Data Privacy Highlights

Happy Holidays from Red Clover Advisors!

???? EU-US draft adequacy decision arrives, EU process begins in earnest

The European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards, paving the way for finalization of the DPF and unimpeded data flows.

Osborne Clarke Partner Julia Kaufmann, CIPP/E, read the draft and saw an effort by the European Commission to explain the U.S. treatment of and work involving proportionality, but ultimately, it lacks more expansive detail on how it draws equivalence to EU standards.

"We in the EU must acknowledge that the U.S. has a different legal system, but the U.S. is still a democratic society," Kaufmann said. "The U.S. is definitely trying to reach out to the EU and show that they want to address the deficiencies identified by the CJEU to continue commerce. … And the European Commission has taken that into account by looking behind the curtain of the U.S. legal system and trying to understand how the U.S. can address those deficiencies within the boundaries given by their legal framework."

What should US companies involved in EU-US transfers actually be doing now? Review the new EU-U.S. Data Privacy Framework Principles’, including the Supplemental Principles and start addressing any gaps in your compliance. Though they are still in the draft phase it is highly unlikely that these regulations will get any less stringent so identifying any gaps as soon as possible is a great way to get ahead.

Want more insight into the key changes and what you need to do? Read Odia Kagan's overview: https://www.dhirubhai.net/pulse/nothing-schremsx-what-should-companies-do-while-eu-bodies-odia-kagan/

More from IAPP on the EU-US draft adequacy decision: https://iapp.org/news/a/eu-us-draft-adequacy-decision-arrives-eu-process-begins-in-earnest/

Read the Adequacy decision for the EU-US Data Privacy Framework: https://commission.europa.eu/document/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en

?Indiana Sues TikTok for Security and Child Safety Violations

Indiana’s attorney general has sued TikTok for “deceiving users about China’s access to their data and for exposing children to mature content”. The state is seeking up to $5,000 per violation and has asked that TikTok be ordered to “stop false and misleading claims about its handling of data” and to stop marketing itself as an appropriate app for children and young teenagers.?

The claims against ByteDance, the Chinese company that owns TikTok, include:?

1. The company failed to disclose the Chinese government’s ability to tap sensitive consumer information.?
2. TikTok has deceived parents and young users with its age rate of 12+ in app stores when it is extremely easy to find inappropriate sexual and substance abuse related content?

This comes after 2 years of U.S officials’ fight to ban the app or force an ownership change to decrease ties with China.?

TikTok’s chief executive, Shou Zi Chew, has said that the data of U.S. users would be hosted on servers controlled by the American cloud computing company Oracle and disputes that the Chinese government could access that data.

For more on this lawsuit and the complicated environment surrounding TikTok: https://www.nytimes.com/2022/12/07/technology/tiktok-lawsuit.html

?? Most School Districts Still Lack Data-Privacy Personnel

The need for school districts to mandate data privacy officers to protect the privacy of students is rising. A number of states have implemented this position or are strongly considering but it is still unusual to see school districts with a dedicated person for data privacy.

Even in states like California and Illinois—where such positions are required by law—data privacy jobs are often given as extra duties to an already busy staff where they are not given adequate resources for these positions nor explains what a strong privacy program consists of. In some cases, state laws aren’t even clear about what the privacy officer job’s definition is. This results in people in positions of protecting student data without much training while also juggling another job.?

The need for districts to devote resources and personnel specifically to data privacy has become apparent over the last couple of years, as high-profile ransomware attacks and?data breaches?have made headlines. And the?COVID pandemic brought?a wave of new technology and increased technology use in schools across the country.

Learn more: https://www.edsurge.com/news/2022-12-05-most-school-districts-still-lack-data-privacy-personnel

??? Apple advances user security with powerful new data protections

Apple has introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.

These security features include:

1. iMessage Contact Key Verification: users can verify they are communicating only with whom they intend
2. Security Keys for Apple ID: users have the choice to require a physical security key to sign in to their Apple ID account
3. Advanced Data Protection for iCloud: which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

“Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation,” said Ivan Krsti?, Apple’s head of Security Engineering and Architecture.

For users who choose to enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23 from 14. This includes the addition of iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.

Enhanced security for users’ data in the cloud is more urgently needed than ever before. Increasingly, companies across the technology industry are addressing this growing threat by implementing end-to-end encryption in their offerings.

