Author: IAPP IAPP News

Ukraine Vice Prime Minister Mykhailo Fedorov said the military has been using Clearview AI software to identify Russian soldiers killed in combat so officials can track down their families and inform them, Reuters reports. Fedorov, who is also the head of the ministry of digital transformation, said Ukraine has used Clearview AI facial recognition to find the social media accounts of killed Russian soldiers. Civil rights groups have criticized the use of Clearview technology by Ukraine due to possible misidentification.
Full Story

The Philippines’ National Privacy Commission updated the penalties for violations of the Data Privacy Act of 2021, GMA News reports. There will be a new cap on penalties to not exceed 5 million pesos whether there was a single violation or multiple violations by a personal information controller or a personal information processor. Previously, administrative fines for PICs or PIPs were 0.25% to 3% of gross income for “grave� violations and 0.25% to 2% of gross income for “major� violations.
Full Story

1. The Daily Dashboard reported the U.K.'s new data protection clauses for international data transfer agreements, replacing former EU standard contractual clauses, entered into force.
2. The IAPP Resource Center aims to keep privacy professionals in the know with its "US State Privacy Legislation Tracker," which has been updated to reflect the latest bill introductions. It was also recently updated to improve user experience.
3. U.K. Information Commissioner John Edwards gave his first major public speech as commissioner at the IAPP Data Protection Intensive: UK. IAPP Editorial Director Jedidiah Bracy, CIPP, had the details.
4. IAPP Editorial Director Jedidiah Bracy, CIPP, recapped the IAPP Data Protection Intensive: UK keynote panel's thoughts on the Privacy Shield news and the current state of affairs with U.K. adequacy.
5. Future of Privacy Forum CEO Jules Polonetsky, CIPP/US, and Goodwin Procter Partner Omer Tene looked at how metrics help improve overall performance and growth of a company's privacy program.

Even as the U.S. capital celebrates the return of cherry blossoms, flags have dropped to half-staff to mark the death of Madeleine Albright. Reflecting on Albright’s inspirational diplomatic career, one can’t help but wonder which lapel pin she would have chosen to wear to a Privacy Shield negotiation. The internet is also mourning the loss of the creator of the GIF, Stephen Wilhite (as The Verge reminds us, it’s pronounced "jif"). Meanwhile, technology policy nerds comfort ourselves by creating March Madness-inspired brackets to determine everything from the best privacy movie, to the most prophetic work of speculative fiction, to the most misunderstood legal concept. Here's what’s happened since the last roundup:

• Top-level U.S.-EU agreement paved the way for a renewed Privacy Shield. After months of intense negotiations, U.S. President Biden and EU President von der Leyen announced an agreement in principle on trans-Atlantic data flows. Full analysis here. 
• The FTC reminded us we can’t have data security without privacy. In a draft settlement with the operators of CafePress.com related to multiple data breaches, the Federal Trade Commission included charges about insufficient privacy practices: incomplete data deletion, data uses exceeding stated purpose limitations, and data stored indefinitely ‘without a business need.’ Coincidentally, the IAPP is hosting a webinar about data retention on March 29.
• NIST announced two updates to its work on AI bias. In a revised special publication, the National Institute of Standards and Technology recommended “widening the scopeâ€� of the search for sources of algorithmic bias “beyond the machine learning processes and data used to train AI software to the broader societal factors that influence how technology is developed.â€� At the same time, NIST published an initial draft of its AI Risk Management Framework, with comments requested through April 29.
• State privacy regulators welcomed “thoughts and concernsâ€� from privacy professionals. The Colorado attorney general is seeking informal comments along a broad range of issues related to the implementation of the CPA. Meanwhile, the California Privacy Protection Agency posted a form to request to speak at “stakeholder sessionsâ€� to be scheduled later.
• Can you un-ring an algorithm? Protocol published a follow-up article on the FTC’s new remedy of algorithm disgorgement, predicting that it "could get very messy."
• Privacy leaders on the move.
• Boston University School of Law announced the appointment of professor Woodrow Hartzog to its faculty. It’s a good opportunity to re-watch his keynote reflections problematizing the notion of "control."
• In a heartfelt LinkedIn post, Amelia Vance announced her departure from the Future of Privacy Forum, where she led the Youth and Education program, to focus on ‘hands-on work’ as an independent consultant.

Upcoming happenings:

• March 29-30, the California Privacy Protection Agency will host pre-rulemaking informational sessions.
• March 29-31, NIST will host its second virtual workshop on the AI Risk Management Framework.
• March 29 at 2 p.m. EDT, TeachPrivacy will host a webinar on Privacy Legislation: How to Create Effective Privacy Laws.
• March 30 at 11 a.m. EDT, IAPP will host a webinar on Building a Privacy Risk Framework for Accountability Through PIAs.
• March 31 at 1 p.m. EDT, IAPP will host a webinar on the State of CCPA: A Look Back to Prepare for What's to Come.

Please send feedback, updates and your favorite GIFs to cobun@iapp.org.  

Did you miss me last week?  The family and I traveled internationally for the first time in ages. We went to Mexico, and I think, going forward, I’m going to try to do two-week vacations instead of one. It was so nice to be drenched in the warm sun, not to mention the cocktails by the pool.

But, I’m back now and in full press organizing with the IAPP staff for the upcoming Canada Privacy Symposium where we hope the COVID-19 implications are at most a minor inconvenience (as they were in Mexico).

The keynote sessions are going to be great and, of course, we have the Annual Commissioner’s Address to the Profession. It will be Daniel Therrien’s last appearance as federal commissioner, so you won’t want to miss it.

