On December 14, 2022, the members of the Organization for Economic Co-operation and Development (“OECD”) (which includes various EU Member States, Mexico, Turkey, the UK and the United States) and the EU, adopted the Declaration on Government Access to Personal Data held by Private Sector Entities (“Declaration”).
On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments. The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.
The GAO turned to a variety of resources to explore the four identified issues. For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S. In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”). Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce.
Continue Reading GAO Releases New Vehicle Data Privacy Report
The Organization for Economic Cooperation and Development (“OECD”) has revised its Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. The revision has been triggered by changes in personal data usage as well as new approaches to privacy protection since the adoption of the first Guidelines back in 1980, which were the first set of internationally agreed privacy principles. Whereas the eight basic principles of the 1980 Guidelines (namely the collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, accountability principles) are maintained, the revised Guidelines introduce a number of new concepts and changes to the OECD privacy framework, implementing a risk based approach. These include:
- implementing privacy management programs – essential elements discussed in this respect include privacy policies, employee training and education, provisions for sub-contracting, audit process and privacy risk assessment;
- introducing mandatory data security breach notification – requiring notification to the privacy enforcement authority where there is a significant security breach affecting personal data and notification to individuals where such a breach is likely to adversely affect individuals;
- the need for privacy enforcement authorities and national privacy strategies – the revised Guidelines recognize the need to establish authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis; they also promote the development of a coordinated approach across governmental bodies up to the highest levels; Member countries should also consider complementary measures, including education and awareness raising, skills development and the promotion of technical measures;
- improving global interoperability – to be improved through international arrangements (examples mentioned include the U.S.-EU Safe Harbor framework, the EU Binding Corporate Rules and the Council of Europe Convention 108 on the Automated Processing of Personal Data) and global cooperation among privacy enforcement authorities.