Privacy and AI weekly - Issue 8

This Friday on Privacy and AI weekly

Privacy

  • Singaporean DPA updates guidelines on anonymisation
  • Utah Consumer Privacy Act (UCPA)
  • PCI SSC Publishes PCI Data Security Standard v4.0
  • Launch of Officine Dati
  • IAB Europe Guide to the Post Third-Party Cookie Era

Artificial Intelligence

  • Artificial Intelligence As a Risk Vector
  • FTC on algorithmic disgorgement


PRIVACY

Singaporean DPA updates guidelines on anonymisation

Any business that handles data knows the significance of anonymisation, but not all are familiar with how to do it appropriately. In today’s context, where data collection and use are increasingly prevalent, businesses may find themselves at greater risk of data breaches, and anonymising data is one sure way to reduce that risk. Businesses that are able to perform data anonymisation appropriately can extract value from their datasets while reducing the risk of regulatory non-compliance or breaches of data security.


To help businesses, especially those new to anonymisation, the PDPC has updated its Guide to Basic Anonymisation to provide more practical guidance on how to perform basic anonymisation and de-identification of various datasets through a simple 5-step anonymisation process. This includes clear standards for safeguards and controls where anonymised data is used, and recommendations for using k-anonymity.

When anonymisation is done right, both businesses and individuals can confidently exchange data in a way that meets their business needs while ensuring the data is safeguarded, which encourages greater participation in the digital economy.

The chapter on Anonymisation in the PDPC’s Advisory Guidelines on the PDPA for Selected Topics has also been updated to clarify the requirements for anonymising data.

Access the guidelines here


Utah Consumer Privacy Act (UCPA)


On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law. This Act is the latest addition to the state privacy laws in the USA, together with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA).

The UCPA has many similarities with the provisions found under the CCPA, CPRA, CDPA, and CPA, like the application threshold, exemptions for employee data, and the inclusion of sensitive personal information.

One difference to consider is the UCPA’s definition of ‘sale’ which includes an exemption for personal data being disclosed to a third party if the disclosure is consistent with the ‘reasonable expectations’ of the consumer. The definition of sale also excludes the term ‘other monetary consideration’ – something that is seen in the CCPA, CPRA, and CPA.

The UCPA will take effect on December 31, 2023.

The UCPA applies to organizations that conduct business in the state of Utah or produce a product or service that targets consumers who are residents of the state.

Organizations will fall under the scope of the UCPA if they have annual revenues of over $25,000,000, and either:

  • control or process the personal data of 100,000 or more consumers annually, or
  • derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

The incoming privacy law in Utah will provide consumers with similar rights to those found under existing state privacy laws, such as:

  • The right to be informed
  • The right to access
  • The right to erasure
  • The right to data portability
  • The right to opt-out of processing

The new privacy law in Utah outlines several requirements for covered organizations to comply with. Many of these requirements fall under familiar topics including transparency, purpose specification, data minimization, consent, and security.


PCI SSC Publishes PCI Data Security Standard v4.0

The PCI Security Standards Council (PCI SSC), a global payment security forum, published version 4.0 of the PCI Data Security Standard (PCI DSS).

PCI DSS is a global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.

The current version of PCI DSS (v3.2.1) will remain active for two years until it is retired on 31 March 2024. Once assessors have completed training in PCI DSS v4.0, organizations may assess to either PCI DSS v4.0 or PCI DSS v3.2.1. The standard also provides additional time for organizations to implement many of the new requirements.

Updates to the standard focus on meeting the evolving security needs of the payments industry, promoting security as a continuous process, increasing flexibility for organizations using different methods to achieve security objectives, and enhancing validation methods and procedures.

Examples of the changes in PCI DSS v4.0 include:

  • Updated firewall terminology to network security controls to support a broader range of technologies used to meet the security objectives traditionally met by firewalls.
  • Expansion of Requirement 8 to implement multi-factor authentication (MFA) for all access into the cardholder data environment.
  • Increased flexibility for organizations to demonstrate how they are using different methods to achieve security objectives.
  • Addition of targeted risk analyses to allow entities the flexibility to define how frequently they perform certain activities, as best suited for their business needs and risk exposure.


Access the PCI DSS v4.0 and the summary of changes here


IAB Europe Guide to the Post Third-Party Cookie Era


The Guide has been developed by experts from IAB Europe’s Programmatic Trading Committee (PTC) to prepare brands, agencies, publishers and tech intermediaries for the much-anticipated post third-party cookie advertising ecosystem.

The updated edition of the guide provides the latest insights into the many alternative solutions that are being developed to replace third-party cookies when they are depleted in 2023, including context, identity, the use of telco data, and the Google Topics initiative, and expands into new challenge areas to answer questions around measurement and attribution.

