On May 18, 2023, the Federal Trade Commission (“FTC”) unanimously adopted its Policy Statement on Biometric Information and Section 5 of the Federal Trade Commission Act (“Policy Statement”), addressing the increasing use of consumers’ biometric information and the marketing of technologies that use or claim to use it, regarding which the FTC raises significant concerns in the areas of privacy, data security, and the potential for bias and discrimination. In addition, the Policy Statement provides a detailed discussion of the established legal requirements applicable to the use of biometrics, particularly those relating to Section 5 of the FTC Act, and lists examples of the practices the agency will scrutinize in determining whether companies’ use of biometric technologies runs afoul of Section 5.

Continue Reading FTC’s New Policy Statement on Biometric Information Provides Clear Warning to Companies on Increased Scrutiny of Facial Recognition & Related Biometrics Practices

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

The Philippines Consults on Draft Consent and Private Identification Cards Guidelines | Privacy World

Southeast Asia and the EU Publish a First-of-its-Kind Interoperability Guide for Data Transfers | Privacy World

Changes to Spanish Data Protection Laws | Privacy World

Navigating Data Privacy Assessments Amid New State Laws | Privacy World

The Philippines and Hong Kong Sign Data Protection Mutual Assistance Agreement | Privacy World

South Korea Consults on Draft Decree to Personal Information Protection Act | Privacy World

Bilingual Draft of China’s Standard Contract for Export of Personal Data | Privacy World

Data Protection Impact Assessments: Are You Ready? | Privacy World

Introducing Our AI Webinar Series | Privacy World

Scott Warren to Speak at Legal Plus 3rd Annual Asia International Arbitration and Competition Law Summit | Privacy World

SYMPOSIUM: Stephanie Faber to Speak at the 3rd Annual France-Singapore Symposium on Law and Business | Privacy World

Florida Joins the Privacy Pack with an Opt-In to Sale of Sensitive Data | Privacy World

The Philippines’ National Privacy Commission (NPC) has released for public comment two sets of draft guidelines on:

  • Consent as a basis for processing personal data (Consent Guidelines)[1]
  • The issuance and use of identification cards by private organizations (ID Cards Guidelines)[2]

Consent Guidelines

Consent is acknowledged as the most common criterion for processing personal data. Hence, the NPC has determined the need to provide further guidance to the industry on the concept and usage of consent as a lawful basis for processing personal data.

Data Privacy Principles

The Consent Guidelines set out the following data privacy principles that must be adhered to:

  • Transparency
  • Legitimate purpose
  • Proportionality
  • Fairness

There is a minimum level of information that must be provided to data subjects in a clear and concise[3] manner. This includes the purpose, nature, extent, duration and scope of processing, the identity of the organization, the existence of data subject rights, and how these can be exercised.

Where there is further processing of personal data for additional purposes beyond what the data was initially collected for, a compatibility assessment should first be done to establish:

  • A clear and reasonable link between the original and new purposes of the processing
  • The context in which the data was collected, and any reasonable expectations on further use based on the parties’ relationship
  • The nature of the data and the impact of its further processing on the data subject
  • The existence of appropriate security measures accorded to the processing

Where the additional purpose goes beyond what a data subject might reasonably expect, then consent is required.

Elements of Consent

The elements to valid consent are as follows: it must be freely given, specific, informed, an indication of will, and evidenced by written, electronic or recorded means.

Public bodies – The use of consent as a basis for processing by public authorities is permitted where the processing activity is unrelated to what is required by law or regulation.

Contracts of adhesion – Where a party imposes a ready-made form of contract on the other party (known as a contract of adhesion in the Philippines), consent is only valid if the contract of adhesion contains all the necessary information to demonstrate transparency, and the processing is necessary and for a legitimate purpose, is not excessive and is fair and lawful.

Quality of consent – Consent must be granular and not bundled. However, organizations must avoid consent fatigue by properly identifying the lawful basis for processing prior to any data collection. If another lawful basis applies, then a request for consent is unnecessary and does not need to be made. Implied consent is not valid. On the other hand, if all the elements of consent are present, then it is possible that a data subject’s continued use of a specific service is an assenting action that signifies consent.

Format of consent – There is no differentiation among different formats or media for capturing consent. An organization must, however, keep evidence of the consent, including the date it was obtained, the method of obtaining it, who obtained it, and what information was given to the data subject. Deceptive design or dark patterns and other forms of coercion will void any manner of obtaining consent, and the NPC will consider such determination on a case-by-case basis.

Withdrawal of consent – Consent may also be withdrawn at any time and without cost to the data subject, subject to any limitations prescribed by law or contract. It must be as easy as giving consent. When consent is withdrawn, an organization must stop processing without undue delay, and delete the personal data if there is no other lawful basis to justify its continued processing. The data can still be retained post-withdrawal, but only for a reasonable period based on industry standards and other relevant considerations.

