into the DIFC.</p>
<p>Among other things, the law strengthens the accountability of data controllers and processors, clarifies and enhances the rights of individuals, removes the former permit requirements for cross-border data transfers and special category personal data processing, allows data sharing between government authorities, and introduces new penalties and fines.</p>
<p>The law applies to companies both incorporated in the DIFC, and those incorporated elsewhere who process personal data in the DIFC as a part of “stable arrangements.”</p>
<p>Link to the enacted law:  <a href="https://www.difc.ae/files/6115/9358/6486/Data_Protection_Law_DIFC_Law_No.5_of_2020.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://www.difc.ae/files/6115/9358/6486/Data_Protection_Law_DIFC_Law_No.5_of_2020.pdf</a></p>
<p><strong>Egypt – Personal Data Protection Law (“PDPL”): </strong>Passed on July 13, 2020, this law comes into effect on October 14, 2020, with its Executive Regulations expected to follow in April 2021. Largely modeled on the GDPR, the PDPL aims to “keep pace with the current international standard for the protection of personal data,” as stated in its preamble. It specifically protects personal data of individuals that is processed online or electronically. The law is a major development in Egypt’s data protection framework: before its passage, Egypt had no specific legislation regulating the protection of personal data.</p>
<p>Taking cues from the GDPR, the PDPL law introduces a number of compliance requirements and penalty provisions for data processors and controllers, with respect to any personal data or “sensitive” data processed. It prohibits processing personal data except with the consent of the data subject or where otherwise permitted by law. It sets forth various rights of data subjects. It also appoints a data protection authority and implements significant sanctions for non-compliance.</p>
<p>The PDPL applies to Egyptian citizens and non-Egyptian citizens who reside in Egypt.</p>
<p>Link to the law (in Arabic):  <a href="https://www.cc.gov.eg/i/l/404171.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://www.cc.gov.eg/i/l/404171.pdf</a></p>
<p><strong>Thailand – Personal Data Protection Act (PDPA) B.E. 2562:</strong> This law was passed on May 28, 2019, but compliance has been deferred for certain data controllers (enumerated in the Royal Decree on Agencies and Businesses Not Subject to the PDPA B.E. 2563) until May 31, 2021, giving those organizations another year to come into compliance. The law aims to protect data owners (similar to “data subjects” in the GDPR) in Thailand and applies to data controllers and processors located both inside and outside Thailand that process personal data of individuals in Thailand.</p>
<p>Most provisions of the PDPA resemble GDPR requirements. They include lawful bases for processing personal data, rights of data owners, obligations of data controllers, restrictions on cross-border data transfer, breach notification requirements, and penalties for non-compliance. The PDPA also establishes a Personal Data Protection Committee (PDPC) to enforce the Act and issue guidance under it.</p>
<p>Link to the law:  <a href="https://www.etda.or.th/app/webroot/content_files/13/files/The%20Personal%20Data%20Protection%20Act.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://www.etda.or.th/app/webroot/content_files/13/files/The%20Personal%20Data%20Protection%20Act.pdf</a></p>
<p><a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today to see how our host of software solutions and consulting services can help you stay compliant with your data retention policies and practices.</p>
<div><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div></div>
			</div>
			</div>
			</div><div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_2 clearfix  et_pb_bg_layout_light">
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Jared-Walker-01-96x96-1.png" alt="Author: Jared Walker, JD" class="wp-image-2021" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Jared Walker, JD</h4>
					<p class="et_pb_member_position">Senior Research Analyst, Team Lead / Licensed Attorney</p>
				</div>
			</div>
			</div>
			</div>
			</div>
<p>The post <a href="https://zasio.com/data-protection-legislative-updates/" data-wpel-link="internal">Data Protection Legislative Updates</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/data-protection-legislative-updates/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