Access the guide here


Launch of Officine Dati

Officine Dati is a think tank on personal data protection, cybersecurity, the digital economy and artificial intelligence.

It was founded on the initiative of Rosario Imperiali, Anna Cataleta, Luca Bolognini, Cristina Cabella, Nicola Fabiano, Diego Fulco, Riccardo Giannetti, Arianna Greco, Federico Marengo, Rocco Panetta, Pierluigi Perri, Fabio Rastrelli, Tommaso Stranieri, Marianna Vintiadis and Giovanni Ziccardi.

Upcoming news:

  • Rosario Imperiali (President of Officine Dati), together with Diego Fulco and Rocco Panetta (both founders of Officine Dati), will speak at the Privacy Symposium conference in Venice, 5 to 7 April 2022, in the panel “Privacy and the Market: Overlapping between Data Protection and Other Sectoral Regulations”. Luca Bolognini (one of the founders of Officine Dati) is involved in organising Privacy Symposium.

  • The first event organised entirely by Officine Dati will be Intelligenza Artificiale e Umanesimo Europeo (21 April 2022, 17:00 – 18:30). Massimo Attoresi (EDPS), Tommaso Stranieri, Marianna Vintiadis and Federico Marengo will take part, and the session will be moderated by Rosario Imperiali and Anna Cataleta.

Follow Officine Dati to discover all the news and initiatives of the Association!





Artificial Intelligence

Artificial Intelligence As a Risk Vector

This week I had the pleasure of taking part in the PrivSec Risk in Focus panel “Artificial Intelligence As a Risk Vector”.


We considered the main risks presented by AI systems and explored best-practice tips to mitigate them.

More about the event here


FTC on algorithmic disgorgement

The Federal Trade Commission orders WW International and Kurbo, Inc. to destroy the algorithms built with unlawfully collected data.


WW International and Kurbo placed on the market a weight loss app aimed at children (as young as 8 years old) and collected personal data without the consent of the holder of parental responsibility.

From 2014 to 2019 Kurbo offered a weight-management and tracking service designed for use by children ages eight and older, teenagers, and families. The Kurbo app tracks individual food intake, activity, and weight, and also collects personal information such as names, email addresses, and birth dates.

From its launch in 2014 through February 2020, over 279,500 people used the Kurbo app, and at least 18,600 were children >13.


The COPPA Rule requires that websites, apps, and online services that are child-directed or knowingly collect personal information from children notify parents and obtain their consent before collecting, using or disclosing personal information from children under 13.

  • On the notice. The app did not provide any notice to parents until November 2019, and even then did not solicit parental consent. The notice Kurbo provided on its website in November 2019 was deficient because it did not clearly and completely specify the categories of information collected from children.

  • On parental consent. Kurbo did not institute a method for obtaining verifiable parental consent. Until late 2019, users could sign up for Kurbo by indicating that they were a parent signing up for their child or a child <13 signing up for themselves. Kurbo's signup process encouraged younger users to falsely claim they were over the age of 13. In fact, from 2014 to 2019, hundreds of users who signed up for the app claiming to be over the age of 13 later changed the birthdates on their profiles to indicate they were really under 13.

  • On retention periods. Until August 2021, Kurbo kept children’s personal information indefinitely.

The settlement

In March 2022 the companies and the FTC settled the dispute, and it was agreed that Kurbo must:

  • pay a $1,500,000 penalty
  • erase data collected from children under 13 that has been kept for more than a year after the last time the child used Kurbo
  • destroy all personal information previously collected that did not comply with the COPPA Rule’s parental notice and consent requirements
  • destroy, within 90 days, any affected work product (algorithm) that used data illegally collected from children in violation of COPPA. Affected Work Product means any models or algorithms developed in whole or in part using Personal Information Collected from Children through the Kurbo Program

Conclusion: be mindful of your privacy obligations

More information here





About Qubit Privacy

Qubit Privacy is a boutique consultancy firm that provides data protection and AI governance services. Qubit Privacy helps your organization stay compliant with privacy regulations like the GDPR, protects you against cyber-attacks and data breaches, and helps you manage and assess algorithmic risks through a range of affordable professional solutions.

Federico Marengo is the founder of Qubit Privacy. He is a PhD student (in data protection and AI) and the author of “Data Protection Law in Charts. A Visual Guide to the General Data Protection Regulation“.

For inquiries, feedback or collaborations, please contact me at [email protected]

Mauro Provenzano

CIPP/E | Data Protection Compliance | Privacy & AI | Legal Counsel

2 years

Thanks for such an interesting selection of articles every week!

Georg Philip Krog

Pioneering AI-Driven Data Privacy, Security & Compliance | Creator of Data Privacy and Security Standard Vocabularies and Ontologies | Founder of Signatu | Transforming Legal Tech into Business Advantage

2 years

Great work!
