Telegram deleted user accounts to prevent the messaging application from being banned by Brazilian courts, Fortune reports. The move came in response to the Brazilian Supreme Court banning the app March 18 after the company ignored requests to remove content deemed misinformation, particularly posts from supporters of President Jair Bolsonaro. Telegram’s Founder and CEO Pavel Durov asked the court for a delay to “remedy the situation.”


A medical Q&A service provider reportedly left 300,000 personal medical files exposed after a cloud misconfiguration, InfoSecurity reports. A Safety Detectives team traced an exposed Amazon S3 bucket to Japanese company Doctors Me; the bucket was reportedly left open without authentication controls in place. One of Doctors Me's core services is having users anonymously upload images of medical conditions for diagnosis by clinicians. Researchers said the 30GB trove, which included 12,000 unique images of faces and body parts of children and infants, was potentially exposed to bad actors.


Among the many topics top of mind for privacy pros at the IAPP Data Protection Intensive: UK in London are proposed reforms to the UK General Data Protection Regulation and the future of transborder data flows. This comes as the U.K.'s post-Brexit international data transfers agreement officially went into force Monday and negotiations around the current trans-Atlantic impasse continue behind the scenes.

A day after U.K. Information Commissioner John Edwards made his first major public speech since his January appointment, Department of Digital, Culture, Media and Sport Director James Snook joined keynote panelists Ruth Boardman of Bird & Bird, Hogan Lovells Partner Eduardo Ustaran, CIPP/E, and IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, Thursday for a wide-ranging discussion on U.K. reforms, including potential adequacy agreements, prospects for increased data localization, and, relatedly, the chances of a replacement for the EU-US Privacy Shield arrangement.

With U.S. President Joe Biden in Brussels Thursday for discussions with NATO allies on a response to Russia's war against Ukraine, some rumors are swirling that a Privacy Shield replacement may be announced soon. Though there's been a slow drip of news stories that an agreement is pending in recent weeks, details for an agreement remain vague. 

While Thursday's keynote panels were on stage discussing U.K. reforms and transfers, Politico reported that "Political pressure from senior political leaders on both sides of the Atlantic, including European Commission President Ursula von der Leyen, is mounting to approve a new Privacy Shield pact as early as this week with technical details to be smoothed out over the coming weeks." 

Though the devil will certainly be in the details, separate talks between the U.K. and U.S. are also ongoing. The DCMS's Snook said the U.K. government is "having constructive conversations" with their U.S. counterparts and noted that both sides, as well as the EU, "share similar priorities." 

Privacy Shield replacement negotiations aside, Snook said data is a global issue and that there's a responsibility on governments to create a better and more sustainable structure to facilitate global data flows. 

For the U.K., data protection law reform means walking a fine line between reforming the U.K. General Data Protection Regulation and keeping its adequacy status with the EU.

Ustaran suggested people should "relax a bit" about adequacy. It's "not something you play with," he said, adding, "it's not a bargaining chip." He said there is a long tradition of data protection in the U.K. and that the reforms still move in the same direction as the EU. Other countries, he said, have been trying to achieve adequacy for years, but during Brexit, the U.K. was still able to gain adequacy. "My message to you," he said, "is don't worry so much about adequacy. It's not going to go. There are much bigger problems in the world than losing adequacy, and it's not at risk in the way that people appear to think."

Snook, who was part of the adequacy assessment negotiations during Brexit, said the U.K. government "is not naïve about the benefits of EU adequacy to all the organizations represented in this room and particularly the EU organizations who are actually the primary beneficiaries of adequacy." He added that he thinks there "is a problem if we are operating under a global system that expects identical data protection laws because that doesn't reflect the differing values and differing legal systems and differing constitutional regulatory systems in differing countries." He stressed the importance of adding to the list of adequate nations because the burdens and uncertainty on industry are "just too great."

Notably, Snook also said the U.K. will not wait for the EU to decide on adequacy before the U.K. government does. "Certainly don't expect us to just be following after" the EU, he said. 

As the U.K. sets out to reform its post-Brexit data protection law, Bird & Bird's Boardman highlighted two key things industry is looking for from the U.K. government. "First," she said, "don't make the situation worse. Don't add to the uncertainty, bureaucracy and the complications by unique, bespoke U.K. solutions which add bureaucracy without benefit."

Secondly, she said these reforms are an opportunity "to show there is a better way to do this." Though it won't be easy, she conceded, "it is an important objective to show that you can more meaningfully protect individuals in a way that is less bureaucratic and which allows for the benefits that go with global data transfers." 


The IAPP compiled guidance made in response to the Court of Justice of the European Union's "Schrems II" ruling. The list includes documents issued by the European Commission, European Data Protection Board and European Data Protection Supervisor. It also includes guidance from data protection authorities from the EU and U.K., as well as information from the U.S. Department of Commerce.


Business leaders have traditionally advocated for management by measurement. Edwards Deming wrote, “What gets measured gets done.” Dr. H. James Harrington once said, “If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it.” Effective measurement helps managers improve efficiency, streamline processes, prioritize efforts, and manage risk. Indeed, some say that measurement is management.