Specific Processing

Direct marketing – Consent is required for direct marketing where this would significantly affect the rights and freedoms of a data subject. The guidelines list the following as examples: analyzing or predicting personal preferences, behavior and attitudes of the data subject to inform subsequent decision-making, tracking and profiling for direct marketing, behavioral advertising, data brokering, location-based advertising, tracking-based digital market research, and other analogous activities. However, it is possible to consider direct marketing as a legitimate interest for which consent is not required, but this must be determined on a case-by-case basis.

Data sharing – Where data sharing is based on consent, the data subject must be given specific information about the sharing arrangement.

Research – Research is recognized as important to nation-building and in the public interest. Consent can be obtained within a reasonable time after the conclusion of the data gathering, if obtaining consent prior to collection will affect the research results. Where research is done only through observing public behavior, or where the results will be fully anonymized, consent is not required.

Publicly available information – Significantly, the guidelines clarify that the fact that personal data is provided by a data subject on a publicly accessible platform does not mean that blanket consent has been given for its use for any purpose whatsoever. Ultimately, organizations bear the responsibility of identifying and proving that their processing is pursuant to a lawful basis under Philippine data privacy law, as applicable.

Profiling and automated processing – Data subjects must be informed of any profiling or automated processing of their personal data. There must be safeguards against discriminatory outcomes affecting, or unfair treatment of, data subjects. Consent must be obtained for automated processing that solely determines any decision that has legal ramifications or a significant impact on a data subject.

Miscellaneous provisions – The processing of sensitive personal data through a contract between an organization and a data subject will be regarded as one that is based on consent. Hence, the requirements for consent must be complied with. Further, any waiver by a data subject of their privacy rights, including the right to file a complaint, will be void.

ID Cards Guidelines

This set of guidelines will apply to any private organization that issues an identification card to a data subject. Such cards may be in a physical or digital format, and include company IDs, school IDs, insurance cards, membership cards, and even rewards or loyalty cards.

The requirements imposed for these ID cards are:

  1. They must only capture personal data as is necessary for the purpose of identifying the data subject. However, other personal data may be included if explicitly required by law.
  2. The organization that issues the ID cards must implement appropriate safeguards to protect personal data on these cards, which must be on par with technological advancements, best practices and industry standards.
  3. The organization issuing the cards bears the ultimate burden of demonstrating that the inclusion of any personal data is proportionate to a legitimate purpose.

Violation of the above carries criminal, civil and administrative liability as set out in the Philippines’ data privacy law.

Effective Date

Each set of the guidelines will take effect 15 days after it is published in a newspaper or a gazette, and affected organizations have 90 days from such effective date to comply with it.

Public Consultation

Comments on either of these guidelines must be submitted to policy@privacy.gov.ph no later than June 9, 2023, with the subject: “Public Consultation – Consent” or “Public Consultation – ID Cards,” as the case may be.

Privacy World will continue to cover developments. For more information, contact your relationship partner at the firm.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accept responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

[1] https://privacy.gov.ph/wp-content/uploads/2023/05/DRAFT-Circular-Guidelines-on-Consent-For-Public-Consultation.pdf.

[2] https://privacy.gov.ph/wp-content/uploads/2023/05/DRAFT-Circular-on-ID-Cards-For-Public-Consultation.pdf.

[3] Language used must not be confusing or complex.


The European Commission and the Association of Southeast Asian Nations (ASEAN) have published a first-of-its-kind guide[1] that identifies the similarities and differences between the ASEAN model contractual clauses (ASEAN MCCs) and the EU standard contractual clauses (EU SCCs).

A second guide will be issued in due course, which will provide best practices for meeting both sets of contractual clauses.

The objective of these guides is to:

  • Help companies that export or import data across the ASEAN and EU regions understand the similarities and differences between the respective contractual clauses
  • Aid these companies in meeting the respective requirements of the contractual clauses
  • Facilitate overall compliance with ASEAN and EU data protection laws as may be applicable

As noted by Didier Reynders, the European Commissioner for Justice,[2] model clauses are a “ready-made, cost-effective solution” that are especially useful for small and medium enterprises (SMEs), and “currently by far the most used instrument for international data transfers” in the EU.

In the first comparative guide, issued on 24 May 2023, specific commonalities and distinctions between the contractual clauses were identified, based on the following areas:

  1. Entering into the ASEAN MCCs or EU SCCs:
    1. Choosing appropriate modules to be adopted
    2. Execution and completion formalities
    3. How other contractual commitments between the parties are dealt with
    4. Any changes to the contracting parties
  2. Interpretation of the clauses, and their governing law
  3. Data protection safeguards:
    1. Lawfulness of the transfer
    2. Specifying the purpose of the transfer
    3. Data accuracy
    4. Data minimisation
    5. Storage limitation
    6. Security and confidentiality
    7. Sensitive personal data
    8. Onward transfers
  4. Data subject rights, including third-party beneficiary rights
  5. Accountability by the contracting parties
  6. Supervisory authority
  7. Government access
  8. Termination and survival clauses
  9. Dispute resolution

The guide provides the above comparisons for (i) controller-to-controller transfers and (ii) controller-to-processor transfers, to reflect where both sets of contractual clauses are structurally congruent.

