Privacy is complex. Even the most seasoned privacy experts would agree. Companies are tasked with staying on top of ever-changing privacy regulations that are often multifaceted and cumbersome to understand and put into action. More recently, as the workforce went remote due to COVID-19, companies relied heavily on third-party technologies in order to continue day-to-day business activities. This immediately raised concerns about third-party risk and vendor risk management. Returning to work has raised additional privacy issues, as many employers are now dealing with the risk of handling sensitive employee data, such as body temperature data or testing results. Securing budget had traditionally been a mammoth task for teams responsible for privacy management; however, we are now seeing a clear shift as companies start to invest in their privacy programs, not out of fear of regulators, but because they see the advantage of treating privacy as a core value instead of an afterthought. In fact, the 2020 TrustArc Global Privacy Benchmarks Survey found that, while the COVID-19 pandemic put a dent in privacy spending, 41% still expect to maintain increased privacy budgets.
So why should your company embrace privacy?
To Build Consumer Trust
TrustArc recently used third-party customer validation tool TechValidate to ask our customers why having a strong privacy program was important to their company. The overarching sentiment was that a strong privacy program means their customers can trust their data handling practices without fear of breaches or misuse. While regulatory fines can be devastating to a company financially, reputational damage can be just as crippling. Consumers care about how their data is used, now more than ever. In the TechValidate survey, a Data Protection Officer with a medium enterprise consumer products company that works with TrustArc stated that, “A strong privacy program goes beyond regulation and is built on a culture of data ethics. It is part of building and sustaining customer and employee trust.” Companies are now seeing that their privacy budget doesn’t just go into checking a box for compliance, but instead fosters a deep layer of trust between the customer and the company.
Because Privacy is not a Fad
From the GDPR to the CCPA to the LGPD to the CPRA, there are a lot of acronyms to be aware of in the privacy space. It’s clear that countries are moving in the direction of more privacy laws and regulations, especially as technology advances and raises privacy concerns that hadn’t existed previously. In fact, 76% of surveyed companies say the greatest challenge their company faces with privacy management is keeping track of new laws and regulations. Privacy is not a trend that is going to fade. The days of allowing companies to do whatever they want with customer data are gone. Companies must embrace this change and stay ahead of the regulatory changes in order to quickly adapt, maximize consumer trust and minimize risk.
Privacy is now a Major Competitive Differentiator
As mentioned previously, we are seeing more and more companies aligning themselves with privacy and embracing a strong culture of proper data privacy ethics. In 2019, Apple put privacy at the forefront of their marketing campaigns. Early that year, they placed a banner in Las Vegas during CES, putting a twist on the infamous Sin City catchphrase and touting the message “What happens on your iPhone, stays on your iPhone.” Later that year, they also created a well-produced TV ad which displayed all the ways in which we expect privacy in our daily lives (curtains, tinted car windows, locks, shredders, etc.) and confidently stated “If privacy matters in your life, it should matter to the phone your life is on,” followed by “Privacy. That’s iPhone.” Apple was not only saying they care more about consumer privacy than their competitors do, but also recognizing that privacy factors strongly into a consumer’s purchasing decision. As data privacy matters to more people, companies should take an approach that considers privacy during every stage of product development in order to ensure privacy is deeply rooted in the end product. Let privacy be a source of innovation, instead of an innovation killer.
Privacy is Complex. TrustArc Can Help.
TrustArc helps companies to stay ahead of the ever expanding privacy landscape, build consumer trust and turn privacy into a competitive advantage. Learn more by scheduling a demo today!
This past week in privacy law saw several unexpected developments. When this podcast started back in January, the intention was to record a series of conversations between K Royal and Paul Breitbarth with an occasional guest or recorded conference panel discussion. They would discuss what had happened in a week, place privacy and data protection developments around the world in context and provide insights based on their experience… And then COVID-19 happened, the podcast quickly became popular and guests became ubiquitous.
On this episode, Paul and K return to their roots of covering privacy news and developments, because so much happened recently. We’re in the middle of a privacy zone, with laws being lobbed all round us, guidance coming at us from all directions, and opinions shooting left and right – it’s like privacy officers need hazard pay. Listen to this episode on our website or stream the episode below.
The onset of COVID-19 has been a tremendous challenge for companies. Employee safety, closures, shifts in demand – all have tested businesses. Companies have scrambled to put in place measures to respond, including monitoring employee health, shifting to remote working, and safeguarding workplaces. Unfortunately, many of these new actions have raised serious questions about privacy.
