GDPR & Others
Companies exempt from CCPA
- small companies (below the revenue/volume thresholds)
- public agencies
- non-profits
- entities not doing business in CA
Note: an entity that controls or is controlled by a covered business and shares common branding with it is NOT exempt; it is treated as part of the covered business
Challenges of Preventing & Responding to Data Breaches
- even sophisticated organizations experience breaches
- reassessing notification rules --> little meaningful improvement --> places the burden on individuals
- most data breaches do NOT result in financial harm for the company
Patchwork
--> US lacks a single comprehensive federal law regulating the collection & use of PD; regulation is sectoral, e.g. Health Insurance Portability & Accountability Act (HIPAA)
- separate privacy laws govern specific areas of health care ---> e.g. student immunization records held by schools are covered by the Family Educational Rights & Privacy Act (FERPA), not HIPAA
- FERPA conflicts w/ the Children's Online Privacy Protection Act (COPPA), which covers only children under 13 yrs
Article 15; right of access by the data subject
1. Right to obtain confirmation that PD is being processed and access to it, plus:
- purposes of the processing
- categories of PD concerned
- recipients
- envisaged period for which the PD is stored
- right to lodge a complaint w/ a supervisory authority
- any available info as to the source (where not collected from the data subject)
- existence of automated decision-making, incl. profiling
2. Where PD is transferred to a third country or international org --> right to be informed of the appropriate safeguards
3. Controller shall provide a copy of the PD undergoing processing
4. The right to obtain a copy shall not adversely affect the rights & freedoms of others
Article 82; right to compensation & liability
1. Any person who has suffered material or non-material damage as a result of an infringement has the right to receive compensation from the controller or processor; proceedings are brought in the courts of the member state where the controller/processor is established or where the data subject habitually resides (Art. 79)
2. Controller involved in the processing is liable for the damage caused
3. Processor is liable only where it failed its processor-specific obligations or acted outside/contrary to the controller's lawful instructions
4. Each is exempt if it proves it is not in any way responsible for the event giving rise to the damage
5. Joint & several liability: where more than one controller/processor is responsible, each is liable for the entire damage, to ensure effective compensation of the data subject
   California contrast: comparative fault apportions responsibility by percentage among defendants (e.g. one defendant found 35% at fault) ---> each is liable for its own portion, and where liability is joint each is also liable for the whole
6. Indemnity (contribution) rights apply: a controller/processor that paid full compensation may claim back from the others the part corresponding to their share of responsibility
Article 5; principles relating to processing of personal data
1. Personal data shall be:
- processed lawfully, fairly & transparently
- collected for specified, explicit & legitimate purposes (purpose limitation)
- adequate, relevant & limited to what is necessary (data minimisation)
- accurate & kept up to date
- kept in a form that permits identification for no longer than necessary (storage limitation)
- processed w/ appropriate security (integrity & confidentiality)
2. Controller is responsible for, and must be able to demonstrate, compliance (accountability)
Article 3; territorial scope
1. Reg applies to processing of PD in the context of the activities of an establishment in the Union, regardless of whether the processing takes place in the Union
2. Applies to processing of PD of data subjects in the Union by a controller/processor NOT established in the Union where the processing relates to:
- offering goods/services to data subjects in the Union (paid or free)
- monitoring their behaviour, as far as the behaviour takes place in the Union
3. Applies to a controller not established in the Union but in a place where member state law applies by virtue of public international law