At the end of the first day of the conference, we have a number of commissioners lined up to participate in the Game Show — something I bet you’ve missed. It promises to be a lot of fun — and maybe a bit educational at the same time. This year, we are doing a Dragons' Den type game and this is where you come in.

We need three to five privacy pros to be the participants who want to pitch their novel ideas to the commissioners/dragons. To be considered, please fill out this tiny survey to give us an idea of what your pitch might look like. (I’m told the survey tool doesn’t work the best on a mobile device, so please try using your computer.) The idea behind the pitch is to present the Dragons with a privacy-related idea that they can then debate and interact with you on.

I somehow doubt that, at the end of the day, there will be any actual money exchanging hands, but I’m pretty sure this will be a fun way to get to know our commissioners and get a sense of what they are thinking about.

OK, as I resist the urge for another margarita, I’m going to get caught up on this week’s news. I hope you do the same.

U.S. President Joe Biden and European Commission President Ursula von der Leyen announced Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement in principle. Though the details about the deal are not yet known, in a press conference, Biden said, "Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy." Von der Leyen added, "This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties." IAPP Editorial Director Jedidiah Bracy, CIPP, has the details. 
Full Story

In an op-ed for The Globe and Mail, University of Victoria Political Science Professor Colin Bennett wrote a ruling by British Columbia’s Information and Privacy Commissioner over political party data collection is a “significant victory� for voters’ privacy. The ruling requires federal political parties to comply with privacy laws when collecting, using or disclosing personal data. “It should bring more transparency to the ways that political parties use data on Canadian voters in their campaigns,� Bennett said.
Full Story

British Columbia’s Information and Privacy Commissioner Michael McEvoy is examining the possibility of a children’s code regulating targeted advertising and online tracking, similar to the code in place in the U.K., Glacier Media Group reports. “I think there’s a case to be made that our children are particularly vulnerable,� said McEvoy, who noted the Personal Information Protection Act does not specifically address children’s privacy needs. McEvoy said he’d like to see a ban on targeted advertising and online tracking turned off by default in technologies.
Full Story

Kia ora koutou,

After a relatively slow start, 2022 is shaping up to be a very eventful year for privacy in the ANZ region.

On 3 March, our KnowledgeNet chapter chairs for Auckland and Wellington jointly hosted the first virtual event for 2022 on COVID-19 and workplace privacy issues. Our panel of experts — Simpson Grierson Partner John Rooney, BNZ Privacy and Data Ethics Senior Manager Henry Flood, and Ministry of Health Privacy Manager Caitlin Hawkins — led an excellent and comprehensive discussion, defined in my view by the diversity of the panel. We heard employment law, in-house privacy and government perspectives on the contentious issues surrounding vaccine mandates and employee privacy concerns about the collection of vaccine status information. I was particularly impressed by Caitlin Hawkins’ openness and honesty in putting forward a Ministry of Health perspective on the recent High Court cases relating to the Wh�nau Ora Commissioning Agency’s requests for M�ori vaccination data.

Giving us barely a moment to catch our breath, our chapter chairs will host their next event 31 March. Another powerhouse panel — Ewan Lincoln from the Office of the Privacy Commissioner, Auror Chief Privacy Officer Frith Tweedie, Briscoe Group Human Resources General Manager Aston Moss, and Department of Internal Affairs Manager of Information Partnerships Dion Chamberlain — will lead a very timely discussion on the privacy implications of facial recognition technology. I am particularly interested in hearing from the OPC regarding the recent position paper they published on biometrics, which I commented on back in October.

Privacy Week — 9 to 15 May — comes next on our increasingly busy agenda, with the Office of the Privacy Commissioner announcing the theme for this year is "Privacy: The Foundation of Trust." In a departure from previous years, the OPC plans to replace the traditional in-person conference with a “privacy festival� — a week of mostly virtual events and activities led by the community. The OPC has described this as an opportunity to listen to other people’s perspectives on privacy, to help shape the future of their work. The OPC has put out a call for Privacy Week proposals, which closes 28 March. The IAPP is working closely with the OPC to support the privacy festival, including the potential to co-host an event or two.

Speaking of trust, the OPC recently awarded its coveted Privacy Trust Mark to privacy operations platform Securiti. The OPC was “impressed by the holistic privacy management system approach taken by Securiti,� noting in particular the system’s “ability to both help people exercise their right to access and correct their personal information and help agencies facilitate these requests rapidly, completely, and accurately.� This is an interesting direction for the PTM program, which has traditionally focused on the steps that regulated agencies have taken to lift their own privacy practice. The OPC has paused the PTM program currently, to review its effectiveness. It will be interesting to see if other privacy vendors apply for the PTM if and when the program is restarted.

Finally, let’s not forget the premier privacy event for the ANZ region — the annual IAPP ANZ Summit — currently planned to be an in-person event in Sydney 23 to 24 Nov. The call for proposals is closed, and the IAPP ANZ Advisory Board will collaborate with the IAPP events team to review them and start crafting a program that will be worth traveling for.

So, it might be time to save some dates to make sure you don’t miss any of this great content and opportunities to connect with colleagues.

In the meantime, stay safe and be kind.

Under the EU General Data Protection Regulation, data subjects have been granted various rights, including the right to data portability. An informal survey of the Lex Mundi network found few "developments regarding the right to data portability, such as supervisory enforcement or case law." Houthoff, Amsterdam Attorneys Jurre Reus and Nicole Bilderbeek look at the developments and where data portability is headed.
Full Story