The best privacy leaders collect data and use metrics to measure, assess, and improve the performance of their privacy programs. When we gathered a group of Future of Privacy Forum CPOs to discuss some of the key issues, we learned that beyond demonstrating compliance, privacy metrics have emerged as key to measuring and improving privacy program performance and maturity in terms of customer trust, risk mitigation, and business enablement. Privacy leaders use metrics to benchmark the maturity of their organization’s privacy program against its strategy and goals and demonstrate how privacy contributes to its strategy and bottom line. They use metrics internally to secure budgets and staffing, to measure performance, and to diagnose program status and needs, as well as externally to demonstrate accountability and enhance trust. 

According to a Cisco study, 93% of organizations now track and provide analysis on at least one privacy metric and 14% utilize five or more. These metrics can provide CPOs and other C-Suite executives with pertinent information to cultivate customer trust, enable secure data transfers to ensure personal data remains safe, and confirm compliance with privacy laws and regulations.

While there are some metrics that almost all organizations track to a certain extent, there are many more that many CPOs can utilize to concretely measure the success of their policies and identify areas that can be improved to further their data privacy practices. 

Privacy metrics can be used to measure a wide variety of data points. Basic compliance and operational metrics measure activities carried out by an organization, like the number of data subject requests and data protection impact assessments, allowing CPOs to track and improve the efficiency of organizational processes. More advanced customer- and business-enablement-focused metrics display trends in the data, like the amount of time needed to respond to requests. These metrics can typically be grouped into six categories, based on the types of data they measure:

  • Individual rights: These metrics measure consent rates for data sharing and email marketing, data subject requests and how many customers are satisfied with the result, and the number of privacy breaches and customers impacted by them. This data is useful in measuring how well the privacy program protects customers’ personal data and how much trust they have in the program.
  • Training & awareness: This set of metrics compiles the number of privacy trainings offered to staff and the number of staff trained, as well as the engagement of staff with the privacy program. By having a staff that is more engaged with privacy issues, businesses can better ensure compliance with laws while improving their public image and creating privacy operational excellence. These metrics can also show gaps in organizational privacy knowledge that can be filled by future trainings.
  • Commercial: Commercial metrics measure the number of signed Data Processing Agreements with customers, external vendor reviews of the organization’s privacy program, and the number of privacy compliance attestations completed. These metrics focus on customer and business engagement and track the ability of a privacy program to support business priorities while adopting new technologies. These metrics can spur further investments from stakeholders, increasing the business’ value.
  • Accountability: By conducting privacy, data protection, and transfer impact assessments, tracking the number of projects that have received privacy advice, and keeping privacy policies and procedures current, organizations can demonstrate their ability to comply with relevant laws while enhancing the competitive and reputational advantage of the organization.
  • Privacy stewards: These metrics measure the extent of an organization’s privacy products. These include the number of Personal Information Management Systems, Data Privacy Impact Assessments, and data privacy FAQs created. Privacy stewardship is responsible for turning data policies into a common practice within an organization.
  • Policy: An organization can closely monitor its compliance with potential privacy legislation while working to improve its Environmental, Social, and Governance rating. This enhances trust from the public that the organization will handle data ethically while increasing awareness of any potential policy changes.

Evaluating the effectiveness and strategic value of privacy initiatives is becoming a core aspect of many organizations’ strategies, as ignoring privacy issues can create unnecessary risks. The utilization of privacy metrics can help organizations accomplish many objectives, including benchmarking against industry standards, ensuring compliance with privacy laws and regulations, increasing customer trust, and asserting the value of existing privacy programs. 

Editor's note: The FPF has released a "Privacy Metrics Report" that provides additional information. 



Since becoming U.K. Information Commissioner Jan. 4, John Edwards has been busy. Near the end of that month, he announced a major listening tour, complete with a series of events across the U.K. in order to hear directly from businesses, organizations and individuals about their experiences with the Information Commissioner's Office. It comes at a busy time for data protection regulation in the region, as the U.K. considers an update to the UK General Data Protection Regulation and adjusts to a post-Brexit relationship with the EU. 

In his first major public speech as the U.K. commissioner, held here in London at the IAPP Data Protection Intensive: UK, Edwards was clear with his message: "I want to reassure you that my focus is on bringing certainty in what the law requires of you and your organizations, and in how the regulator acts. And certainty, too, for people of what their rights are."  

Indeed, there is much discussion about the U.K. government's reforms of the UK GDPR. Last fall, the U.K. Department for Digital, Culture, Media and Sport opened a public consultation on a series of data protection reforms. The wide-ranging consultation considered data protection officer requirements, data subject access requests, data protection assessments, among others. (A deeper dive on the proposed reforms can be found here.) 

"From the day my appointment was confirmed," Edwards said, "people, ministers, parliamentarians and journalists were asking me what my priorities were, what I was going to do in my first 100 days. I thought it was a bit presumptuous to arrive here from a different jurisdiction with different laws and cultural traditions and start pronouncing on solutions and fixes for a system I was unfamiliar with." 

