ICO consults on privacy “regulatory sandbox”

Designing data-driven products and services in compliance with privacy requirements can be a challenging process. Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR). These challenges are often particularly acute for companies providing products and services leveraging artificial intelligence technologies, or operating with sensitive personal data, such as digital health products and services.

Recognising some of the above challenges, the Information Commissioner’s Office (ICO) has commenced a consultation on establishing a “regulatory sandbox”. The first stage is a survey to gather market views on how such a regulatory sandbox may work (Survey). Interested organisations have until 12 October to reply.

The key feature of the regulatory sandbox is to allow companies to test ideas, services and business models without risk of enforcement and in a manner that facilitates greater engagement between industry and the ICO as new products and services are being developed.

The regulatory sandbox model has been deployed in other areas, particularly in the financial services sector (see here), including by the Financial Conduct Authority in the UK (see here).

Potential benefits of the regulatory sandbox include reducing regulatory uncertainty, enabling more products to be brought to market, and reducing the time of doing so, while ensuring appropriate protections are in place (see the FCA’s report on its regulatory sandbox here for the impact it has had on the financial services sector, including lessons learned).

The ICO indicated earlier this year that it intends to launch the regulatory sandbox in 2019 and will focus on AI applications (see here).

Further details on the scope of the Survey are summarised below.

UK “No-Deal Brexit” Technical Notice Sets Out Plans on EU – UK Data Flows

By Inside Privacy on September 16, 2018 Posted in European Union, United Kingdom

By Grace Kim and Ezra Steinhardt

On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”). The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome,” but that “it’s our duty as a responsible government to prepare for all eventualities.” One of the notices, “Data protection if there’s no Brexit deal,” sets out the UK government’s position on data flows between the UK and EU and recommends actions that organizations should take to help ensure the continued flow of personal data from the EU to the UK if no agreement is reached.

Data privacy standards in the UK to remain the same

In the event of a no-deal Brexit, the technical notice is clear that the UK will maintain the same data protection standards as exist today. This is because the General Data Protection Regulation (“GDPR”) currently applies in the UK (as it remains, for now, an EU Member State), and, at the point of a no-deal Brexit, the UK would incorporate the GDPR into UK law. The GDPR rules — now and following Brexit — are supplemented by the UK Data Protection Act 2018, which sets out how certain aspects of the GDPR apply in the UK (e.g., in relation to children’s data). Continue Reading

Key Provisions in India’s Draft Personal Data Bill

By Dena Feldman on September 12, 2018 Posted in Cross-Border Transfers, Data Privacy, India, International

Key Provisions in India’s Draft Personal Data Bill

This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or services in India.

High Level Insights

The General Data Protection Regulation (GDPR) as a Model: For the most part, the Committee’s recommendations use GDPR as a model. The draft bill grants individual rights, institutes heightened consent requirements, mandates organizational practices such as DPIAs, and imposes stiff penalties for non-compliance. However, the draft bill coins new terminology, referring to GDPR’s “data subjects” as “data principals” and GDPR’s “data controllers” as “data fiduciaries.”

Data Localization: The Committee includes a data localization provision that requires copies of Indian personal data be stored in India. Likewise, it erects barriers that make it more difficult to transfer personal data out of India.

The Central Role of the Data Protection Authority (DPA): As in GDPR, the draft bill would introduce a DPA with the power to interpret regulations, investigate businesses, and issue fines, injunctions, and even criminal penalties. But unlike GDPR, the Committee’s proposal empowers the DPA to engage in rulemaking. For example, the DPA could identify new categories of sensitive data, specify new lawful bases for processing, and decide whether a particular business needs to hire a DPO, perform a DPIA, or undergo a data audit. As such, the DPA’s leadership and structure may have a substantial impact on the scope of India’s data protection regime.

California Legislature Passes Amendments to Expansive Consumer Privacy Law

By Alexandra Scott on September 4, 2018 Posted in Data Privacy, Data Security, State Legislatures, United States

Less than three months ago, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). Industry and privacy watch groups alike have scrutinized the law. This summer saw fierce negotiations all in the name of improving the CCPA. Last Friday, on August 31, 2018, the California legislature passed SB 1121 to amend the CCPA.

The CCPA applies to for-profit entities that conduct business in California. It has an expansive definition of personal information, and grants California residents a number of new rights, including rights to request access to and deletion of certain data, and to opt-out of the sale of data. For a more detailed summary of the CCPA, please see our previous blog post.

