The evolution of privacy requirements and risks has progressed at lightning speed; we’re a far cry from listing “dumpster diving” as a critical risk in exposing personally identifiable information (PII) as we did 20 years ago. Paper shredding may still have its place in security protocols for now, but today, the rapid advancement of technology…
New Privacy Coalition Gathers to Set Agenda
The newly created Global Cross-Border Privacy Rules Forum, an international association of countries that includes the U.S., Japan, Singapore, and the Republic of Korea, gathered last week in Hawaii to work on an agreement for “potential worldwide data protection rules that would allow people’s personal information like search queries and payroll information to flow seamlessly across borders,” according to Politico. The current members of the Forum are primarily members of the Asia-Pacific Economic Cooperation (APEC), but the meeting included representatives from other jurisdictions and potential members, including the United Kingdom and Brazil. The Forum could create friction with the EU, which currently calls most of the shots on global privacy standards. Politico reports that “The goal, according to Shannon Coe, director of global data policy at the U.S. Commerce Department’s International Trade Administration, who is involved in the discussions, is to open up trade between participating countries while giving people assurances their data won’t be mishandled once it’s shipped outside their home countries. The new rules will be based on an existing APEC privacy framework, but are expected to replace that regional regime — with updated privacy standards — with a global system that’s open to all.”
Minnesota Student Privacy Law Heads to Senate
Last week, the Minnesota Senate Education Committee unanimously approved new limits on how tech companies can use student data gathered through school-issued devices. The bill would ban the tracking of student activity through GPS, camera, microphone, and web browsing, and prohibit tech companies from selling student data. It is currently with the general Minnesota Senate for approval.
Bank for International Settlements Calls for Data Governance Reform
A facilitator of cross-border payments and a meta bank for the globe’s central banks is weighing in on data governance and lashing out against big tech. The Bank for International Settlements (BIS) has released a report calling for new governance systems. The report, released last week, advocates for data subjects owning their data and argues that recent market failures support this conclusion. According to The Register, “To restore control and be effective, the BIS called for the creation of consent systems that are user friendly, offer low transaction costs, and operate as public-private partnerships. To achieve cost savings, the org argued data management must be digitally based and scalable across large numbers of users.” BIS also outlined standards for data governance that resemble most data privacy laws: a clear and communicated purpose for collection; data minimization; limits on data retention; and secure storage.
Lawmakers Zero in on Meta/Facebook
Last week, we reported that Meta/Facebook is in hot water after a leaked internal memo revealed the company is unable to comply with data privacy laws like GDPR. Per Protocol, “In a leaked internal document published by Motherboard last week, Facebook privacy engineers wrote that there are ‘tens-of-thousands of uncontrolled data ingestion points into Ads systems.’ The document, which was written in 2021, likened Facebook’s open-data systems to ink poured in a lake of water. ‘How do you put that ink back in the bottle?’ the engineers ask, in what is seemingly a concession that the company can’t trace some user data accessible to third parties.” Meta denied this allegation to Motherboard and noted that it is working to build the technical tools for compliance. But lawmakers aren’t convinced. U.S. Democratic Sen. Kirsten Gillibrand went so far as to call for a Data Protection Agency to hold big tech companies accountable. Meanwhile, Dutch EU Parliamentarian Sophie in ’t Veld called for an investigation into Meta’s noncompliance with GDPR.