Whether bringing employees back to the workplace, extending remote work, or considering a hybrid of both models, companies of all industries and sizes need to address new privacy concerns as they react to the pandemic. In this in-depth webinar designed for privacy professionals, Hilary Wandall, SVP, Privacy Intelligence and General Counsel at TrustArc, and David Thomas, CEO of Evident, will dive into the new challenges created by the global COVID-19 outbreak.
Topics will include:
– Implementing a pro-privacy approach to COVID-19: managing health surveys and responses, tracking symptoms, and contact tracing
– Effectively implementing remote work policies to manage privacy risk
– Developing expectations for employee privacy to increase trust and retention during the pandemic
The “Privacy & The Pandemic: Managing Risks Created by COVID-19” webinar will take place on 9/17 at 11:30am PST / 2:30pm EST. Register for the webinar now!
August has come and gone, and the European institutions are back from their summer break. The coming weeks will likely bring more clarity on the consequences of the Schrems-II decision of the Court of Justice of the European Union at the start of the summer. The European Data Protection Board (EDPB) has announced further guidance on the required “additional appropriate safeguards” is forthcoming, and the European Commission is in the process of finalizing a whole new set of Standard Contractual Clauses (SCCs). The first indications of what is coming were given on Thursday, during a hearing of the European Parliament committee on Civil Liberties, Justice and Home Affairs (LIBE). The LIBE committee heard from Commissioner Didier Reynders (Justice), EDPB Chair Andrea Jelinek as well as from Max Schrems himself. All three commented both on the judgment itself and on the way forward.
Mr. Reynders recognised that the Schrems-II ruling is an important political and geopolitical issue that will not be easy to solve. Conversations with the U.S. on a possible new data transfer framework have commenced, but it is impossible at this stage to provide a clear timeline. The upcoming U.S. elections in particular, as well as the likely need for Congress to be involved in any new agreement, rule out any quick fix. The Commissioner explained that the Commission wants to get it right this time, which also includes a completely new set of model clauses that will take into account the conditions set by the Court. Mr. Reynders indicated that the draft standard contractual clauses – which will also align the clauses with the GDPR – are likely to be published in the coming weeks as part of a consultation procedure, with the aim of having them adopted by the end of the year. Apart from Controller-to-Controller and Controller-to-Processor clauses, Processor-to-Processor clauses are also expected to be published.
The EDPB Chair explained the Board is fully committed to supporting the Commission in developing a new, compliant ‘framework’ for EU-U.S. data transfers. What that will look like is as yet unclear. In the meantime, the Board will provide as much guidance as possible to ensure businesses can continue to transfer personal data from the EU to third countries, not just the U.S. What is clear, however, Mrs. Jelinek said, is that in the short run there is no one-size-fits-all solution that will allow all data transfers to continue as if nothing has happened. Companies will need to take their responsibilities seriously and start their case-by-case analysis. In the coming weeks and months, the Board will publish building blocks that can serve as further guidance for the required ‘additional appropriate safeguards’. In addition, the existing opinions related to international data transfers (think of the opinions on Binding Corporate Rules [1, 2, 3], the Adequacy referential and the use of the Article 49 Derogations, but also the working document on the European Essential Guarantees) will be updated to reflect the Schrems-II decision.
Mr. Schrems very quickly made clear he does not believe a solution to the EU-U.S. data transfer challenges could be found in another executive agreement. This has been tried twice, and both times the Court of Justice has made clear the agreements offered insufficient safeguards to protect our fundamental rights. This means there are two options: change how the European Union looks at fundamental rights, or change the U.S. surveillance laws interfering with those fundamental rights. Giving up our fundamental rights would be a no-go for most in Europe, meaning that the only remaining option is to talk to the U.S. about their government surveillance programs, however hard that may prove to be. Furthermore, Mr. Schrems expressed concerns that U.S. industry actors do not seem to be taking the CJEU ruling seriously. From industry calls he attended, he got the impression many companies are not expecting strict enforcement of the transfer modalities by DPAs and therefore are not committed to updating their SCCs with additional safeguards.
During the question round with the members of the European Parliament, a lot of disappointment was expressed about the inactivity of the European data protection authorities. The GDPR has been in force for almost 2.5 years, but the enforcement of the rules is falling behind. As one MEP put it, it is thanks to diligent citizens like Mr. Schrems, who are willing to go to court over and over again, that there is still some protection of the fundamental right to data protection. Mr. Schrems added that he has received indications from the Irish Data Protection Commission that, despite the clear conclusion of the Court that DPAs have a duty to enforce the GDPR, a decision in his case is not expected imminently.
Members of the Parliament furthermore called for improved legal certainty, especially for small and medium enterprises, more guidance, and international agreements to solve these challenges, both on common privacy standards and on no spying between allies. An open question that the European Commission will need to take up with their U.S. negotiating partners is to what extent FISA 702 also covers the EU entities and data centres of U.S. companies, since that can further complicate any future deal.