SB 1121 largely preserves the substance of the CCPA, but it contains the following technical edits: Continue Reading

U.S. Wireless Industry Establishes IoT Security Certification Program

By Rafael Reyneri on August 31, 2018 Posted in Cybersecurity, Internet of Things (IoT)

CTIA, the U.S. wireless industry’s trade association, recently announced the creation of a cybersecurity certification program for Internet of Things (IoT) devices that connect to the internet via LTE or Wi-Fi. The program permits device makers to submit such IoT devices for testing by CTIA-authorized labs in order to obtain a certification of compliance with respect to cybersecurity.

Covington Webinar: Examining the CLOUD Act

By Alexander Berengaut and Katharine Goodloe on August 28, 2018 Posted in Cloud Computing, Cross-Border Transfers, Data Privacy

Covington’s Alex Berengaut and Kate Goodloe today hosted a webinar on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act. The CLOUD Act was signed into law in March and creates a new framework for government access to data held by technology companies worldwide. The webinar, hosted with DataGuidance, is available here. The webinar expands on many aspects of the CLOUD Act we previously covered on this blog.

Brazil’s New General Data Privacy Law Follows GDPR Provisions

By Melanie Ramey on August 20, 2018 Posted in Cross-Border Transfers, Data Privacy, International

On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation.

The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial application and vast fines of up to two percent of the company’s previous year global revenue (the GDPR allows for up to four percent in certain aggravated circumstances).

EU and Japan conclude talks on reciprocal adequacy finding

By Anna Oberschelp de Meneses on August 17, 2018 Posted in Cross-Border Transfers, Data Privacy, European Union, International

On July 17, 2018, the European Commission successfully concluded negotiations with Japan on a reciprocal adequacy finding which will allow personal data to flow freely from the EU to Japan (and vice versa).

The adequacy decision has not yet been formally adopted, as it must still undergo the respective EU and Japanese approval procedures, which the EU and Japan expect to complete by fall 2018. During that period, Japan is expected to implement additional safeguards required in order to meet EU data protection standards (e.g., for onward transfers).

The conclusion of the negotiations follow Japan’s recent modernization of its data protection legislation which increased the convergence between the two systems. By agreeing on a reciprocal adequacy decision, the European Commission (representing the EU) and Japan acknowledge each other’s data protection laws to “adequately” protect personal data. Once the adequacy decision is adopted, data can flow safely between the EU and Japan without the need to adopt additional safeguards (e.g., standard contractual clauses). The adequacy decision is expected to strengthen trade and economic relations between the EU and Japan.

NTIA’s International Internet Policy Priorities for 2018 and Beyond

By Jadzia Pierce on August 10, 2018 Posted in Artificial Intelligence (AI), Cybersecurity, Data Privacy, Department of Commerce, Emerging Technologies, Internet of Things (IoT)

On July 20, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) published comments it received from a wide array of tech and telecom companies, trade groups, civil society, academia, and others regarding its “international Internet policy priorities for 2018 and beyond.” NTIA’s Office of International Affairs (“OIA”) had requested comments and recommendations from interested stakeholders in four broad categories: (1) free flow of information and jurisdiction; (2) the multistakeholder approach to Internet governance; (3) privacy and security; and (4) emerging technologies and trends. NTIA plans to harness the comments it received to help it identify “priority” issues, and to leverage its resources and expertise to effectively address stakeholders’ interests. Continue Reading

District Court Rules “Direct Drop” Voicemails Subject to TCPA

By Hannah Lepow on August 2, 2018 Posted in Advertising & Marketing, Mobile, United States

Last month, a Michigan federal district court judge denied defendant’s motion for summary judgment regarding application of the Telephone Consumer Protection Act (“TCPA”) to “direct drop” voicemail messages (also known as “ringless voicemail”). Emphasizing the “broad net” cast by the TCPA, Judge Gordon J. Quist of the Western District of Michigan held that such messages constitute “calls” under the statute.

Plaintiff Karen Saunders alleged that defendant Dyck O’Neal, Inc., made repeated debt collection calls to her over the course of a year. In addition to these calls, defendant left approximately 30 direct drop voicemails on plaintiff’s mobile phone. Dyck O’Neal argued that these voicemails did not fall within the scope of the statute, as its service provider, VoApp, did not dial Saunders’ cell phone number to leave the message, but instead, through alternate technology, placed the message directly on a voicemail service. The court rejected this argument, finding that “by leaving a voicemail directly with the server space associated with Saunders’ phone, Dyck O’Neal was attempting to communicate with Saunders via her phone—which is the definition applied to the TCPA’s use of ‘call.’”

The service provider in Saunders filed a petition for declaratory ruling with the Commission in 2014, arguing that its service should not be covered by the TCPA. Last year, All About the Message, LLC, another service provider, again sought a declaratory ruling, although it later withdrew its petition. The FCC has not yet spoken on this issue.