Personal data / Processing / Restriction of processing
1. Personal data: any information relating to an identified or identifiable natural person
2. Processing: any operation performed on PD (collection, storage, disclosure, erasure, etc.)
3. Restriction of processing: marking stored PD with the aim of limiting its future processing
Article 8; child's consent
1. Consent of a child is lawful where the child is at least 16 years old ---> under 16 = consent given or authorised by the holder of parental responsibility (member states may lower the age, but not below 13)
2. Controller must make reasonable efforts to verify that consent was given or authorised by the parent
3. Does not affect the general contract law of member states
Article 20; the right to data portability
1. Data subject has the right to receive PD in a structured, commonly used, machine-readable format where the processing is:
- based on consent or a contract
- carried out by automated means
2. Right to have PD transmitted directly from one controller to another, where technically feasible
3. W/o prejudice to Art. 17; does NOT apply to processing necessary for a task in the public interest or official authority
4. Shall not adversely affect the rights & freedoms of others
Article 7; conditions for consent
1. Controller must be able to demonstrate that consent was given
2. Request for consent must be clearly distinguishable from other matters, in clear & plain language
3. Right to withdraw consent at any time (as easy as giving it)
4. When assessing whether consent is freely given, account is taken of whether, inter alia, performance of a contract is made conditional on consent to processing that is not necessary for that contract
Controller / Processor / Recipient / Third party
1. Controller: entity that determines the purposes & means of processing PD
2. Processor: entity that processes PD on behalf of the controller
3. Recipient: entity to which PD is disclosed, whether a 3rd party or not (public authorities receiving PD in a particular inquiry are NOT recipients)
4. Third party: anyone other than the data subject, the controller, the processor, and persons who, under the DIRECT authority of the controller or processor, are authorised to process PD
Main establishment / Representative / Enterprise / Group of undertakings
1. Main establishment: for a controller established in more than one member state, the place of its central administration in the Union
2. Representative: entity in the Union designated to represent a controller/processor not established in the Union
3. Enterprise: any entity engaged in economic activity (incl. partnerships or associations)
4. Group of undertakings: a controlling undertaking & its controlled undertakings
Supervisory authority / Supervisory authority concerned / Cross-border processing
1. Supervisory authority: independent public authority established by a member state
2. Supervisory authority concerned: concerned by the processing of PD b/c
- the controller/processor is established in that member state
- data subjects residing in that member state are (or are likely to be) substantially affected
- a complaint has been lodged w/ that supervisory authority
3. Cross-border processing: processing in the context of establishments in more than one member state, OR processing by a single establishment that substantially affects data subjects in more than one member state
Genetic data / Biometric data / Data concerning health
1. Genetic data: PD relating to inherited or acquired genetic characteristics
2. Biometric data: PD resulting from specific technical processing relating to physical, physiological or behavioural characteristics that allow unique identification (e.g. facial images, fingerprints)
3. Data concerning health: PD related to physical or mental health, incl. the provision of health care services
Article 6; lawfulness of processing
1. Processing is lawful only if at least one of the following applies:
- data subject consent
- necessary for performance of a contract
- necessary for compliance w/ a legal obligation ---> under Union law or member state law
- necessary to protect vital interests
- necessary for a task in the public interest / official authority
- legitimate interests of the controller or a 3rd party (NOT available to public authorities in the performance of their tasks)
2. Member states may introduce more specific provisions for the legal-obligation and public-interest bases
3. Further processing for a purpose other than the one the PD was collected for (where not based on consent or law): the controller must assess compatibility, considering
- link b/w the original purpose & the new purpose
- context in which the PD was collected
- nature of the PD
- possible consequences for data subjects
- existence of appropriate safeguards (e.g. encryption, pseudonymisation)
Consumer Privacy Bill of Rights / Fair Information Practice Principles
1. Individuals retain an ongoing interest in how their info is used
2. Organizations need processes & procedures for handling it
Article 1; subject matter & objectives
1. Protection of natural persons w/ regard to the processing of personal data
2. Free movement of PD w/in the Union shall NOT be restricted or prohibited for reasons connected w/ personal data protection
Article 22; automated individual decision-making, including profiling
1. Right not to be subject to a decision based solely on automated processing (incl. profiling) that produces legal or similarly significant effects
2. Does NOT apply if the decision:
- is necessary for a contract b/w the data subject & the controller
- is authorised by Union/member state law (w/ safeguards)
- is based on the data subject's explicit consent
Article 21; right to object
1. Right to object to processing based on public interest or legitimate interests ---> controller must stop unless it shows compelling legitimate grounds
2. Right to object to direct marketing (absolute; processing for that purpose must stop)
3. Must be explicitly brought to the data subject's attention
4. Objection may be exercised by automated means (information society services)
5. Research/statistical processing: may object UNLESS the processing is necessary for a task carried out in the public interest
Recommendations
1. Single comprehensive data-protection framework
2. Meaningful federal laws: resolve state & federal differences
3. Baseline privacy regime
a. cover all institutions
b. harmonize the gaps left by the sectoral approach
c. incentives skew toward prevention
d. legal framework --> address harms
- definition of privacy harm should expand
- private right of action to hold companies accountable
- regulators should have the ability to penalize entities that flout the rules
- Jack Balkin; information fiduciaries - duty of care for PI in exchange for legal certainty
Article 17; right to erasure ("right to be forgotten")
1. Grounds for erasure:
- PD no longer necessary for the purpose it was collected for
- consent withdrawn (and no other legal basis)
- data subject objects to processing (and no overriding grounds)
- PD unlawfully processed
- erasure required by a legal obligation
- PD collected in relation to the offer of information society services to a child
2. Does NOT apply where processing is necessary for:
- exercising freedom of expression & information (US analogue: 1st Amendment)
- compliance w/ a legal obligation
- public interest (public health, archiving/research, legal claims)
Profiling / Pseudonymisation / Filing system
1. Profiling: automated processing of PD to evaluate personal aspects - analyse/predict economic situation, health, interests, behaviour, location, etc.