The recording of the LIBE committee meeting is available on the website of the European Parliament. All of TrustArc’s guidance on the consequences of the Schrems-II decision is available on our Privacy Shield microsite.
Privacy professionals as cosplayers – maintaining a sense of identity away from the hectic life of a privacy professional or managing stress in a healthy direction? In this episode of Serious Privacy, we move away a little from data protection and over to the broader right of privacy. The right to be left alone, or the right to ensure you can be whoever you want to be, without your choices coming back to haunt you for the rest of your life.
Listen in as Paul Breitbarth and K Royal talk about cosplay and the various underlying elements with their two guests, Ralph O’Brien and Marie Penot – two European privacy professionals with their own love of cosplay. They discuss such topics as managing stress and staying true to oneself, making personal connections, pitching job proposals, and livening up training sessions. This episode can be heard on our website or streamed below.
After a number of postponements and many discussions about further delay, the Brazilian Lei Geral de Protecção de Dados Pessoais (General Data Protection Law, LGPD) is on the verge of entering into force. In a surprise move, the Brazilian Senate on Wednesday 26 August decided not to agree to a further postponement, but to let the law enter into application immediately. Enforcement of the law will start in August 2021. Possibly, the only remaining wait is for the signature of President Bolsonaro, which is due within 15 days of the vote*. Immediately after the vote, the decree establishing the Brazilian data protection authority was already published.
While waiting for the official start of the law, this seems to be the right moment to take another look at what the LGPD requires from organizations doing business in Brazil. When looking at the new Brazilian law, it is immediately clear that there is a fair amount of overlap between the LGPD and the GDPR. This is no surprise – the LGPD is an omnibus data protection law as well, modeled after the GDPR. It explicitly recognises that data protection is linked to the respect for privacy, to informed self-determination and human rights, but also to free enterprise and free competition.
The LGPD stipulates in Article 6.X that accountability is one of the key principles to which data processing operations by controllers and processors shall be subject. According to the provision, this requires the controller or the processor to be able to demonstrate “the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures”. A similar requirement can be found in Chapter IV, Section II, for public authorities. Both requirements are rather similar to the accountability requirement that can be found in the EU GDPR, and the LGPD also comes with an obligation in Article 37 to maintain a processing activities register. The rules related to mandatory impact assessments, as well as to any exceptions to the mandatory appointment of a data protection officer, will be defined by the DPA.
Article 7 et seq. of the LGPD contain the legal bases for data processing in Brazil. These include compliance with a legal obligation, processing in the public interest, or to protect health, but also consent and legitimate interest. For the latter two, the burden of proof is on the data controller – this means an organization will have to properly document what consent was received, or how the company’s interests are balanced against the rights of the individual. For sensitive data, which is defined as personal data concerning racial or ethnic origin, as well as for children’s and adolescents’ data, additional requirements apply.
A large part of the LGPD is dedicated to the rights of individuals. According to Article 17, each “natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed”. Everyone therefore has the right to get confirmation that their data are being processed. In addition, the law foresees the rights of access, correction, deletion, and data portability, as well as the possibility to block the processing of contested data. Controllers and processors are furthermore obliged to provide transparent information on their data processing activities.
The deadlines for dealing with individual requests are short. A simplified response (which is not defined in the law, but could for example include the statement that no data is held on the individual) needs to be provided immediately. For a more detailed response “that indicates the origin of the data, the nonexistence of record, the criteria used and the purpose of the processing, subject to commercial and industrial secrecy” the law foresees 15 days.
Chapter V LGPD contains the rules related to international data transfers from Brazil to third countries. Transfers may take place to countries that have been declared as adequate by the Brazilian DPA, or on the basis of sufficient guarantees that the data will be protected (which includes the use of standard contractual clauses or ad hoc agreements, but also “global corporate rules”, which would likely include BCRs and CBPRs). Transfers for a range of public interests, on the basis of consent, or following approval by the DPA are also allowed.
Controllers and processors that do not meet the requirements of the LGPD may be confronted with serious fines. Apart from possible warnings, the blocking of processing activities and the publication of the contravention, the law foresees fines of up to 2% of the company’s revenue in Brazil in the previous year (either at company, group or conglomerate level), with a maximum of 50 million reais (~ $9 million). In more serious situations, that maximum would apply to a daily fine, which could likely be imposed until the contravention is ended.
* The Brazilian LGPD officially went into effect on 18 September 2020, following the approval of the relevant legislation by President Bolsonaro.