PRIVACY LAW—EU
Perspective: EU member states comment on GDPR's application
In preparation for requirements in Article 97 of the EU General Data Protection Regulation, a host of member state delegations submitted comments to the Council of the European Union on their evaluation and review of the application of the GDPR. In all, 19 member states commented in a 72-page document released 9 Oct. Of course, there's a lot in there to chew on, but IAPP Senior Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, has gone through the comments to assess how member states regard the application of the GDPR so far. Article 97 "has already prompted member states, supervisory authorities and other European institutions to deeply reflect upon the problems, obstacles and hindrances to the GDPR’s implementation and to share and discuss their observations and experiences with its application since it came into force last year," she writes. In this post for Privacy Perspectives, Fazlioglu offers her thoughts on the member state commentary and why privacy pros should pay attention to the process moving forward.
TRANSBORDER DATA FLOWS—EU & U.K.
New proposed Brexit deal reached, but what about data transfers?
More than three years after the U.K. voted in a referendum to leave the EU, a proposed Brexit deal is on the table just weeks ahead of a 31 Oct. deadline. U.K. Prime Minister Boris Johnson said it is a "great new deal" and that the U.K. Parliament will vote on it this Saturday, 19 Oct. The draft text of the deal released Thursday includes a section near the top on data protection, though it is far from certain if the U.K. Parliament will pass the current deal this Saturday. Bird & Bird Partner Ruth Boardman, IAPP Country Leader for the Netherlands and Privacy Management Partners' Jeroen Terstegge, CIPP/E, CIPP/US, and Hogan Lovells Partner Eduardo Ustaran, CIPP/E, offer their insights on this latest development in the Brexit saga in this post for Privacy Tracker.

ENFORCEMENT—GERMANY
German DPAs release GDPR fining guidelines
Germany’s Data Protection Conference, Datenschutzkonferenz, has announced it published guidelines for the country's new EU General Data Protection Regulation fine regime. In a post for his law firm, Latham & Watkins Partner Tim Wybitul, CIPP/E, wrote the guidelines will help make fines more "consistent and predictable" while fines will be higher, with larger organizations subject to steeper penalties. Wybitul adds that DSK will seek to have the European Data Protection Board adopt the new fine regime for all EU member states. (Articles are in German.) Editor's Note: Wybitul previously wrote for The Privacy Advisor on German DPAs seeking a new GDPR fine model.
ENFORCEMENT—EU
EDPB releases guidance on processing data for online services
The European Data Protection Board has published its guidelines for the data processing related to contracts for online services in the context of Article 6(1)(b) of the EU General Data Protection Regulation. The EDPB wrote that the guidelines aim to "outline the elements of lawful processing under Article 6(1)(b) GDPR and consider the concept of 'necessity' as it applies to 'necessary for the performance of a contract.'" The guidance addresses specific situations for how the law is applied, including processing for service improvement, fraud prevention, online behavioral advertising and personalization of content.

PRIVACY LAW—SPAIN
Spanish AEPD releases PbD guidelines
The Spanish Agency for Data Protection has released “Privacy Guide from the Design” guidelines to incorporate data protection principles and privacy requirements into new products or services from conception, CEPYME News reports. The document is divided into nine sections, including defining the foundational principles of PbD and privacy engineering, as well as different strategies for the practice. The guide notes "establishing a framework that guarantees data protection does not represent an obstacle to innovation, but rather offers advantages and opportunities for ... organizations, market and society as a whole." (Original articles are in Spanish.)
EMPLOYEE PRIVACY—EU
How to conduct background checks under GDPR
Employees are often considered the weakest link in organizational security, and in order to potentially mitigate risk brought on by staff, an entity may wish to conduct a background check to vet the people they ultimately hire. In this piece for The Privacy Advisor, HCL Technologies Privacy Office Senior Manager Piotr Foitzik, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, looks at how to perform a background check under the EU General Data Protection Regulation. Foitzik breaks down what organizations should do when they process special categories of data and the role local laws play in the process.

