Cyber-security & Privacy

BUSL315 Cyber-security & Privacy: Week 9
Privacy Regulation Outside of Australia (A brief sampling)

Overview
- European Union's General Data Protection Regulation
- California's Consumer Privacy Act
- India: Aadhaar & High Court Recognition of a Constitutional Right to Privacy

GDPR: Transfers of EU Data to Third Countries
Data can only be transferred outside the EEA if it is transferred:
- to an adequate jurisdiction (Australia has not been judged to be "adequate");
- into the US via the Privacy Shield (at risk due to Schrems II);
- via another appropriate safeguard (e.g. Binding Corporate Rules, Model Clauses); or
- pursuant to a derogation (e.g. litigation; explicit consent).

GDPR: Sensitive Personal Data
Now known as Special Category Personal Data:
- Racial / ethnic origin
- Political opinions
- Religious / philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Health
- Sex life / sexual orientation
Criminal offences / convictions are not now included but are separated out, with similar extra safeguards put in place at Article 10.

GDPR: Data Controllers and Data Processors
- The controller says how and why personal data is processed
- The processor acts on the controller's behalf
Processing includes: collecting, storing, using, deleting and sharing.

GDPR: Data Collection
Data shall be:
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
- accurate and, where necessary, kept up to date (accuracy)
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)

GDPR: Processing Data
Data shall be processed lawfully, fairly and transparently.
- Lawful: must not be in breach of other laws (e.g. HRA, PECR, common law duty of confidentiality) and must be lawful in accordance with Articles 6 and 9 (lawfulness of processing)
- Fair and transparent: data subjects are made aware (privacy notices etc.); the processing must 'feel' fair
Data shall be processed with appropriate security, including protection against:
- unauthorised or unlawful processing
- accidental loss, destruction or damage (integrity and confidentiality)

GDPR: Data Controllers are accountable
Data Controllers must:
- implement appropriate technical and organisational measures to ensure and demonstrate compliance (e.g. training, policies, audits etc.)
- maintain relevant documentation (controller info, purposes of processing, categories of data subjects / personal data, recipients of data, transfers to third countries, retention schedules, and security)
- implement data protection by design (e.g. minimisation, pseudonymisation, transparency, security)
- use Data Protection Impact Assessments / risk assessments
- appoint a Data Protection Officer

GDPR: What is Consent?
"Consent" means: "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed"
- Different types of uses require separate consent. Bundling multiple requests for consent may not be permitted.
- Implied consent, or requiring consumers to "opt out", is insufficient.
- Silence, pre-ticked boxes or inactivity are not consent.
- Data subjects must have the right to refuse or withdraw consent at any time.
- It must be as easy to withdraw consent as to give it.

GDPR: Consent vs Legitimate Interests
- Organisations might be able to rely on legitimate interests for print communications only, and for holding the data in the first place
- Consent is necessary for marketing by email or text
- A mixture of legitimate interests and consent applies to marketing calls

GDPR: Applicable to Australian organisations?
The GDPR extends to controllers and processors not established in the EU if they process data which relates to data subjects in the EU. Australian organisations need to comply with the GDPR if they:
- are established within the EU;
- offer goods or services to individuals in the EU; or
- monitor the behaviour of individuals in the EU (e.g. by tracking or profiling those individuals).

GDPR: How does it extend beyond Australian privacy law?
- Right to erasure of data ("right to be forgotten")
- Right to object to processing (including automated decision-making, direct marketing / profiling)
- Right to data portability
- Privacy by Design and by Default
- Fines up to 20 million euro, or 4 percent of annual worldwide turnover (whichever is higher)

GDPR: Responding to Data Breaches
- A personal data breach is a breach of security leading to the destruction, alteration, unauthorised disclosure of, or access to, personal data
- If the Data Processor is breached, it must notify the Data Controller
- When a breach occurs, the Data Controller must:
  - notify an EU national data regulator (e.g. UK ICO) where the breach is likely to result in a risk to the rights and freedoms of individuals (within 72 hours of becoming aware of the breach)
  - notify individuals where the breach is likely to result in a high risk to the rights and freedoms of individuals

GDPR: Collective (~Class) Actions
- Brussels subway advertisements: 30 936 people have joined a "collective action" against Facebook, each seeking EUR 200+ in compensation
- Article 80 permits representative actions for privacy breaches
- A US investor class action has already been lodged against Nielsen for failure to make a timely disclosure of its GDPR non-compliance

Californian Consumer Privacy Act of 2018
- Effective: comes into force on 1 January 2020
- Grants rights to: all natural persons resident in California, except those visiting for temporary or transitory purposes. Residents domiciled in California who are temporarily or transiting outside the State also have rights.
- What it covers: a broad definition of PI, i.e. any information that relates to a particular consumer or household
- Exclusions: publicly available information; commercial conduct that takes place wholly outside California
- Thresholds (includes parents & subsidiaries):
  - $25M turnover (California or worldwide?); or
  - PI on 50 000+ Californian residents; or
  - 50%+ of annual revenue from selling PI of Californian residents
- Challenge: can you prove your company is not "doing business in California"?
- Penalties: up to $7500 per intentional violation, and up to $750 per resident / actual damages in class actions

Amendments to the CCPA in 2019
The tech lobby (and others) have been trying to water down the CCPA's privacy protections; see Assembly Bill 1355 (subject to the Governor's veto powers).
- Assembly Bill 25: a bill to exclude job applicants', employees', contractors' or agents' personal information from being protected. Status: a compromise of partial exclusion PASSED, but with a 2021 sunset clause, so this will be re-visited
- Assembly Bill 1416: a bill to ensure the CCPA doesn't restrict a business' ability to comply with a civil, criminal or regulatory inquiry AND expands protections for businesses to avoid complying with consumers' rights. Status: PASSED. PI collected in the context of B2B transactions is exempted
- Assembly Bill 1202: a bill requiring data brokers to register with the state's Attorney-General, pay a registration fee and honour consumer requests to opt out of the sale of their PI. Status: PASSED
- Other bills seeking to increase consumer protections (such as adding a private right of action and setting 45-day breach disclosure requirements) have been blocked in the Senate
- The tech lobby's end-game: lobby the federal Congress for a weak federal privacy law (which could over-rule any additional protections granted to consumers under the Californian CCPA)

Is GDPR Compliance Sufficient for this Californian Law?
In short, NO. Additional Californian law obligations:
- Prescribed disclosures and communication channels (incl. toll-free numbers)
- Broader definition of PI
- Direct deletion rights
- Broader access rights (e.g. disclosures that would implicate the privacy interests of third parties)
- More rigid restrictions on data sharing for commercial purposes
- Companies may offer financial incentives for the collection or sale of PI, but only with prior OPT-IN consent which is revocable at any time
- Mandated OPT-IN before sale of PI for a person