2. Pseudonymisation: processing PD so that it can NO LONGER be attributed to a specific data subject w/o additional info, which is kept separately under technical & organisational measures
3. Filing system: any structured set of PD accessible according to specific criteria
1st Data Breach Notification Law
CA passed the first state breach notification law; CA + 48 states at the time of these notes (all 50 states now have one)
GDPR: Governance
- DPO required for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special-category data; DPIAs required for high-risk processing (not every business needs both)
- enforcement can be proactive: failing to implement appropriate security measures (Art. 32) is itself a violation, breach or not
CCPA: Governance
- no dedicated data officer or data assessments required
- the original Act gave businesses 30 days to cure an alleged violation after notice before AG enforcement (a cure period for violations, not a deadline to "fix" a breach)
GDPR: Penalties
- up to 4% of global annual turnover OR €20 million (whichever is greater) for the most serious infringements (principles, data subject rights, transfers)
- up to 2% of global annual turnover OR €10 million (whichever is greater) for other infringements (controller/processor obligations, security, DPO)
CCPA: Penalties
- civil penalty up to $2,500 per violation (unintentional) or $7,500 per intentional violation
- private right of action for breaches caused by failure to maintain reasonable security: statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater
GDPR: Opt & Rights
- OPT IN (consent must be affirmative)
- rights: to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object to processing, and in relation to automated decision-making & profiling
- child must be at least 16 yrs (member states may lower to 13), otherwise parental consent
CCPA: Opt & Rights
- OPT OUT (of the sale of personal info)
- rights: to request info (right to know), data portability, to opt out of sale, to access data, to deletion, to disclosure, to non-discrimination
- right to know covers only data collected in the preceding 12 months
- b/w 13 & 16 yrs --> the minor must opt in to the sale of personal info
- under 13 yrs --> parental consent required for sale
GDPR: Who
- any org that processes the personal data of people in the EU, even if the org is outside the EU (offering goods/services to, or monitoring, EU data subjects)
- personal data: any info relating to an identified or identifiable natural person (name, ID number, location data, online identifier, etc.)
CCPA: Who
- for-profit businesses doing business in CA that meet at least one threshold: $25 million+ annual revenue; OR buy/sell/share PI of 50,000+ consumers, households or devices; OR derive 50%+ of revenue from selling PI
- applies to businesses collecting PI of CA residents, wherever the business is located (not only CA-based businesses)
- personal information: any info that identifies, relates to, describes, or is reasonably capable of being associated with, directly or indirectly, a particular consumer or household (real name, postal address, etc.)
California Consumer Privacy Act (CCPA)
Gives consumers more control over the personal info that businesses collect about them:
- right to know
- right to delete
- right to opt out (of sale)
- right to non-discrimination
EU Law
Protects all personal data regardless of how it is processed (no sectoral carve-outs)
Article 18; right to restriction of processing
1. Data subject may obtain restriction where:
a. accuracy of the PD is contested (for the period needed to verify it)
b. processing is unlawful but the subject opposes erasure
c. controller no longer needs the PD, but the subject needs it for legal claims
d. subject has objected to processing, pending verification of the controller's grounds
2. While restricted --> PD may be stored, but otherwise ONLY processed w/ consent, for legal claims, to protect others' rights, or for important public interest
3. Data subject must be informed before the restriction is lifted
Federal Trade Commission
- de facto data security baseline via its authority over unfair or deceptive practices (FTC Act §5)
- limited jurisdiction: does NOT cover banks, insurance companies, nonprofit entities, or common carriers (incl. some internet service providers)
Relevant & reasoned objection
Objection to a draft decision (under the consistency mechanism) as to whether there is an infringement of the reg., or whether the envisaged action concerning the controller/processor complies w/ the reg.; it must clearly demonstrate the significance of the risks posed to data subjects
Article 16; right to rectification
Right to obtain from the controller, w/o undue delay, the rectification of inaccurate PD concerning him/her, and to have incomplete PD completed (incl. by a supplementary statement)