ENFORCEMENT—U.K.
ICO looks at considerations for using AI to fulfill DSARs
As part of its ongoing call for input for its framework for auditing artificial intelligence, the U.K. Information Commissioner's Office looks at the challenges organizations may face as they craft AI systems designed to help fulfill data subject access requests. ICO Research Fellow in Artificial Intelligence Reuben Binns writes about the use of AI systems for access, erasure and rectification requests under the EU General Data Protection Regulation and where potential exemptions may pop up. Meanwhile, ICO Executive Director for Technology Policy Simon McDougall offers his takeaways from the recently concluded TechSprint event hosted by the Financial Conduct Authority.
PRIVACY RESEARCH—APAC & EU
Study: Ireland tops list for protecting privacy of citizens
A Comparitech survey shows Ireland tops the list of 47 countries in protecting the privacy of its citizens, the Bangkok Post reports. The study assessed privacy protection and the state of surveillance in the countries surveyed, examining several categories, including the use of biometrics and data sharing and retention laws. Ireland scored 3.2 out of 5, topping the list due to its Data Protection Commission’s active role and general resistance toward the introduction of biometrics on ID cards. China, Russia, India, Malaysia and Thailand ranked among the worst in privacy protection, with China being the worst with a 1.8 out of 5.
BIG DATA—FRANCE
French minister offers warning about European use of AWS
French Junior Economy Minister Agnes Pannier-Runacher said Europe is running out of time if it ever wishes to wean itself off Amazon Web Services, Reuters reports. She added if Europe cannot find an alternative to AWS within 24 months, the region runs the risk of "a loss of sovereignty. This is what I’m hearing from experts, including French people in Silicon Valley, who underline how worrisome this situation is."
PRIVACY LAW
Roundup: Canada, EU, Sri Lanka, UK, US and more
In this week’s Privacy Tracker global legislative roundup, the pieces to the California Consumer Privacy Act puzzle began falling into place. Also in the U.S., the Federal Trade Commission continued its review of the Children’s Online Privacy Protection Act, a group of House Democrats is throwing support toward a new federal privacy bill, and California has put a ban on police using facial-recognition software. The European Data Protection Board offered new guidance on a particular form of data processing, and Sri Lanka has drawn up a final draft of its data protection law. (IAPP member login required.)
PRIVACY LAW—EU
Brave calls for strong ePrivacy Regulation in letter to EU governments
In a blog post on the company's website, Brave Chief Policy & Industry Relations Officer Johnny Ryan publicized a letter sent to EU governments that pitched for strong privacy protections in any ePrivacy Regulation proposals. "Brave’s letter, sent this morning, summarizes why a prohibition on cookie walls is necessary," Ryan wrote in the post. "It also supports the 'privacy by default' requirement for web browsers and operating systems." European Digital Rights also announced it joined four advocacy groups in sending their own letter to EU member states regarding a stringent ePrivacy Regulation.
ENFORCEMENT—IRELAND
Op-ed: Does Ireland’s DPC funding breach EU rules?
In an op-ed, The Irish Times asks if a recent decision to fund Ireland’s Data Protection Commission at 27% of its requested increase for 2020 is a breach of EU rules. In a complaint filed with the European Commission, Castlebridge Founder and Managing Director Daragh O'Brien argued the state may have breached its obligations under the EU General Data Protection Regulation, Law Enforcement Directive and EU Charter of Fundamental Rights. The commission requested the additional funds due to the “increased volumes and complexities” of the GDPR. The Irish Times column says the underfunding potentially puts the government at risk “by leaving the commission without proper resources.”

BIG DATA
Apple defends data-sharing practices
MediaPost reports Apple has defended its sharing of private search browser data, which was reported last week by Reclaim the Net. The prior report claimed Apple was sharing browser data with Google and Chinese tech company Tencent. The embedded sharing function, which is built into the Safari browser on Macs, iPhones and iPads, is mentioned in Safari's privacy policy. Login passwords for banks, email addresses and social media accounts are among the information that can allegedly be accessed and shared. Meanwhile, Fast Company reports Google's auto-delete tools are not as privacy-friendly as perceived, and The Hill reports Instagram announced a new feature to give users more control over their data.
INTERNET OF THINGS
Nest implements tighter privacy protections
Google and Nest are working to rein in the risks of home automation, implementing a tighter set of rules for partner devices to prevent third-party-driven data breaches, The Verge reports. In a blog post Tuesday, Google laid out three ways to integrate devices, combined with protections to keep user data private and secure. A limited set of “Home Routines” can perform basic tasks that can be activated without sharing data, a new developer program will allow individuals to reprogram their own Nest devices, and the “Device Access” program allows users to control which systems have access to devices in their home. Nest has put restrictions on the companies that can participate in the program.

