Beyond EU Archives - TechGDPR https://techgdpr.com/blog/category/beyond-eu/

Does the GDPR apply to my US company? https://techgdpr.com/blog/does-the-gdpr-apply-to-my-us-company/ Tue, 10 Feb 2026 09:35:09 +0000

Introduction

The usual assumption of most US businesses is, “the GDPR is an EU regulation, hence it does not impact my organisation.” This assumption most often results in unnecessary risk. The US equivalent of this misconception would be a company registered in Texas assuming that its services don’t fall under the scope of the CCPA.

The GDPR has extraterritorial effect: it applies to, and in practice frequently does affect, organisations established outside the European Union.

Note that since Brexit, the UK has retained the GDPR’s provisions and adapted them to its own body of law. This is known as the UK GDPR, and it adds a small additional layer of complexity for transfers of data out of the UK. For simplicity, the term GDPR in this article also covers the UK GDPR.

What is the GDPR and why it has global reach

GDPR is the short name for the EU’s General Data Protection Regulation (and, since Brexit, the UK GDPR). It protects the personal data of individuals who are in the European Union, gives those individuals (data subjects) rights over their data, and lays out obligations for the organisations that handle it. Its territorial scope is broad: it can apply to organisations established outside the EU when certain conditions are met.

A US company is subject to the GDPR if it is:

  1. Providing goods or services to data subjects in the European Union (EEA and UK)

This trigger is independent of payment: free services count too. Whether a business is targeting or envisaging an EU audience is assessed from a combination of indicators; mere accessibility of a website from the EU is not enough on its own, but the following activities point to intentional targeting:

  • Sending physical goods or providing access to digital services into a member state of the EU/EEA/UK;
  • Taking payments in a European currency such as Euros;
  • Running campaigns that market to email recipients in the EU/EEA/UK; and
  • Providing a website or service in a language that is widely spoken across the EU/EEA/UK.
  2. Tracking the behavior of users in the European Union

This trigger is particularly relevant to digital-first companies. If your business tracks or profiles users in the European Union, the GDPR will most likely apply. This includes practices like:

  • Tracking European Union website and app users with analytics tools;
  • Placing cookies or other tracking tags on the devices of users in the European Union, which also triggers requirements under the ePrivacy Directive as implemented in national law; and
  • Running targeted advertisement campaigns against users within the European Union on the basis of their online behavior.

Article 3(2) of the GDPR expressly sets out these two conditions; Article 3(1) separately covers any organisation with an establishment in the EU. The European Data Protection Board details them in its Guidelines 3/2018 on territorial scope and in Guidelines 05/2021 on the interplay between Article 3 and the Chapter V transfer rules. Being registered outside the EU does not by itself take a business out of scope.

What constitutes personal data under the GDPR?

The GDPR defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)). This definition is deliberately broad, encompassing far more than the concept of “personally identifiable information” (PII) used in other jurisdictions. Any organisation must understand what falls under it in order to determine its compliance obligations.

Personal data includes, but is not limited to:

  • Direct identifiers: a person’s name, email address, physical address or telephone number.
  • Online identifiers: IP addresses, browser cookies and device identifiers (MAC addresses, IMEIs, …).
  • Pseudonymous identifiers: user IDs, vehicle identification numbers (VINs), randomly assigned usernames, hashed values and similar tokens. Pseudonymised data is still personal data (Article 4(5)), because it can be linked back to the person with additional information.
  • Metadata that becomes identifying in context, such as timestamps.
  • Special categories of data: biometric data such as fingerprints or facial-recognition templates, and the other categories listed in Article 9 of the GDPR. See also our blog article on the differences between PII and personal data.
  • Other information: video or photo recordings, and an individual’s location data.
  • IoT data associated with a device’s purchaser, owner, user, maintenance technician, etc.

If your organization collects any of this information from individuals in the European Union, it is processing personal data and must assess its compliance obligations under the GDPR.
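The hashed-values bullet above is the one most often misread in practice: a vendor replaces email addresses with SHA-256 digests and declares the feed “anonymous”. The following Python script, added here as an illustration and not part of the original TechGDPR article, shows why an unkeyed hash is merely a pseudonym: anyone holding a candidate list (a CRM export, a breach dump) can rebuild the mapping. It then contrasts a keyed HMAC, which resists that lookup for anyone without the key while still letting the key holder re-identify people, which is exactly why the GDPR treats both as personal data. The addresses and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data for this example (not real people or a real key).
CANDIDATE_ADDRESSES = ["alice@example.org", "bob@example.net", "carol@example.com"]
CONTROLLER_KEY = b"example-only-secret-key-rotate-me"


def normalise(email: str) -> bytes:
    """Canonicalise an address so 'Alice@Example.org ' and 'alice@example.org' collide."""
    return email.strip().lower().encode("utf-8")


def unkeyed_pseudonym(email: str) -> str:
    """Naive pseudonymisation: plain SHA-256 of the address. Deterministic and
    reproducible by anyone, so it is reversible with a dictionary of candidates."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """Keyed pseudonymisation: HMAC-SHA256 under a secret held only by the controller.
    Without the key an outsider cannot build the candidate table; with the key the
    controller can still link the token back to the person (still Article 4(5) data)."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def dictionary_reversal(tokens, candidates, derive):
    """Re-identify tokens by deriving a token for every candidate address and
    looking each observed token up in the resulting table. `derive` is the
    function the attacker believes produced the tokens."""
    table = {derive(c): c for c in candidates}
    return {t: table.get(t) for t in tokens}


def count_recovered(mapping) -> int:
    """Number of tokens that were mapped back to an address."""
    return sum(1 for v in mapping.values() if v is not None)


def run_demo():
    """Returns (recovered_from_sha256, recovered_from_hmac_without_key,
    recovered_from_hmac_with_key) for the constructed sample."""
    # What a vendor might hand over as "anonymised" user identifiers.
    sha_tokens = [unkeyed_pseudonym(e) for e in CANDIDATE_ADDRESSES]
    hmac_tokens = [keyed_pseudonym(e, CONTROLLER_KEY) for e in CANDIDATE_ADDRESSES]

    # Attacker holds the same candidate list (e.g. a leaked CRM export) but no key.
    from_sha = dictionary_reversal(sha_tokens, CANDIDATE_ADDRESSES, unkeyed_pseudonym)
    from_hmac_no_key = dictionary_reversal(hmac_tokens, CANDIDATE_ADDRESSES, unkeyed_pseudonym)

    # The controller, holding the key, can still re-identify: pseudonymised, not anonymous.
    from_hmac_with_key = dictionary_reversal(
        hmac_tokens, CANDIDATE_ADDRESSES, lambda e: keyed_pseudonym(e, CONTROLLER_KEY)
    )
    return (
        count_recovered(from_sha),
        count_recovered(from_hmac_no_key),
        count_recovered(from_hmac_with_key),
    )


if __name__ == "__main__":
    sha, no_key, with_key = run_demo()
    total = len(CANDIDATE_ADDRESSES)
    print(f"SHA-256 tokens recovered by dictionary: {sha}/{total}")
    print(f"HMAC tokens recovered without the key:  {no_key}/{total}")
    print(f"HMAC tokens recovered by key holder:    {with_key}/{total}")
```

Two practical consequences follow. First, a hashed identifier that joins nicely across datasets is, by construction, a persistent pseudonym and must be treated as personal data in your records of processing and vendor contracts. Second, keying the hash and keeping the key out of the vendor’s hands is a sound security measure under Article 32, but it does not move the data out of scope: the controller can still re-identify, so the data is pseudonymised rather than anonymised.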

What if my business doesn’t comply?

Non-compliance with the GDPR can result in substantial financial and reputational losses. Administrative fines are set out in Article 83 of the GDPR in two tiers:

  • Tier 1 (Article 83(4)): up to €10 million, or 2% of the company’s total worldwide annual turnover in the preceding financial year, whichever is greater. This tier covers, for example, breaches of controller and processor obligations such as security and records of processing.
  • Tier 2 (Article 83(5)): up to €20 million, or 4% of that turnover, whichever is greater. This tier covers breaches of the basic principles, lawful basis, data subject rights and international transfer rules.

Enforcement is a real concern for U.S. companies. For example, Clearview AI, a U.S.-based firm, was the subject of enforcement action and fines by multiple EU data protection authorities for processing EU individuals’ personal data without a valid legal basis.

Along with fines, organizations can expect loss of customer trust, reputational damage, and legal restrictions on their data processing activities (supervisory authorities can order processing to stop). Enforcement action against household names shows that regulators are willing to act against organizations outside the European Union when the GDPR applies.

A simple checklist for your U.S. company

To allow you to consider at a glance whether the GDPR applies to your business, ask yourself the following questions:

  • Does your company’s website, app, or service deliver goods or services to individuals in the European Union?
  • Do you use tools that monitor the online behavior of individuals in the European Union?
  • Does your company process the personal data of any of your staff members working in the European Union?
  • Do you use vendor tools (processors) to carry out any of that data processing for you?

If you answered yes to any of these queries, then it is highly likely your company is subject to the GDPR.

Real-life examples of when the GDPR applies

  • An online store in the United States accepting payment in euros and shipping goods to customers in the European Union;
  • A company processing payroll for a remote employee working in the European Union;
  • A marketing company running targeted campaigns aimed at audiences within the European Union.

Conversely, a website that does not target EU customers and receives only incidental visits from the EU generally will not be subject to the GDPR.

Special Case: United States companies with EU-Based employees

Processing the personal data of employees located in the European Union can trigger GDPR obligations. Examples are maintaining personnel records, processing sensitive information such as health data, and monitoring work performance. Merely paying an employee in the European Union, without additional processing, might not trigger full GDPR compliance requirements, so HR processes need to be reviewed carefully. See our blog article on how the GDPR affects HR data for non-EU companies for further information.

Your next steps toward compliance

If your business is subject to the GDPR, it’s essential to be forward-leaning with regards to compliance.

  • Carry out a data mapping exercise: this feeds your Records of Processing Activities, the contents of which are set out in Article 30 of the GDPR. Record all personal data your organization collects and processes, the purpose of the processing, and where the data is stored;
  • Determine a lawful basis for every processing activity: this provides a documented and valid legal rationale for collecting and using personal data, e.g. the person’s consent, necessity for a contract with the person, a legal obligation under EU or member state law, or your organization’s legitimate interests (Article 6);
  • Draft accessible privacy notices: provide an intelligible and accessible notice describing what data is collected, the purposes, retention, and data sharing practices (Articles 13 and 14);
  • Respect the rights of data subjects: enable individuals to exercise their rights under the GDPR, including access, rectification, erasure, restriction, portability and objection;
  • Appoint a Data Protection Officer (DPO) where required (Article 37), for example when your core activities involve large-scale processing of special category data or regular and systematic monitoring of individuals;
  • Consider an EU representative: if your business has no establishment in the European Union, you may need to designate a representative in one of the member states under Article 27; and/or
  • Seek expert advice: the GDPR is complex. For complete compliance, obtain a professional GDPR compliance audit.

Conclusion

Whether the GDPR affects an American business is not a matter of physical presence but of whether the business has a connection with individuals in the European Union. If your business offers goods or services to people in the EU or monitors their behavior, it is very likely the GDPR will apply to you. The penalty for failing to comply can be extremely high, both financially and in terms of reputation.

All U.S. businesses should conduct an internal review of their data processing operations. If unsure, a professional GDPR compliance assessment provides a clear and secure path forward.

Embracing the GDPR as a non-EU company https://techgdpr.com/blog/gdpr-as-a-non-eu-company/ Mon, 21 Oct 2024 10:24:41 +0000

Six years after becoming enforceable, the GDPR has not died out as a conversation topic among board members. While it remains the elephant in the room for many a stakeholder, non-EU companies that have embraced its application and requirements are finding it much easier to remain contenders on the European market. This article asks: how can non-EU companies get started complying with a regulation they believe does not apply to them?

When does the GDPR apply?

The GDPR applies when public or private organizations process personal data. These organizations assume one of two distinct roles, data controller or data processor. When discussing role distribution in supplier or customer relationships, we label one party the controller and the other the processor. Logically, however, the role is determined at the level of a single processing activity.

The law is explicit about territoriality: establishment in the EU, and the targeting of people in the EU by offering them goods and services or monitoring their behaviour, bring you into scope. Thus, the GDPR applies to your non-EU company if:

  1. you establish a company or a subsidiary in the EU.
    No matter your product or service, your employees are people too and their data is protected by law. This places you under data controller obligations.
  2. you provide goods and services (for a fee or not) to people in the EU.
    Since processing their personal data is a requirement to provide said goods and services, you are under data controller obligations.
  3. you provide processing services (SaaS, PaaS) to a company to which the GDPR applies by virtue of the above points.
    Your customer’s GDPR obligations reach you through the mandatory processing contract (Article 28), and the GDPR applies to you directly where you yourself target or monitor people in the EU. In this case you likely assume data processor obligations.

Supplying services to end users

Beyond the letter of the law, your sales team faces demanding questions from client procurement teams and end users alike, whether you offer B2B, B2B2C or B2C goods and services. Sales teams need to understand what procurement teams are asking of them; at the very least, it communicates a sense of preparedness. In practice, they should only occasionally need to forward the less obvious questions to the tech, product or legal teams.

Your internal or external data protection officer (DPO) or chief privacy officer (CPO) should sit comfortably astride legal and tech. If they do, have them train sales to reduce back-and-forth communication. These individuals see data processing from the technical perspective of data flows and, importantly, understand risk from the perspective of the data subject.

(Illustration: Sisyphus leveraging compliance to finish in 1st place.)

Leveraging privacy

Being able to address data subject requests (DSRs) in a timely manner ensures you remain a contender on your client’s procurement shortlist. Some clients operate in highly regulated fields, so compliance is crucial to them. Others have a strong ethical drive and see non-compliance as a risk to their operations. With clients who don’t care, the relationship will deteriorate at the first privacy pinch from data subject requests, under pressure from their own vertical relationships in the supply chain or from enquiries by supervisory authorities.

If your business has a direct relationship with people in the EU, you likely assume a data controller role; this is the case with the provision of B2C goods and services. The full requirements of transparency, security and accountability apply, as does the duty to honour data subject rights. Data subjects are savvier now about exercising their rights, and you can expect their privacy experience with you to make it onto social media if they don’t trust your practices.

Supplying services to other organizations

When supplying SaaS or PaaS solutions in a B2B / B2B2C scenario, you are likely a data processor. The security and accountability requirements apply to both controllers and processors, whereas transparency obligations are fulfilled by the data controller, either through its own channels or via a notice your platform lets it present to its end users. Your ability to demonstrate this readily satisfies your customers’ expectation that you are set up to help them demonstrate how they comply.

Transparency is not the only obligation you will help your customer fulfil. Say you provide a platform that corporate customers use to build retail experiences for their users. They remain responsible for collecting proof of consent to the data processing resulting from the platform features they enable (e.g. shopping-cart memory or reward schemes). Since your platform is the front end of user interaction for your customers, ask yourself whether it:

  • provides your customers with consent collection mechanisms, collecting proof of consent and allowing for user revocation of consent;
  • provides APIs to push data from your platform to your customer’s ERP, therefore triggering data transfers and access right management;
  • helps generate records of processing activities that satisfy GDPR Article 30 requirements;
  • helps generate a privacy notice based on the factual data processing caused by the user’s choice of features.

Engaging a non-compliant SaaS solution remains the data controller’s statutory responsibility. Yet remember that their DPO and legal counsel can be powerful show-stoppers when signing procurement contracts. No one appreciates manual work, much less when it involves chasing the less responsive solution providers out there.

Are employees people too?

You bet they are. Tunnel vision is frequent when focusing on exporting your product. Yet, when setting up a subsidiary to manage staff locally or remotely contracting staff in the EU, the data you process about them for employment and project management purposes is subject to regulation. Job boards and recruiting agencies let you tap into talent, and the nature of the services you use may vary, but your obligations on the underlying data remain those of transparency, lawfulness and retention.

During onboarding and throughout the employment lifecycle, employees provide and generate large amounts of personal data, some of it highly sensitive, such as data associated with sick leave and disabilities. Remember that your HR systems may not be contracted in the EU and likely plug into other tools, as is often the case with payroll management, training and employee development. As you would expect, this tool landscape brings additional challenges for complex organizations sharing services across multiple jurisdictions. Due diligence should take place before onboarding a tool and continuously while testing features.

(Illustration: HR personnel carelessly distributing job applicants’ personal data throughout the company.)

What about applicants?

No evidence suggests that merely looking at profiles on LinkedIn triggers GDPR obligations; the GDPR refers to such data as publicly available. However, the moment you use a third-party tool or structure the information, requirements are triggered. This customarily takes the form of using spreadsheet trackers to drive applicants through a conversion funnel or sharing them for assessment. Not all applicant tracking software is created equal. Choosing a supplier based in the EU does not guarantee that its compliance is up to par. At the very least, you should expect it to know what compliance you need its solution to offer.

Don’t take their word for it, challenge their assertions and document their response.

What does it take for non-EU companies to become compliant?

How is compliance defined and measured?

At its heart, compliance is about developing and maintaining the ability to demonstrate awareness of risk and control of that risk. Note that in data protection we do not measure risk in financial terms, nor in terms of corporate reputation: we see privacy risk through the lens of impact on the data subject. Whether you rely on staff who are good at understanding ISO standards or legal officers who are good at interpreting legal provisions, your compliance essentially depends on whether your product owners understand:

  • what data they need (data);
  • what they are doing with it (purpose);
  • to whom they have provided access to -e.g. through APIs- (recipients);
  • where it comes from (source & confidentiality),
  • how they legitimize its handling (legal basis), and
  • what rights can be exercised against that data (DSRs).

This inventory is not established in a week, not unless employees actually speak to one another and have nothing else on their plate. Needless to say, the inventory is never perfect. Worse, it is often built on erroneous assumptions, for instance ruling too quickly on what is not personal data, or failing to register the implementation of an API as triggering a processing activity. Have you ever had an awkward discussion with a partner’s procurement team?

For organizations using the ISO 27001 security management cookbook, the ISO 27701 extension is the cherry on top: it helps demonstrate to customers and authorities that the organization is serious about compliance, serious enough to let a third party independently audit its management systems (the ISMS and PIMS respectively).

(Illustration: A stressed compliance officer attempting to provide proof of compliance to an auditor.)

What do you need in order to demonstrate compliance?

You’ll need Records of Processing Activities (RoPA) to start with. That puts everyone on the same page, from your tech teams to your legal teams, product owners, sales and procurement teams, and lets you update your privacy notices and enter (and exit!) sales discussions comfortably. You’ll need to review all your third-party contracts to identify where Data Processing Agreements (DPAs) and international transfer mechanisms are missing. You may also need to perform data protection impact assessments where your activity is on your supervisory authority’s list of processing that requires one (Article 35(4)).

You might need to drop vendors with appalling documentation or those refusing to provide it. For instance, consent management platforms may lure you into thinking you don’t process personal data. If you are not willing to change suppliers, then maintain a list of vendors to deprecate for compliance issues and communicate it to upper management. You’ll need robust security documentation and a fair share of training and awareness-raising at all levels of the organization. Perhaps least discussed but most needed on your compliance journey is an organizational appetite for change management.

Much like ISO 27001, whether your company is EU- or non-EU-based, what helps you demonstrate GDPR compliance is the amount of available, relevant, readable, useful [and used!] documentation that demonstrates accountability. Compliance and product teams are already getting creative with Microsoft Copilot, letting it read through emails, repositories and spreadsheets. Are you ready to let an algorithm adjudicate on your company’s compliance and leave you none the wiser? AI is likely to become an audit support tool in first- and second-party audits. It is however unlikely to replace the auditor’s judgement and decisional independence any time soon in third-party audits that rely on market-leading certification bodies.

Making sense of new EU-wide data regulations, the red thread behind the digital single market https://techgdpr.com/blog/making-sense-of-new-eu-wide-data-regulations-the-red-thread-behind-the-digital-single-market/ Mon, 08 Jan 2024 11:24:08 +0000


A multitude of new regulations are either in the ordinary legislative procedure or already in force. These include the Data Act, the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Cyber Resilience Act, the European Health Data Space Regulation and the Artificial Intelligence Act. Data regulation in the European Union (EU) is becoming more complex and challenging for businesses to comply with. The increasing number of administrative burdens and compliance requirements in these regulated areas is a valid concern for businesses, and supervisory enforcement of enacted regulations will be a wake-up call for organizations that are not prepared. Tech players operating in the EU and the authorities overseeing their activities face a similar challenge in adapting to legislative overlap. New fines, new supervisory authorities and new compliance requirements are expected. To better understand this burst of regulation, the EU’s strategic policies must be carefully examined.

What is the EU aiming for?

  • The United States (US) and China (CN) have different advantages in the field of technological competitiveness. 
  • The US has a strong private sector with abundant financial resources, while CN has a state-sponsored private sector. 
  • The EU meanwhile wants to shape its own digital future, and create a competitive Digital Single Market while enforcing European democratic values. In a short span of time, the European Commission has implemented digital transformation policies to become more competitive in the global economy, reduce the carbon footprint that arises from the red-tape bureaucracy and go digital. 
  • Better public services and comprehensive scientific research will be strengthened by the re-use of data envisaged in the European Strategy for Data.

Understanding the distinct European view on data 

Greater productivity for IoT and data-enabled products are also on the list. But greater accessibility to data is needed to enable innovation in a data-driven economy. This explains why data intermediaries are expected to play a key economic role, as envisioned in the Data Governance Act. Making more data available to smaller players will be made possible by creating common European data spaces in strategic sectors. There are multiple underlying reasons for the data spaces, all of which align with the strategic data policies of the European Union.

  • The new regulations are in line with the existing strategic objectives, allowing for organizations to get ahead of the game by embracing the EU’s strategic data policies. 
  • The industrial data space and co-generated industrial data is part of the Data Act. 
  • The common European health data space is also regulated with the upcoming European Health Data Space Regulation. 
  • Green Deal data space, financial data space, energy data space, agricultural data spaces, are also mentioned in the “European Strategy for Data”.

EU strategic goals

  • The digitalisation of public services and the digital transformation of businesses are high priorities in the 2030 Digital Compass: the European way for the Digital Decade.
  • The Digital Compass goals are consistent with the rising amount of data being created in the EU. 
  • The EU is determined to maintain its regulatory norms and standards in its relations with international partners. 
  • By 2030, the EU aims to build an interconnected data processing ecosystem that is conscious of fundamental rights and in full compliance with legal requirements. As stated in the 2030 Digital Compass policy, the EU will continue to promote the ethical use of AI, establish strict cybersecurity and resilience requirements, tackle disinformation and illegal content online, ensure the operational security of digital finance and facilitate the transformation of e-government. These are addressed, respectively, by the Artificial Intelligence Act, the NIS2 Directive and Cyber Resilience Act, the Digital Services Act, the Digital Operational Resilience Act for the financial sector and the European Health Data Space Regulation.

Implications for the future

These new regulations pave the way for the EU to achieve its new industrial strategy of climate neutrality and digital leadership. They help to reduce the carbon footprint and cut red-tape bureaucracy.

  • The digital transformation is essential for a greener EU.
  • The reuse of data is also critical. 
  • As stated in the EU Strategy for Data, this includes greater productivity and competitive markets, as well as improvements in health and well-being. 

The emergence of data-driven ecosystems can prove itself in the long run but it may take years for the EU to figure out the interplay of new regulations within the existing legal frameworks, the preparation of new guidelines and the appropriate degree of coordination between supervisory authorities. 

The EU will need to ensure that data and data-enabled products and services are available throughout the single market. Considering the EU’s goal of building a legal digital framework and becoming an international market leader, similar regulations may spread over time to different continents through the Brussels Effect. The key intention is to create a European data ecosystem that is respectful of fundamental rights. Whether these strategic intentions will be translated into the regulatory scope as intended remains to be seen. 

EU-US data transfers: US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and the impact on organizational GDPR compliance. https://techgdpr.com/blog/us-executive-order-and-impact-on-eu-us-data-transfers/ Tue, 20 Dec 2022 08:34:00 +0000

It is no longer news that EU-US data transfers have become increasingly challenging since the invalidation of the EU-US Privacy Shield Framework in 2020 (the Schrems II judgment). Since then, companies have had to rely on standard contractual clauses and, in other cases, data subjects have had to consent to such transfers knowing the risk of US government access. The economic relationship between the EU and the USA is currently valued at about $7.1 trillion. Given this value, it is no wonder that there have been efforts to make data flows between the EU and the USA less cumbersome and to preserve the economic relationship between the regions. This document provides a brief summary of the latest effort by the US government to foster trust in the data privacy framework of the USA: the US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.

On 7 October 2022, President Biden signed Executive Order 14086, Enhancing Safeguards for United States Signals Intelligence Activities (EO), to implement the commitments made by the US under the EU-US Data Privacy Framework. The EO has five sections: purpose, signals intelligence activities, the signals intelligence redress mechanism, definitions and general provisions.

For the purpose of this document, the significant provisions of the EO are highlighted. To understand them, it is important to first understand what signals intelligence means. Signals intelligence is a form of intelligence gathering by intercepting electronic signals. In the US context, it involves collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government, such as senior civilian and military officials, who use it to help protect US troops, support allies, fight terrorism, combat international crime and narcotics, support diplomatic negotiations and advance other national objectives.

Legitimate objectives for signal intelligence

Signals intelligence is not to be carried out arbitrarily. According to Section 2(b)(i)(A), it may be conducted only in pursuit of the following legitimate objectives:

  1. To assess the capabilities or activities of a foreign government/military/political organization or any entity acting on its behalf in order to protect the national security of the USA and its allies/partners.
  2. To assess the activities of international terrorist organisations that pose a current or potential threat to the national security of the US or allies and partners.
  3. To assess transnational threats impacting global security such as climate change, public health risks, humanitarian threats, political instability and geographic rivalry
  4. To protect against foreign military capabilities and activities
  5. To protect against terrorism, taking of hostages conducted by or on behalf of a foreign government
  6. To protect against espionage
  7. To protect against threats from the development and proliferation of weapons of mass destruction conducted by or with the assistance of a foreign government, organization or person.
  8. To protect against malicious cybersecurity threats.
  9. To protect against threats to the personnel of the US or its allies or partners
  10. To protect against transnational criminal threats including illicit finance and sanctions evasion related to any of the objectives stated in this list.
  11. To protect the integrity of government property, US physical and electronic infrastructure and political processes such as elections from activities conducted by a foreign government, organization or person.
  12. To advance operational capabilities in order to further any of the reasons stated in this list.

Prohibited objectives for signals intelligence activities

Section 2.b.i.B of the EO lists the objectives for which signals intelligence may not be conducted:

  1. Suppressing or burdening criticism, dissent or the free expression of ideas or political opinions
  2. Suppressing or restricting legitimate privacy interests
  3. Suppressing or restricting the right to legal counsel
  4. Disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation or religion.

The EO further states that collecting foreign private commercial information or trade secrets in order to give US companies or the US business sector a competitive advantage is not a legitimate objective. Such collection may only be conducted, with authorisation, in order to protect the national security of the US or its allies or partners.

The EO provides: “Signals intelligence collection activities shall be as tailored as feasible to advance a validated intelligence priority and, taking due account of relevant factors, not disproportionately impact privacy and civil liberties. Such factors may include, depending on the circumstances, the nature of the pursued objective; the feasible steps taken to limit the scope of the collection to the authorized purpose; the intrusiveness of the collection activity, including its duration; the probable contribution of the collection to the objective pursued; the reasonably foreseeable consequences to individuals, including unintended third parties; the nature and sensitivity of the data to be collected; and the safeguards afforded to the information collected.”

With respect to bulk collection of signals intelligence, the EO states that when it is determined that bulk collection is necessary to advance a validated intelligence priority, reasonable methods and technical measures shall be applied to limit the data collected to only what is necessary in order to achieve legitimate objectives.

Handling of personal information collected through signals intelligence

The EO also provides for the handling of personal information collected through signals intelligence. Elements of the intelligence community handling personal information shall ensure that policies and procedures are put in place to minimise the dissemination and retention of personal information. The provisions on retention give ‘non-United States persons’ the same level of protection as United States persons. For instance, under ‘Retention’ in section 2.c, the intelligence community “shall delete non-United States persons’ personal information collected through signals intelligence that may no longer be retained in the same manner that comparable information concerning United States persons would be deleted.”

With respect to data security and access, personal information collected through signals intelligence is to be processed and stored under conditions that provide appropriate protection and prevent unauthorised access, consistent with the applicable safeguards for sensitive information in the relevant Executive Orders and Directives.

Worthy of note is the savings clause in section 2.e, which states that nothing in the EO shall be construed to limit any signals intelligence collection technique authorised under the Foreign Intelligence Surveillance Act of 1978, as amended (FISA). It should be remembered that one of the grounds for the invalidation of the Privacy Shield Framework was section 702 of FISA, which permits surveillance carried out with the compelled assistance of ‘electronic communication service providers’, a term that the American courts have interpreted broadly.

Redress mechanism for EU-US data transfers

Section 3 of the EO establishes a process for the submission of qualifying complaints from qualifying states alleging a covered violation of US law, for the investigation of those complaints, for appropriate remediation where necessary, and for the establishment of a Data Protection Review Court (DPRC). Whether a country or regional economic integration organisation is designated a qualifying state depends on a number of factors set out in section 3.f.i of the EO, one of which is that the country, the organisation or its member countries permit, or intend to permit, the transfer of personal information for commercial purposes between their territory and the territory of the US. This is an application of the principle of reciprocity: the designation can also be revoked if the country or its member countries no longer permit such transfers.

What does this mean for EU-US data transfers?

You are probably wondering how this affects your business operations and EU-US data transfers. The EO brings a ray of hope, as it promises to ease data flows between the EU and the US. What is important to keep in mind, however, is that an Executive Order is a US instrument and has no direct effect on EU territory. For this reason the European Commission has published a Q&A on the EU-US Data Privacy Framework.

In that publication, the Commission states that it will propose a draft adequacy decision and launch the procedure for its adoption. The final adequacy decision will be adopted only after scrutiny by the European Parliament, after which personal data should flow freely from the EU to US companies that have been certified by the Department of Commerce under the new framework.

Until these formalities have been completed, nothing is required from businesses in the EU. If you plan to start transferring data to the US, note that an adequacy decision is not the only route. One mechanism adopted by the European Commission for international data transfers is the modernised standard contractual clauses, which businesses can include in their commercial contracts. The Commission has also stated that, in the future, all the safeguards it has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.

Summary

Undoubtedly, the EO is a laudable effort to create an environment of trust for EU-US data transfers. The establishment of a Data Protection Review Court, for instance, is a progressive step because it provides a redress mechanism for so-called qualifying complaints from qualifying states. According to the White House, the provisions of the EO are intended to provide the basis for the European Commission to adopt a new adequacy decision, restoring an accessible and affordable data transfer mechanism under EU law.

Despite being a commendable effort, the EO gives with one hand and takes with the other. The savings clause states that the EO does not limit any signals intelligence collection technique authorised under the Foreign Intelligence Surveillance Act (FISA), among other laws.

Furthermore, the process for lodging a qualifying complaint appears cumbersome, especially for non-US persons. The Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO) must first review the complaint and then inform the complainant, through the appropriate public authority in the qualifying state, whether or not a covered violation was identified. Complainants therefore cannot lodge complaints directly with, or bring an action before, the DPRC.

After the CLPO has reviewed a complaint, the DPRC (constituted by judges selected by the Attorney General in consultation with, among others, the Secretary of Commerce) may review the CLPO’s decision. If the complainant applies for a review by the DPRC, the DPRC selects a special advocate to advocate regarding the complainant’s interest in the matter (section 3.c.i.E). This brings to mind the Latin maxim nemo judex in causa sua: no one should be a judge in their own case. Would an advocate appointed by the DPRC really serve the interest of the complainant, or that of its master? Time will tell.

The EO is conspicuously silent on the rights of the complainant. At best, it creates only an ‘[…] entitlement to submit qualifying complaints to the CLPO and to obtain review of the CLPO’s decisions by the Data Protection Review Court[…]’ according to section 5.h. That section clearly states that the Order ‘… is not intended to, and does not, create any other entitlement, right, or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.’

On 13 December 2022, the European Commission published a draft adequacy decision for EU-US data transfers, signalling the start of the adoption procedure for the EU-U.S. Data Privacy Framework following the US Executive Order. According to the Commission’s official website, it has submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States; in addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can adopt the final adequacy decision.

In summary, while the Executive Order is a step in the right direction, it still leaves open questions about government surveillance and the enforceability of data subject rights in the USA. The coming months will bring interesting developments as further processes are put in place to comply with this Executive Order and to adopt a final adequacy decision for EU-US data transfers. Until then, businesses in the EU are advised to maintain the status quo: limit data transfers to the US as much as possible, or rely on the existing lawful mechanisms for such transfers.

GDPR and HR data for non EU-companies https://techgdpr.com/blog/gdpr-and-hr-data-for-non-eu-companies/ Wed, 02 Feb 2022 11:16:19 +0000

It has been three years since the GDPR became applicable and, although it provided clarity on the handling of personal data, some ambiguities remain, in particular when a non-EU organisation employs staff located in the EU.

Territorial applicability

The territorial applicability of the GDPR is outlined in Article 3 and is conditional on three criteria:

  1. the location of the controller/processor
  2. the offering of services to individuals in the EU/EEA (through targeting them)
  3. the monitoring of the behavior of data subjects in the EU.

Human Resources (HR) data consists largely of personal data (i.e. name, email address, physical address, bank account, …) and hence its processing falls under the scope of the GDPR.

According to GDPR Art. 3.1

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

When a company is located in the EU/EEA and its employees or contractors are also located in the EU/EEA, Art. 3.1 of the GDPR applies. Therefore, any handling of employees’ personal data must be performed in a GDPR-compliant manner. This ranges from establishing the legal bases for the processing to adhering to the data protection principles (GDPR Art. 5) and ensuring that employees can exercise their rights (Articles 15 to 22 GDPR).

The situation becomes less clear when the company is located outside the EU/EEA but has employees located in the EU/EEA. GDPR Art. 3.2 regulates the extraterritorial effect of the GDPR and provides that a company not established in the EU falls under the GDPR only if:

  1. it offers goods or services to data subjects in the EU/EEA (by targeting them, not incidentally), or
  2. it monitors the behaviour of data subjects that takes place in the EU/EEA.

The EDPB has stressed in its Guidelines 3/2018 on the territorial scope of the GDPR that employment does not constitute an offering of services. This can be read from its example of a US company processing personal data of its employees for human resources purposes while they were on a trip in the EU:

“In this situation, while the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service and is therefore not subject to the provision of the GDPR as per Article 3(2)a.”

It is possible, however, that an employer monitors its employees. This could include, among others:

  1. application usage monitoring,
  2. CCTV monitoring,
  3. email monitoring and
  4. geolocation through company-issued equipment.

In this case, any personal data of employees located in the EU, collected through this monitoring activity, will fall under the GDPR even if the employer (controller) is located outside of the EU/EEA and has no subsidiary in the EU/EEA, under the GDPR Art. 3.2. 

Concluding applicability of the GDPR for HR data for non EU companies

We can therefore conclude that if a non-EU company does not monitor its employees based in the EU/EEA, the processing of their personal data for HR-related purposes (payroll, insurance, drafting of employment contracts) does not fall within the scope of the GDPR. This is in line with the EDPB Guidelines 3/2018 on the territorial scope of the GDPR.

If the company is located outside the EU/EEA and has no EU/EEA based employees or contractors then any employee personal data processing even through monitoring would fall outside the scope of the GDPR.

A Comparison of POPIA and GDPR in Key Areas https://techgdpr.com/blog/a-comparison-of-popia-and-gdpr-in-key-areas/ Tue, 28 Jul 2020 14:36:18 +0000

South Africa’s Protection of Personal Information Act (POPIA) commenced on 1 July 2020 with a one-year grace period, so parties subject to POPIA must be fully compliant by 1 July 2021. A number of them may have a head start if they already adhere to an established data protection regime such as the European Union’s General Data Protection Regulation (GDPR). However, they may still be unaware of the extent to which they must adapt to POPIA. This article therefore compares POPIA and the GDPR as a helpful guide for parties subject to both.

GDPR and POPIA are fairly similar overall, albeit with some differences in terminology, organisation of the respective articles, and greater specificity on the part of GDPR.

Key definitions in GDPR and POPIA

Personal information (POPIA) / Personal data (GDPR)
Information relating to an identifiable, living, natural person. POPIA also covers juristic persons, where applicable.

Processing
Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information. This includes:
  • Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
  • Dissemination by means of transmission, distribution or making available in any other form
  • Merging, linking, as well as restriction, degradation, erasure or destruction of information

Consent
Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. What constitutes a voluntary expression of will under POPIA remains a matter of interpretation.

Data subject
The person to whom personal information relates.

Responsible party (POPIA) / Data controller (GDPR)
A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Operator (POPIA) / Data processor (GDPR)
Under the GDPR, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. POPIA’s closest equivalent is the operator, who processes personal information for a responsible party in terms of a contract or mandate. POPIA nonetheless places accountability for the conditions of lawful processing on the responsible party, which must conclude a written contract with the operator and ensure that the operator maintains the required security safeguards.

Information Regulator (POPIA) / Supervisory authority (GDPR)
A juristic person with jurisdiction throughout the Republic/member state, subject only to the constitution, which must perform its functions in accordance with POPIA/GDPR. The Information Regulator is accountable to the National Assembly. A key difference between the two is explained below.

Information officer (POPIA)
A role carried over from South Africa’s pre-existing access-to-information law, the Promotion of Access to Information Act (PAIA). The responsible party must register the designation of its information officer with the Regulator. The responsibilities of the information officer include:
  • Encouraging compliance with POPIA and the conditions for lawful processing
  • Dealing with any request made to the organisation (it is unclear what “any request” covers)
  • Cooperating with the Information Regulator in respect of any investigation
The comparable GDPR role is the data protection officer (DPO). However, the information officer is responsible for ensuring compliance with POPIA, whereas the DPO must monitor and advise while remaining independent.

Deputy information officer (POPIA)
One or more persons designated in accordance with section 56 to assist the information officer in performing his or her tasks. The GDPR does not set out a comparable role.

Special personal information (POPIA) / Special categories of personal data (GDPR)
The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; and the criminal behaviour of a data subject to the extent that such information relates to alleged offences, or to proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
POPIA and the GDPR cover largely the same content here, but POPIA places criminal offences within special personal information, while the GDPR treats the two concepts separately.

A key difference between the Information Regulator (POPIA) and the supervisory authority (GDPR)

Responsible parties under POPIA must obtain prior authorisation from the Regulator in order to:

  • process unique identifiers of data subjects for a purpose other than the one specifically intended at collection, with the aim of linking the identifiers with those processed by other responsible parties
  • process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties
  • process information for the purpose of credit reporting
  • transfer special personal information, or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information

The Regulator may, by law or regulation, extend this prior authorisation requirement to other types of processing that carry a particular risk for the legitimate interests of the data subject.

In comparison, the GDPR does not require prior authorisation from the supervisory authority for these operations. The supervisory authority monitors and enforces compliance, and a controller must consult it in advance only where a data protection impact assessment indicates that the processing would result in a high residual risk (Article 36).

What are the conditions (principles) for processing personal information in GDPR and POPIA?

For both the GDPR and POPIA, accountability is the central principle for processing personal information. Under accountability, both regulations require the controller/responsible party to demonstrate compliance with the following conditions (principles):

Processing limitation (POPIA) / Lawfulness and data minimisation (GDPR)
Data must be processed lawfully and reasonably, adhering to the concept of minimality (data minimisation in the GDPR): the processing should be adequate, relevant and not excessive. Collection must come directly from the data subject, except under certain specified circumstances. POPIA combines minimality and the requirement to collect data directly from the data subject in a single condition, while the GDPR addresses these concepts in separate articles.

Purpose specification (POPIA) / Purpose limitation and storage limitation (GDPR)
“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.” The data subject must be made aware of the purpose of the collection, barring the exceptions outlined in section 18(4). “Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected,” except where retention is required or authorised by law, by contract, etc.

Further processing limitation
Once data has been collected, further processing may only occur if the purpose of the further processing is compatible with the purpose for which the data was collected.

Information quality (POPIA) / Accuracy (GDPR)
The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

Openness (POPIA) / Transparency (GDPR)
  • The responsible party must maintain documentation of all processing operations
  • The responsible party must ensure, at the time of collection, that the data subject is aware of:
    • The information collected and its source, if not the data subject
    • The name and address of the responsible party
    • The purpose of collecting the information
    • Whether the information collection is mandatory or voluntary
    • The consequences of failure to provide the information
    • Any law requiring the collection of the information
    • Any intention of the responsible party to transfer the information to a third country and the level of protection afforded by that third country
    • The recipients of the information
    • The nature of the information
    • Their rights to object to the processing and to lodge a complaint with the Information Regulator
The GDPR stipulates that “the controller shall provide” the information above, whereas POPIA’s wording, “aware of”, is harder to prove or disprove. As a result, responsible parties are held to a lower standard of accountability on this point.

Security safeguards
The “responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures” (TOMs). To do so it must:
  • Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control
  • Establish and maintain appropriate safeguards against the risks identified
  • Regularly verify that the safeguards are effectively implemented
  • Ensure that the safeguards are continually updated in response to new risks or to deficiencies in previously implemented safeguards

Data subject participation
  • The right of access (after providing proof of identity)
  • The right to ask the responsible party to correct or delete personal information that is “inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully”
Data subject participation is further explained in the section below on the rights of data subjects.

How does the scope of application of POPIA compare with that of the GDPR?

POPIA and the GDPR both apply when the responsible party/controller is:

  • domiciled (established) in the Republic/EU
  • not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic (POPIA)

This scope is comparable to the EU’s pre-GDPR Data Protection Directive of 1995. However, the GDPR also applies to controllers and processors established outside the EU when they offer goods or services to data subjects who are in the Union or monitor their behaviour there, regardless of where the controller or processor is headquartered (Article 3(2)), and where Member State law applies by virtue of public international law (Article 3(3)).

What are the exceptions to the prohibition on processing special personal information under POPIA and GDPR?

Under both POPIA and the GDPR, responsible parties/controllers may process special personal information if the processing:

  • is carried out with the consent of the data subject
  • is necessary for the establishment, exercise or defence of a right or obligation in law
  • is necessary in order to comply with an obligation of international public law
  • is for historical, statistical or research purposes, to the extent that
    • the purpose serves a public interest and the processing is necessary for that purpose
    • it appears to be impossible, or would involve a disproportionate effort, to ask for consent
    • sufficient guarantees are provided to ensure that the processing does not adversely affect the privacy of the data subject to a disproportionate extent
  • concerns information that has deliberately been made public by the data subject
  • has been authorised by the Regulator upon application by the responsible party, on the basis of public interest and established safeguards

How does POPIA’s justification of processing compare with the GDPR’s legal bases?

Under POPIA and the GDPR, processing is justified when:

  • consent is obtained from the data subject or, where the data subject is a child, from a competent person
  • the processing:
    • is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party
    • complies with an obligation imposed by law on the responsible party
    • is necessary for the proper performance of a public law duty by a public body
    • protects a legitimate interest of the data subject (this might be interpreted to cover the data subject’s vital interests, the term the GDPR uses, but this is unclear)
    • is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied (POPIA expressly covers the legitimate interests of third parties here, as does Article 6(1)(f) of the GDPR)

Rights of data subjects

POPIA: The right to be notified
GDPR: Right to be informed

POPIA: The right to access
GDPR: Right of access

POPIA: The right to request correction, deletion or destruction of personal information
GDPR: Right to rectification and right to erasure

POPIA: The right to object, when the processing is justified by the legitimate interests of the data subject or of the responsible party, or when the processing is for direct marketing purposes
GDPR: Right to object, when the processing is necessary for the performance of a task carried out in the public interest or for the controller’s legitimate interests, and to processing for direct marketing purposes

POPIA: The right not to have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications
GDPR: Right to object to processing for direct marketing purposes (Article 21(2))

POPIA: The right not to be subject, under certain circumstances, to a decision with legal consequences based solely on automated processing (further discussed below under “Additional remarks”)
GDPR: Right not to be subject to a decision based solely on automated processing

POPIA: The right to complain to the Regulator
GDPR: Right to lodge a complaint with the supervisory authority

POPIA: The right to an effective judicial remedy
GDPR: Right to bring proceedings against a controller or a processor

How does POPIA compare with GDPR in the following circumstances?

Processing for the purpose of direct marketing

Under both POPIA and the GDPR, the processing of a data subject’s personal information for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMS or e-mail, is prohibited. The exceptions to this prohibition are that the data subject has consented to the processing, or that the data subject is an existing customer of the responsible party, subject to conditions: the responsible party must have obtained the data subject’s contact details in the context of the sale of a product or service, and must be marketing similar products or services.

Additionally, it is essential that the data subject be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to direct marketing related use of their electronic details. Direct marketing communication must accordingly contain the details and identity of the sender in addition to an address or other contact information to which the recipient may request that such communications cease.

Transfers outside the Republic under POPIA

The responsible party must not transfer personal information to a third party in a foreign country except under the following exceptions.

Exception: The third-party recipient is subject to a law, binding corporate rules (in other words, policies within a group of undertakings) or a binding agreement which provides an adequate level of protection.
Remark: Although very similar to the GDPR, there is no certainty as to what a “binding agreement” refers to. It could be a mechanism equivalent to the GDPR’s own, or it could look more like the GDPR’s Standard Contractual Clauses.

Exception: Consent of the data subject.
Remark: In the GDPR, explicit consent of the data subject is also a clear derogation allowing transfers outside the EU that are not covered by appropriate safeguards.

Exception: The transfer is necessary in order to perform a contract.
Remark: This will undoubtedly be a source of debate, since responsible parties will tend to consider their own business choices to be necessary.

Exception: The transfer is for the benefit of the data subject, it is not reasonably practicable to obtain the data subject’s consent for the transfer and, if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
Remark: This exception expects responsible parties to display a high standard of conduct, relying on an objective assessment both of what is “reasonably practicable” and of the data subject’s likelihood of giving consent.

Additional Remarks

  • The Regulator may exempt any responsible party from compliance with POPIA for the purpose of satisfying public interest or for the benefit of the data subject.
  • Automated decision making is not based on the data subject’s consent but rather on a contract or law/code of conduct. Moreover, POPIA safeguards for automated decision making are narrower than in the GDPR. While POPIA provides only a possibility to make representations, GDPR provides a trio of rights related to automated decision making: obtain human intervention, express the point of view, and appeal the decision.
  • Responsible parties under POPIA are able to process personal data in the event that the processing is deemed to be in the data subject’s legitimate interest. However, the phrasing of this concept is ambiguous. Consequently, it will likely become a source of abuse. For instance, a clear line of defence for businesses is to argue that they have actually evaluated the data subject’s interest. Similarly, customary assessments of interests done by marketing departments are reflected in cookie banners like this one.
Cookie Banner

In the long run, as a cultural shift towards more privacy takes place, friction will increase between individuals who want more privacy and organisations who want more data. Accordingly, regulations like POPIA and the GDPR are essential for working through this friction.


This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

The post A Comparison of POPIA and GDPR in Key Areas appeared first on TechGDPR.

What is the difference between personally identifiable information (PII) and personal data? https://techgdpr.com/blog/difference-between-pii-and-personal-data/ Thu, 27 Jun 2019 12:33:16 +0000
When organisations seek to protect their users’ data, it is necessary that they understand the data they need to safeguard. Personal data, in the context of the GDPR, covers a much wider range of information than personally identifiable information (PII), the term commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII.

This calls for some explanation. 

What is PII?

Personally identifiable information is defined by the US Office of Privacy and Open Government as:

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

To distinguish an individual is to identify an individual by discerning one person from another and to trace an individual is to process sufficient information to make a determination about a specific aspect of an individual‘s activities or status. Following this definition, name, email address, postal address, phone number, personal ID numbers (e.g., social security, passport, driver’s license, bank account) are considered PII.

Information is designated as linked if a piece of personal information can on its own be used to identify an individual (e.g. birth name). Information is categorised as linkable if, on its own, it may not be sufficient to identify a person, but when combined with another piece of information it could identify, trace, or locate a person (e.g. birth date).

Take for instance two datasets containing different PII. When both datasets are accessible to the same person, it becomes possible to identify individuals by combining the datasets or by accessing additional information about the subject. This is where information security comes into play. If the controls designed to keep the data sources separate are insufficient, then the data is considered linked. When the additional source of information remains external or at a distance (the case with siloed databases within organisations, or with publicly accessible information reachable via an internet search engine), then that data is considered linkable.

What is sensitive PII?

PII is considered sensitive if the loss, compromise, or unauthorised disclosure of this data could result in harm, embarrassment, inconvenience, or unfairness to an individual. For instance, the following information is considered to be sensitive PII:

  • medical
  • educational
  • financial
  • employment information

What is personal data under GDPR?

The GDPR in Article 4 defines personal data as follows:

“Personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Overview of PII and Personal Data

In this definition we see four main elements: “any information”, “relating to”, “an identified or identifiable” and “natural person”.

First element: “any information”

The term “any information” contained in the Directive clearly calls for a wide interpretation of the concept. Regarding the nature of the information, this means that both objective and subjective information about a person can be considered personal data. Regarding the content, personal data covers any sort of information. The definition is also technology neutral: it does not matter how the personal data is stored (e.g. alphabetical, numerical, graphical, photographic, acoustic). As an example, images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognisable.

Second element: “relating to”

In general terms, information can be considered to “relate” to an individual when it is about that particular individual. In order to consider the data related to someone, one of the three following features should be present: content, purpose, or result. These three features should be considered alternative conditions, not cumulative ones. Accordingly, the same piece of information may relate to different individuals at the same time, depending on which element is present with regard to each one.

Third element: “identified or identifiable”

A natural person is “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group. The natural person is “identifiable” when, although the person has not been identified yet, it is possible to do so.

What information can be an identifier? The GDPR provides a non-exhaustive list of common identifiers that, when used, may allow the identification of the individual to whom the information in question may relate (e.g. name, identification number, location data, online identifier).

The concept of “directly” or “indirectly” identifiable implies that the extent to which certain identifiers are sufficient to achieve identification is something dependent on context.

Some characteristics are so unique that someone can be identified with no effort. If I mention “our boss”, you’ll know exactly who I am speaking about.


Fourth element: “natural person”

The concept of a natural person refers to Article 6 of the Universal Declaration of Human Rights, according to which “Everyone has the right to recognition everywhere as a person before the law”. The right to the protection of personal data is, in that sense, a universal one that is not restricted to nationals or residents of a certain country. The term “natural person” also carries the requirement that “personal data” is about “living individuals”. Under the GDPR, the personal data of deceased individuals is not covered, but may still indirectly receive some protection in certain cases, in particular when that personal data also involves data subjects who are still alive.

What is sensitive data under the GDPR?

The following personal data are considered as special categories of personal data and are subject to specific processing conditions according to the Art. 9 of the GDPR:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade-union membership;
  • genetic data, biometric data processed solely to identify a human being;
  • health-related data;
  • data concerning a person’s sex life or sensitive data. 

What about online identifiers?

Recital 30 of the Regulation clarifies the definition of “online identifier” mentioned in Article 4:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Device IDs, IP addresses and cookies are considered personal data under the GDPR. According to the definition of PII, they are not PII because they are anonymous on their own and cannot, by themselves, be used to identify, trace, or locate a person.

What about pseudonymised data?

Personal data is considered anonymised if it does not relate to an identified or identifiable natural person, or if it has been rendered anonymous in such a manner that the data subject is not, or is no longer, identifiable.

Pseudonymisation of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified. Are pseudonymised data still considered as personal data?

According to the Article 29 Working Party opinion, personal data that has been de-identified, encrypted or pseudonymised but can still be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not, or no longer, identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
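The distinction drawn in the two preceding paragraphs (pseudonymised data remains personal data because the “additional information” needed to reverse it still exists; anonymised data does not) is easiest to see in code. The following is an added example written for this article, not code from TechGDPR or from any regulator; the customer records, the secret key and the threshold k=2 are constructed for illustration. The pseudonym is an HMAC-SHA256 of the e-mail address: whoever holds the key and a list of candidate addresses can map each token back to a person, so the pseudonymised table is still in scope of the GDPR. The aggregated counts, by contrast, drop the identifiers entirely and suppress small groups, so no row can be traced back to an individual.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample customer records (illustration only, not from the article).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Berlin", "plan": "pro"},
    {"name": "Bob Example",   "email": "bob@example.org",   "city": "Berlin", "plan": "free"},
    {"name": "Carol Example", "email": "carol@example.org", "city": "Berlin", "plan": "pro"},
    {"name": "Dan Example",   "email": "dan@example.org",   "city": "Lisbon", "plan": "free"},
]


def pseudonym(email: str, key: bytes) -> str:
    """Keyed token standing in for an e-mail address (HMAC-SHA256, truncated to 16 hex chars).

    Normalising the address first keeps 'Alice@Example.org' and 'alice@example.org'
    mapped to the same token. The key is the 'additional information' that makes
    the result reversible by its holder, which is why this is pseudonymisation, not
    anonymisation.
    """
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the direct identifiers (name, e-mail) with a pseudonym, keeping the other attributes."""
    return [
        {"pseudonym": pseudonym(r["email"], key), "city": r["city"], "plan": r["plan"]}
        for r in records
    ]


def reidentify(pseudonymised, key: bytes, candidate_emails):
    """Map pseudonyms back to e-mail addresses.

    Anyone holding the key and a candidate list (e.g. the controller's own CRM export)
    can do this, so the pseudonymised table still 'relates to an identifiable natural
    person'. Without the right key every lookup misses, which is what the key must protect.
    """
    lookup = {pseudonym(e, key): e for e in candidate_emails}
    return {row["pseudonym"]: lookup.get(row["pseudonym"]) for row in pseudonymised}


def anonymise_counts(records, k: int = 2):
    """Aggregate to (city, plan) counts and suppress groups smaller than k.

    No identifier survives and small groups that could single someone out are removed,
    so the output cannot be reversed to an individual record: this is anonymisation in
    the sense of the Article 29 Working Party opinion (irreversible).
    """
    counts = Counter((r["city"], r["plan"]) for r in records)
    return {group: n for group, n in counts.items() if n >= k}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-secret"   # constructed for the demo
    table = pseudonymise(RECORDS, key)
    emails = [r["email"] for r in RECORDS]
    print("pseudonymised:", table)
    print("re-identified with key:", reidentify(table, key, emails))
    print("re-identified with wrong key:", reidentify(table, b"wrong-key", emails))
    print("anonymised counts (k=2):", anonymise_counts(RECORDS, k=2))
```

The practical consequence for a controller is that the HMAC key (and any candidate list it could be joined against) must be stored and access-controlled separately from the pseudonymised table; the pseudonymised table is a security measure under the GDPR, not an exit from it. Only the aggregated output can be shared without the GDPR’s obligations attaching.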

PII includes any information that can be used to re-identify anonymous data. Information that is anonymous and cannot be used to trace the identity of an individual is non-PII. Device IDs, cookies and IP addresses are not considered PII in most of the United States. But some states, like California, do classify this data as PII. California classifies aliases and account names as personal information as well.

In a nutshell, PII refers to any information that can be used to distinguish one individual from another. The GDPR definition of personal data is – deliberately – a very broad one. In principle, it covers any information that relates to an identifiable, living individual. 

The post What is the difference between personally identifiable information (PII) and personal data? appeared first on TechGDPR.

Personal data and cold calling under the GDPR https://techgdpr.com/blog/personal-data-cold-calling-gdpr/ Tue, 25 Jun 2019 15:15:25 +0000
A personal data focused analysis of how to practice cold calling in compliance with the GDPR.

Cold calling individuals is like throwing a rock in a pond with the hope of catching a fish. Obviously, the success rate is high enough to justify manning the phone with a single person all the way up to outsourcing a floor’s worth of call center advisers. But how can you continue making cold calls when you have purchased personal data?

With lots being said about the GDPR signalling the death of sales and marketing as we know it, it’s hard to make sense of how much room remains for your organisation to call up an unsuspecting prospect in a compliant way. While you can’t avoid raising suspicion as to where the data subject’s number originated from, there is a wide spectrum of practices, ranging from downright non-compliant data collection to a fully fulfilled duty to inform. Though it is limiting to approach the Regulation with a single use case, it remains the best way to avoid opening the floodgates to exceptions. For the purposes of this post, I’ll cite the following example:

Having been called out of the blue by a company offering to teach her online trading, a good friend of mine inquired as to her data protection rights. When she asked the sales agent on the call where he had found her number, he was quick to answer that his boss had provided it. Concerned that, having registered as a job candidate on several job sites in the past, her phone number might have been passed on to the company making the call that day, she also wanted help determining her rights as regards the company to which she had initially entrusted her phone number.

Can personal data be sold and bought under the GDPR?

Inheriting personal data sets from a third party with no proper documentation (e.g.: legal basis for initial collection, records of the duty to inform being fulfilled by the initial controller, recorded consent or readily available consent matrix) is a liability for both the personal data broker and the purchaser. At the very least, records of processing activities should establish a trace of the transaction since personal data sold to a third party is a data transfer to a recipient. Additionally, your organisation will need to prove that subjects were informed this transfer would take place or that you informed them within a month of purchasing their personal data that your organisation now processes it. More on this further on. 

Failing to document what information was communicated and which legal basis applies violates both the data protection principles of lawfulness and transparency and that of purpose limitation, exposing you to the heaviest of fines: 4% of annual turnover. If your organisation has purchased personal data from a third party source, don’t hide that information. Should your staff be tempted to turn down a data subject’s request to know the origin of that data, make sure they have been trained to recognise the request as a genuine data subject request. Article 14.2(f) makes it compulsory for organisations to inform data subjects, if requested, of the source of data that was not collected from them directly.

The worst scenario on your call-center floor is for an agent to downplay that request and respond that the subject’s phone number was communicated by their line manager. You may need to review your processes, knowledge base and staff training on how to handle data subject requests. You would be surprised how many people use built-in or third party call recorder apps on their phones.

While you can sell and purchase personal data, you have to be very clear about it. Unlike the CCPA, the GDPR does not make it a requirement to disclose that the data will be sold, instead it makes it a requirement to disclose who will be receiving it.

In that respect, the CCPA more explicitly acknowledges the commercial uses of personal data. It makes it a requirement to disclose such uses and to allow subjects to opt their data out of the sale. In that respect, it allows for slightly more traceability in the data supply chain than the GDPR does. Keep in mind that small print at the end of a 10-page privacy policy will not impress authorities. Requirements of concision and clarity can be found in Article 12.1.

Can our organisation cold call data subjects?

Yes, it can.

Central to data protection is your duty to inform. Fulfilling it puts your organisation in line with GDPR’s principle of lawfulness, fairness and transparency (GDPR Art.5.1).

It is likely that the applicable legal basis for processing personal data in your case is legitimate interest. Yet having determined an applicable legal basis does not make you compliant unless the purpose and the legal basis are formally communicated to the data subject.

Can data subjects refuse to be the target of your direct marketing?

Yes, under Article 21.1 of the GDPR, an individual has the Right to Object. While this right is typically designed to put the burden of proof on the controller to show that its processing of personal data is done in the controller’s legitimate interest, the data subject also has the right to object outright to the use of their data for direct marketing. This means that your company will have to flag the personal contact data to prevent it from being used for that purpose. This is one of the few technical and organisational measures made explicit in the GDPR. Apply it if the data is nonetheless required to serve other purposes, such as the performance of a contract. Should the data serve no other purpose, the principles of data minimisation and purpose limitation dictate the complete deletion of the personal data.

As hinted above, do not expect the data subject to formally submit a deletion or objection request via your data protection officer. Treat their request on the phone as officially as you can, which naturally raises the expectations placed on staff compliance training.

Must I perform my duty to inform during the call?

Where the CCPA does not make it compulsory for organisations to disclose having transferred or sold a subject’s data unless the subject requests to know, the GDPR makes it a requirement to proactively inform about the transfer of personal data to a third party or recipient.

While a strict reading of the GDPR might lead you to believe that you should read your complete privacy policy out on the phone, in reality the situation is not that extreme, but it needs to be broken down a little.

If, prior to the call, you have collected the contact information from the data subject, you will have already informed them, and collected consent (if such is your legal basis), on the purpose of processing. On the call itself, you might be inclined to remind the data subject of the legal base on which you are currently operating but there is no GDPR provision making this a requirement other than building trust and plain courtesy.

If you have not collected the data from the data subject but obtained their contact details from a different source, or a third party, then you should inform data subjects of your full identity and contact details, what data you have collected, under what legal basis (or bases) you have done so, what retention period governs that data processing and what rights the data subjects can exercise. GDPR Art. 14.3(a) sets the time frame for the duty to inform to within a reasonable period after obtaining the personal data, and no more than one month.

Should you place a call to the data subject before having informed them of the above, you should understandably be prepared to read this information out to them and facilitate the exercise of their data subject rights (GDPR Art.12).

A full list of elements your communication should include is available in Articles 12 to 14.

What if the data subject actually consents to their data being used when on call?

Technically, you could record the call to document consent, but consent for that form of data collection (audio recording) would first be needed. Recording a call is nothing short of collecting biometric and personal data and, in many cases, transferring that data to servers or cloud services across the Atlantic. If your cloud provider is not listed under the EU-US / Swiss-US Privacy Shield and no other legal instrument allows for that transfer, the call recording would fail the compliance test on many levels.

A best practice often witnessed involves sending an opt-in email immediately after the call which recaps the essence of your phone conversation, what you agreed to share, the data the subject consented to disclosing and which were the purposes stated. You might want to consider including the date at which the conversation took place in the body of the text, i.e.: not relying on the email client’s automated time stamp.

Yes, your organisation can sell or purchase personal data and place cold calls.

The GDPR only prohibits both forms of personal data processing when they are done unlawfully. Unlawful data processing in the case of direct unsolicited marketing by phone is characterised by depriving data subjects of their rights, violating the data protection principles of fairness, transparency and accountability, failing to inform them upon acquisition or collection of their data, depriving them of information when you first come into contact with their personal data, and not supporting them in the exercise of their rights. If you have these items under control, you’re good to proceed with a fair degree of confidence in your compliance.

If you need help with reviewing your data protection practices, your data flows, your compliance documentation and call center staff or management training, get in touch.

TechGDPR specialises in digitised environments and products including AI, machine-to-machine / IoT transactions and Blockchain applications. We offer consulting packages, hourly support, staff training and workshops.

The post Personal data and cold calling under the GDPR appeared first on TechGDPR.

Is total privacy GDPR compliant? Zcash report shows how “Privacy by Design” handling of personal data gets us close. https://techgdpr.com/blog/privacy-gdpr-compliant-zcash-least-authority-personal-data/ Tue, 05 Feb 2019 15:18:57 +0000
Last week, Forbes examined the promise of privacy in the P4 protocol in the article “Zcash Out To Prove Privacy Is Key To Crypto Adoption With GDPR-Complying Use Cases” by Darryn Pollock. Pollock’s article included a link to TechGDPR’s Zcash GDPR assessment. In addition to the article in Forbes, Zcash has published its own statement, as has its spin-off company, Least Authority. Now is a great time for TechGDPR to provide a summary of our conclusions to add to the discourse.

On Confidentiality

Before getting into the details, I first want to emphasise that TechGDPR works with a wide variety of clients, and we approach our specialised consulting for each client with the utmost confidentiality, unless a client states otherwise. Zcash is among the clients that have taken steps to publicly discuss this GDPR compliance assessment. It is with the permission of both Zcash and Least Authority that TechGDPR released our report.

Zcash GDPR assessment on the P4 protocol

In October 2018, TechGDPR conducted a GDPR compliance assessment of the P4 protocol specification on behalf of the Zcash Company and Least Authority. This assessment reflects important conversations among regulators, compliance advisors, and implementers of blockchain and other cutting edge technologies in the context of the GDPR and other privacy-protecting regulations.

Data gathered while utilizing the P4 protocol is mostly anonymous, and only a few types of data could potentially be flagged as personal, and therefore in scope of the GDPR. The risk of identifying natural persons through the use of Least Authority’s S4 storage service is significantly mitigated by the use of zero knowledge proofs in Zcash’s shielded transactions. Other regulations, such as financial regulations, anti-money laundering regulations, and know-your-customer regulations, may be triggered by anonymous online services. And although new regulations around the world are attempting to make services providers responsible for their users’ content, Zcash has been favorably received by financial regulators.

TechGDPR’s Findings

The assessment conducted by TechGDPR (PDF available here) asserts that implementation of P4 does not likely raise any major issues regarding GDPR compliance, apart from the consideration whether or not to allow customers to use S4 for data processing under GDPR, and how to effectively prevent this (see finding #11: “Possible role of data processor”). A few matters require highlighting as they may become an issue in the future as the usage of the service changes (finding #2: “File deletion, garbage collection”), or the interpretation of the GDPR evolves further (findings #1: “Logging IP Address” and #3:”Consequences of maintaining a full node”). The biggest concerns are related to the processing of data within S4, not within P4. The P4 protocol itself only presents concerns if subscribers insist on paying from transparent addresses.

TechGDPR also concluded that as long as Zcash transactions cannot be linked back to a natural person, because they are private or because no link between the t-address and the user exists, the transaction within Zcash and payment information itself should be considered anonymous and therefore out of scope of the GDPR.

In our opinion, the P4 service allows for as close to anonymous usage as you can get with current technology, with important caveats regarding user practices and user volume. The full benefits of P4 can only be realised if the user is extremely cautious with how they use it, as is the case with most privacy-preserving solutions today. Least Authority has tried to make it harder for users to make mistakes (i.e., by requiring Tor); however, it is still possible to gather some information through leaked metadata or trivial mistakes by the user that may, over time, be enough to link the usage back to a person. As the user base grows, maintaining anonymity will become easier, since establishing a relationship between specific users and their data or metadata will become increasingly difficult.

Privacy-enhancing technology, including P4, is not perfect. It is difficult to use, and requires perfect handling by both the user and Least Authority. Still, technologies like P4 go a long way toward challenging the advertising-surveillance model of the modern internet, and illustrate how blockchain-based technologies could show a new way forward.

Zcash looks forward

A statement released on Friday by Zcash declared, “We are at the beginning of what promises to be a longer journey toward privacy-by-design in the realm of blockchain technology.”

Total anonymity may not be possible, but the policies outlined in the GDPR show legitimate demand and P4 demonstrates that we can get pretty close.

The post Is total privacy GDPR compliant? Zcash report shows how “Privacy by Design” handling of personal data gets us close. appeared first on TechGDPR.

California Residents Gain Strongest Data Privacy Rights in US https://techgdpr.com/blog/california-residents-gain-strongest-data-privacy-rights-in-us/ Wed, 22 Aug 2018 16:03:08 +0000
Data privacy law in California just took a giant step forward. The new California Consumer Privacy Act, which was passed at the end of June 2018, is the strictest data privacy law in the United States to date. With many GDPR-like qualities, this new legislation could signify a larger trend in US policy regarding data protection and privacy rights, especially given California’s status as the reigning US tech innovator and home to many of America’s largest, most competitive technology companies. Longer term, the commitment to data privacy rights within America’s most populous state could increase the pressure on other states, or even the federal government, to follow suit.

The California Consumer Privacy Act: Another GDPR?

The California Consumer Privacy Act incorporates several aspects of the GDPR into its legislation. It has a broader definition of personal data, and it emphasizes transparency with respect to the processing of data. Additionally, the law promotes subject access requests, the right to be forgotten, and data portability. It will enable data subjects to request the categories, sources, and business purposes of personal data collected by a company, and the data subjects can request what categories of personal data are being sold to different classifications of third parties.

Furthermore, a company must disclose information as to what specific personal data is collected, how it is collected, its purpose, and to whom it is shared and sold within 45 days of a data subject’s request. The company must have a way of verifying the identity of the individual making the request. Also, the business must publish its privacy policy online and include a conspicuous link saying “Do not sell my personal information” if it sells personal data.

Despite the obvious regulatory hurdles, the positive side for many tech companies is that much of what they have already undertaken to comply with the GDPR will serve them well once the California Consumer Privacy Act becomes law. Companies still not prepared for GDPR regulation, on the other hand, may now be under twice the pressure, and possibly suffer twice the scrutiny.

Data Privacy in California: Who is Affected?

The law protects any data subject who is a “natural person who is a California resident,” and it creates regulations for companies that conduct business in the state of California and collect consumers’ personal information for profit. Also, it must meet at least one of the following criteria: it has a gross revenue of more than $25 million annually, “alone or in combination, annually buys, receives for the business’[s] commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices,” or 50% or more of annual revenue comes from selling consumers’ personal data.

Just as companies outside of Europe that handle the personal data of Europeans must comply with GDPR mandates, companies outside California’s borders are similarly compelled to comply with the state’s new data privacy requirements. With the state set to surpass 40 million residents by the time the law comes into effect, it is also fair to say that nearly all companies that handle the personal data of American consumers will be affected by this legislation to some degree.

A Different Approach from the GDPR

The penalties of the California Consumer Privacy Act reflect a distinctly American approach compared to the GDPR’s. First, the law allows consumers to sue a business for a violation. A company may also be prosecuted by the California Attorney General if the violation is not corrected within 30 days. An organization could be required to pay damages of up to $750 per consumer after a data breach, and if a company intentionally violates the law, it may be fined up to $7,500 per violation. Under the GDPR, a company faces a fine of up to €20 million or 4% of annual global turnover. Comparing penalties, the GDPR places much harsher penalties on companies, but the California legislation still indicates a significant shift in the U.S. perception of data privacy and consumer rights.

Under the GDPR, processing personal data requires a legal basis. Where no other legal basis applies, the data subject’s consent is required; without it, their personal data cannot be lawfully processed. Under the California Consumer Privacy Act, by contrast, a data subject’s consent to the processing of their personal data appears to be assumed. The data subject can decide to opt out of the sale of their personal data, rather than “opting in” as under the GDPR. Although consumers are protected from a business discriminating against them for opting out, businesses are still allowed to offer a financial incentive for permitting the sale or collection of personal data. Additionally, an opt-out must be honored for a minimum of one year before a company may ask again. Nevertheless, the assumed consent of data subjects in California highlights that although this is a progressive law for the United States, it still lacks much of the weight of the privacy rights established by the GDPR.

Consumer Privacy: 2020

The California Consumer Privacy Act will go into effect on January 1, 2020, allowing businesses less than 18 months to prepare for the new regulations. While the Act is the first key example of data privacy legislation in the United States, it will not be the last. California’s significant influence over the technology sphere will quickly establish the importance of data protection—one that is likely to have an impact at both the state and national level. Even under current legislation, it is unlikely that all consumers will remain happy with a company providing one set of superior privacy services to California residents and another set of services to everyone else. Additionally, once a company has the capability, why not enable the same privacy process for all of its users and customers? Whether the incentives are political or for profit, the requirements for companies to provide advanced privacy options for consumers are becoming increasingly unavoidable.

Pierson Klein joined TechGDPR’s team as Legal Intern this summer. She is majoring in Law, Jurisprudence, and Social Thought at Amherst College (2020) in the U.S.A.



]]>