Edwards, who is from New Zealand and previously served as its privacy commissioner, wanted to assuage concerns about uncertainty in the data protection space. "The proposed reform should not be seen as radical. And while there is always a cost in moving from one regulation to the next, there is nothing in what is proposed that imposes additional burdens on businesses. If anything, I can see a clear intention to reduce regulatory burden, in order to create a streamlined law that more effectively protects people's rights." 

He added: "My undertaking to you is that once parliament has decided on the appropriate regulation, we at the ICO will devote ourselves to ensuring that the transition is seamless, and as painless as possible." 

Naturally, any reforms to the UK GDPR potentially put the region's adequacy agreement with the EU at risk. But Edwards wanted to mitigate concerns here, as well. "Given DCMS have committed to high standards, I struggle to see how the legal protections will be less in Cardiff than is afforded to those in Copenhagen."

The ICO also plans to provide its three-year plan, which it's calling ICO25, "setting our values, aspirations and priorities" later in the year. 

Edwards offered some feedback from his listening tour, including the need for improved guidance afforded to groups of people who may not know their rights, including migrants, victims of sexual assault and non-English speaking communities. 

He also said organizations want more certainty on how the ICO will respond to complaints.

In response, Edwards said he's looking at the "assurance for positions offered by tax and revenue authorities" in which organizations can ask their regulators, "'If I take this approach, how will you treat it?' The response is a binding ruling that gives an organization the certainty to put their money down and invest in an innovation." Though the ICO currently has a version of this with its Sandbox, Edwards said, "I'd like to explore whether we can offer broader assurance advice," thereby offering a "quicker and more effective (regulatory position) than relying on ex-post enforcement." 

The other significant subject top of mind for Edwards is the role fines play in enforcement.

Though he said they have a role to play, "fines are a slow way to find certainty." Instead, Edwards said, "The view I am forming is that our significant enforcement efforts must be used with surgical and targeted application." 

In addition to his prepared speech, Edwards took questions from the audience and directly answered concerns that the DPO requirement may be softened in the U.K. government reforms. Though he is unsure what will happen with the proposal, he doesn't believe making DPOs non-mandatory "will change incentives within organizations to de-prioritize data protection," adding that "the importance of the role will endure regardless of the regulatory approach of the law reforms." 

Ultimately, Edwards said he wants people to see "an ICO that is agile and curious," and as a regulator "that moves fast and fixes things."  


Since becoming U.K. Information Commissioner Jan. 4, John Edwards has been busy. Near the end of that month, he announced a major listening tour, complete with a series of events across the U.K. in order to hear directly from businesses, organizations and individuals about their experiences with the Information Commissioner's Office. It comes at a busy time for data protection regulation in the region, as the U.K. considers an update to the UK General Data Protection Regulation and adjusts to a post-Brexit relationship with the EU. In his first major public speech as the U.K. commissioner, held in London at the IAPP Data Protection Intensive: UK, Edwards was clear with his message: "I want you to see an ICO that brings you certainty in an uncertain world." IAPP Editorial Director Jedidiah Bracy, CIPP, has the details. 


The Oklahoma House advanced House Bill 2969, the Oklahoma Computer Data Privacy Act, out of chamber on a 74-15 vote. Notable provisions within HB 2969 include unique coverage thresholds, opt-in consent for the collection and sale of personal information and attorney general enforcement. The bill's effective date is Jan. 1, 2023. The Oklahoma Senate must move HB 2969 through committee assignments by April 14 for it to get floor consideration before the April 28 final passage deadline.


The concept of privacy and data protection by design is not new in the privacy world. We know privacy should be integrated in the foundational design of a product or service; that it should be baked in, not bolted on. But what that means in practice is often elusive. In 2018, Enterprivacy Consulting Group founder R. Jason Cronk, CIPP/US, CIPM, CIPT, FIP, wrote the book "Strategic Privacy by Design," which was published by the IAPP. In it, Cronk offered insights for building processes, products and services that consider an individual’s privacy interests as a requirement. In the four years since, law and technology have continued to evolve, prompting Cronk to write a second edition of the book. The IAPP's Jedidiah Bracy, CIPP, recently caught up with Cronk to discuss his work in designing for privacy and what’s new in his second edition.


As consumer trust continues to take precedence in companies' technological developments and innovation, privacy by design has never been more crucial. The second edition of "Strategic Privacy by Design" by Enterprivacy Consulting Group Privacy Engineer R. Jason Cronk, CIPP/US, CIPM, CIPT, FIP, offers a new guide to implementing privacy by design from a practitioner's perspective. Building upon a series of established components to create an end-to-end method, Cronk uses dozens of examples and graphics to detail best practices for the implementation of privacy by design. The book is now available in print and digital.

The Privacy Advisor Podcast: A conversation with R. Jason Cronk

IAPP Editorial Director Jedidiah Bracy, CIPP, recently caught up with Cronk to discuss what’s new in his second edition of "Strategic Privacy By Design" and how the evolution of laws and technology spawned the updates.