Read the rest of Apple's press release here: https://www.apple.com/newsroom/2022/12/apple-advances-user-security-with-powerful-new-data-protections/

?? Advocates Seek Lame-Duck Vote On Bill That Would Ban Behavioral Targeting

Consumer advocacy groups and calling for the House to vote this month on a comprehensive privacy bill that would outlaw a common form of online ad targeting.?

Twenty-three organizations including the Center for Democracy & Technology, Electronic Privacy Information Center and Public Knowledge sent a letter to House Speaker Nancy Pelosi seeking a floor vote on the American Data Privacy and Protection Act.?

The bill is set to:?

1. Impose numerous restrictions on data use and collection?
2. Ban on the collection or processing of data about web users' cross-site activity for ad purposes
3. Allow companies to continue to draw on data collected from their own sites in order to serve targeted ads to adults on an opt-out basis
4. Prohibit companies from serving targeted ads to children or teens younger than 17

Nancy Pelosi has indicated she will not support the bill in its current form, due to the provisions that would render California's law unenforceable.

The groups who sent the letter to Pelosi believe “there is a narrow window in which to act,” and the proposed law would “usher in real meaningful privacy protections for all consumers.”

Even if the House passes the bill before the end of this year, proponents appear to face an uphill battle in the Senate, where no committees have held hearings on the bill.?

“We believe that if a House vote happened, it would be overwhelmingly bipartisan,” Public Knowledge senior policy counsel Sara Collins tells MediaPost. “Having that on record could change the calculation in the Senate.”

For more on this topic: https://www.mediapost.com/publications/article/380535/advocates-seek-lame-duck-vote-on-bill-that-would-b.html\

?? Six ways data privacy and security teams can work together

Chief Privacy Officers (CPO) and Chief Information Security Officers (CISO) have an opportunity to work together toward a common purpose.

Let’s look at six ways that privacy and security teams can work together to tackle some of the shared challenges of data governance.

1. Knowing what you have (so you can protect it)

Data inventories are generally one of the first and easiest shared goals to identify.

Organizations must have a living record of systems, business processes, and data. In today’s dynamic digital environment, combining efforts is the best way for privacy and security teams to maintain a living data record.

This record not only identifies sensitive data, but also classifies it according to its level of sensitivity—a helpful distinction for both teams.

2. Demonstrating compliance

When privacy and security teams have a shared data inventory, they can more easily collaborate on data mapping. Data mapping helps the privacy team to demonstrate compliance with regulations and offers the security team a complete picture of the data they need to protect.

Establishing standards for data controls including encryption, backups, retention, and destruction processes is a shared task that addresses both teams’ concerns.

3. Managing access to sensitive data

Confidentiality is a key principle in information security. Managing access to data is one way to protect confidentiality, but it can be challenging.

A requirement of privacy regulations is that personal data is accessed only by those who require the information—the heart of “need-to-know.” Privacy teams must demonstrate that access is managed effectively. This is where collaboration happens.

Together, the privacy and security teams should identify access requirements and relevant data storage locations.

4. Effectively managing data breaches

No organization expects to experience a data breach, but they do need to have a plan in place for that possibility.

By proactively working together to outline the response process and plan ways to meet regulation timelines, privacy and security teams can ensure they are maintaining compliance, even when faced with an actual incident.

5. Cross-populating steering committees

Why not increase efficiency by having both the privacy and security programs represented on each other’s steering committees and governance efforts?

If possible, some organizations may want to consider combining multiple steering committees into a broader information protection committee that represents the goals of both teams.

6. Identify impactful projects to collaborate on

Once you get privacy and security working in tandem with one another, take that collaboration business-wide.

All areas of your business operations benefit from privacy and security insights. They need privacy and security to contracts that reflect regulatory requirements and include provisions that protect your business' best interests from a privacy/security standpoint.

Marketing? Privacy and security can help ensure that data collection follows best practices, or that marketing projects don’t pose security risks.

When privacy and security team up to support an entire organization, they can provide more value, increase organizational buy-in, and ultimately ensure that privacy and security needs are woven into the fiber of business operations.

More on the Why Privacy and Security Teams Should Collaborate here: https://redcloveradvisors.com/2022/12/13/why-privacy-and-security-teams-should-collaborate/