GDPR, Year One Gary Audin May 24, 2019 Telemarketing, promotional emails, and video surveillance are among the most common complaints, the European Commission has found. Identifiers — these include names, aliases, addresses, and IP addressesCharacteristics of protected classifications — as specified under California or federal lawCommercial information — records of personal property, products or services purchased, or consuming histories or tendencies fall in this categoryBiometric informationInternet or other electronic network activity information, including browsing historyGeolocation dataAudio, electronic, visual, thermal, olfactory, or similar informationProfessional or employment-related informationEducation informationAny inferences drawn from any of the information identified to create a consumer’s profile Five years ago, students, most of whom are mid-career, were apoplectic about Snowden, quick to call him a traitor among other unkind words. With time, however, this has changed. This past Spring term, students, while perhaps still disturbed by Snowden’s release of classified information, acknowledged, almost to a person, that what he did by revealing the extent of government surveillance opened our eyes to the extent to which our private information isn’t really private. Further, students also recognized that he took this action, which has changed the way we view information that we thought was private and clearly wasn’t, at great personal cost. Privacy Matters: Enterprises at an Inflection Point Dave Michels July 29, 2019 Our digital breadcrumbs are all over enterprise communications and collaboration apps. What will become of all this data? California Leading the Way… HereIn the U.S., unlike in the European Union, privacy isn’t a guaranteed right. The California Consumer Privacy Act (CCPA) of 2018 is the closest we’ve come on this side of the pond to the EU’s Global Data Protection Regulation, enacted more than a year ago to secure individual privacy rights. The act specifies that PI includes, but isn’t limited to: GDPR: A Boring but Important Update Martha Buyer July 25, 2019 As the highest EU court reviews whether certain data export/import strictures are adequate, U.S. companies should be on high alert. GDPR 101: What’s a Data Protection Representative? Gary Audin June 28, 2019 If you collect, process, or control EU citizen data, you need a data protection representative. Like all laws, the CCPA has exceptions, but there’s not room here to address them (click here for more information). The law applies to information collected by brick-and-mortar businesses as well as by electronic or Internet-based operations — and while California is the first state to take such action, other states will follow. Although privacy watchers expect that any new pieces of legislation will look very much like California’s, each will be slightly different, making state privacy regulation a management a looming nightmare for enterprises. The CCPA, which will take effect this coming January, will apply to consumers who are California residents (including households and individuals), and to three types of businesses: those that operate in the state with gross revenues in excess of $25 million; those that buy, receive, or otherwise obtain the PI of 50,000 or more consumers, households, or devices for commercial purposes; or those that derive 50% or more of their annual revenues from selling consumers’ personal information. Although there’s enough here for an entire new column, the CCPA broadly defines PI to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” To that latter point, if you need access to government services or support, you must disclose private information in order to receive assistance. Health and medical information? Financial information? Address information? Social Security numbers? Granted, no reputable bank is going to lend money to a borrower without first obtaining some personal and otherwise confidential information, but it’s clear that the more socially and personally vulnerable an individual may be, the more likely it is that their private information will be “out there.” As a direct consequence of their vulnerabilities, the personal information (PI) of these individuals that could be expected to be private, isn’t. See All in Privacy & Compliance » Log in or register to post comments The big takeaway is this: Those who are most vulnerable for any number of reasons (economic, social, education, age, race, gender) are at greater risk of victimization when data breaches occur because they tend to have been required to share more personal information to receive any number of services they might require. The more personal data that’s out there, the greater the opportunity for hackers and miners to access, share, and abuse, and the greater the risk to those who have shared information, wittingly or not. State regulation is a positive step, but with each state crafting its own nuanced legislation, privacy management for enterprises will become… um, challenging. The answer lies in federal regulation, but with lots of constituencies arguing for their own points of view don’t expect that to happen anytime soon.Tags:News & Viewsprivacy lawCCPAPrivacy & ComplianceNews & ViewsRegulationSecurity Articles You Might Like GDPR 102: Implementing the DPR Role Gary Audin July 05, 2019 Sorting out the complexity involved with employing a data protection representative Striking a BalanceAs states hash out their privacy laws, the balance between privacy and security will remain a topic of discussion in business, government, academia, and certainly the military. It’s a delicate balance (think “head of pin”) to be sure, and opinions change with the wind. I’ve seen this firsthand, among students of a graduate-level class in IT ethics I’ve taught for the past five years. Students from across the world, many of whom have military experience and strong opinions on the topic, attend this class. Near the end of the term, we discuss the balance of privacy and security, and invariably end up talking about Edward Snowden, the CIA employee who blew the whistle on the National Security Agency back in 2013. Early this month, I had the opportunity to participate in continuing legal education on the future of privacy and privacy law. As I prepared to listen and learn, I wasn’t expecting to be jarred by an issue that, in all honesty (and said with a bit of guilt), had never crossed my mind. That is: Privacy isn’t a right in the U.S., and your position in society says a great deal about how much actual privacy you have. privacy-policy.jpg

Leave a Reply

Your email address will not be published. Required fields are marked *