MARKETING PRIVACY
Google’s machine learning-based frequency proposal raises concerns
Google is experimenting with changes to online targeting and tracking of consumers with privacy in mind, but not everyone is satisfied, Adweek reports. Google recently proposed a machine learning feature to help advertisers manage ad frequency without the use of third-party cookies. The company introduced updates to its Chrome web browser that enhance privacy and its recently unveiled Display & Video 360 feature that "can create models to predict traffic patterns" without a third-party cookie. Smart AdServer Chief Marketing Officer Michael Nevins said managing frequency while respecting privacy is laudable but primarily serves Google’s interests as it only provides value to Google's advertisers, while others say third-party verification will be needed for machine learning models.
BIG DATA
Google's Osterloh speaks on Pixel data collection, regulating facial recognition
In a one-on-one interview with BBC News, Google Senior Vice President of Devices and Services Rick Osterloh discussed various privacy topics related to the Pixel 4 smartphone. Osterloh addressed recent allegations of improper data collection by a Google contractor that worked on weeding out bias with the Pixel 4's facial-recognition software. Regarding the retention of data despite a potential improper collection and lack of proper consent, Osterloh said, "The best approach here would be to discuss it once we've actually looked into the facts and understood what has happened." Later in the interview, he said he hopes potential facial-recognition regulations will "be clarified quickly" but "thoughtfully navigated."

HEALTH CARE PRIVACY
Researchers rolling out privacy-preserving AI learning system for medical analysis
ZDNet reports artificial intelligence researchers from big tech company Nvidia and King's College London will debut a new federated learning system that will allow doctors to collaborate on cases without sharing patient data. The new system will help neural networks function on decentralized data that follows an algorithmic model at different locations. The anonymized data is created through partial system contributions from network participants and the injection of white noise.
BIG DATA
Microsoft's Smith: Privacy has reached a 'crisis point'
Microsoft President Brad Smith is calling for antitrust laws to be updated for the digital age, CNN reports. Smith said in an interview that businesses should calculate how much consumer data they have instead of calculating market share when trying to determine if they are monopolies. He also said privacy has reached a "crisis" point, "and it would benefit us to treat it that way," calling for a federal U.S. privacy law similar to the EU General Data Protection Regulation. He recommended U.S. businesses get ahead of the curve and offer those rights to customers now rather than later.
INFOSECURITY
Cyberattacks target nearly half of small businesses
CNBC reports nearly half of small businesses are targets of cyberattacks, yet only 14% can defend against the attacks, according to a new study from Accenture. Additionally, insurance carrier Hiscox revealed the attacks cost small businesses $200,000 in damages, causing 60% of them to close within six months after the initial attack. Despite the increased attacks and cost they inflict, key decision-makers "believe they're unlikely to be targeted by online criminals," according to the report. MedReview Chief Technology and Security Officer Dan McNamara noted, "It’s important to take a multi-faceted approach to cybersecurity."
PRIVACY OPINION
Snowden: Encryption is vital to privacy
In an opinion piece for the Guardian, U.S. National Security Agency whistleblower Edward Snowden says without encryption, "our public infrastructure and private lives will be rendered permanently unsafe." The primary method of keeping digital communications safe, Snowden says, is at risk with governments of the U.S., U.K. and Australia attempting to undermine the process. Security leaders have co-signed an open letter demanding Facebook abandon its proposals that incorporate end-to-end encryption in its Facebook Messenger and Instagram messaging app. If successful, "the communications of billions will remain frozen in a state of permanent insecurity: users will be vulnerable by design," Snowden writes.
PRIVACY OPINION
Op-ed: Protect your privacy with ‘obfuscation’
In a world where people are tracked by cameras, cellphone data, travel logs, online purchases and more, the costs of "opting out" of surveillance and data-collection systems are "high and getting higher," New York University Department of Media, Culture, and Communication Assistant Professor Finn Brunton and Cornell Tech Information Science Professor Helen Nissenbaum write in an op-ed for Quartz. They write that while it is not possible for everyone to opt out, there are ways to carve out "resistance" to the constant tracking of surveillance. "There is no simple solution to the problem of privacy," but an "obfuscation approach" offers "ways to carve out spaces of resistance, counterargument, and autonomy," they write.