Takeaways

MCCs are certainly continuing to gain significant traction globally.

Our team has prepared a detailed side-by-side comparison of the ASEAN MCCs and EU SCCs, together with China’s Standard Contract for Cross-Border Transfers of Personal Information,[3] as well as discussing the Latin American Data Protection Board SCCs and the Council of Europe’s SCCs that are being worked on. We expect to publish this article soon, so do subscribe to keep updated.


[1] https://asean.org/wp-content/uploads/2023/05/The-Joint-Guide-to-ASEAN-Model-Contractual-Clauses-and-EU-Standard-Contractual-Clauses.pdf.

[2] See Foreword to the guide, at paragraph 2.

[3] http://www.cac.gov.cn/2022-06/30/c_1658205969531631.htm


The Spanish data protection and e-commerce legislation has been recently amended in order to, on the one hand, redefine the nature of the process to issue reprimands to data controllers and processors (so that reprimands are removed from the list of sanctions resulting from infringement of the regulations) and, on the other hand, relax the rules governing the Spanish authority’s investigation procedure, enlarging the term for conducting investigation activities and allowing for the authority to operate remotely, among other updates. We summarize the impact of these modifications and how they may affect organizations now that these new provisions have entered into force.

The new law

A few weeks ago, Law 11/2023 of 8 May 2023 on the transposition of European Union Directives on the accessibility of certain products and services, migration of highly qualified persons, taxation and digitalisation of notarial and registry actions, and amending Law 12/2011 of 27 May on civil liability for nuclear damage or damage caused by radioactive materials (the “Law”) was published in the Official State Gazette (BOE).

The Law provides, amongst other amendments, for the modification of certain aspects contained in Constitutional Law 3/2018, of 5 December 2018, on the Protection of Personal Data and the guarantee of digital rights (“LOPDgdd”) and in Law 34/2002, of 11 July 2002, on information society services and electronic commerce (“LSSI”).

Changes in the process to issue warnings

As part of the sanctions and corrective measures available under the LOPDgdd, the Spanish Data Protection Agency (the “AEPD”) contemplated the possibility of sanctioning controllers or processors of personal data with a “reprimand” in the event of a breach of the European General Data Protection Regulation (the “GDPR”).

This warning process has been amended to become a measure of a non-punitive nature, subject to a more agile processing procedure that allows for a quicker response to complaints from the public.

The new regulation stipulates that the AEPD, after hearing the data controller or processor, may issue a reprimand, as well as order the data controller or processor to adopt corrective measures to put an end to the possible breach of the legislation in a certain manner and within the specified period of time. This process will have a maximum duration of six months, after which it will lapse and the proceedings will be closed.

Changes in the resolution of investigations

To accommodate the increasing number and complexity of complaints filed with the AEPD, the time limit for sanctioning proceedings has been extended from nine (9) to twelve (12) months, and from twelve (12) to eighteen (18) months for preliminary investigation proceedings. This extension is also intended to facilitate cooperation between data protection authorities in the European Union, as required by the one-stop-shop mechanism.

It also provides for the possibility of conducting investigations remotely, through digital systems. Thus, this would allow the AEPD to contact the investigated party by videoconference or other similar methods, ensuring, however, that the transmission and receipt of documents remains secure.

Changes to the complaint procedure

This Law also aims to simplify the process for lodging complaints. It contemplates the possibility for the AEPD to provide complaint forms in all areas in which it has competence. These forms will be mandatory one month after publication, although there is no confirmation of when they will be available yet.

Changes to the AEPD Statute

The Law also regulates the replacement of the Presidency of the AEPD in the event of absence, vacancy or illness, abstention or recusal. At present, the Statute reserves the exercise of the procedures regulated by the LOPDgdd to the Presidency, preventing their delegation and action in cases of possible infringement of data protection regulations in the circumstances previously mentioned. From now on, these functions may be assumed by the person in charge of the management body that carries out inspection functions, as they have the necessary specialisation in the matter.

Changes to the LSSI

Lastly, the LSSI is also amended to incorporate the following provisions:

  • The Ministry of Economic Affairs and Digital Transformation will also monitor compliance with European data governance obligations by data brokering service providers and recognised data management organisations for altruistic purposes. To this end, a national register of data management organisations for such purposes will be established.
  • Serious infringements, which previously required “habitual” non-compliance by service providers, now require “significant or repeated” non-compliance with the obligations set out in Articles 3 to 12 of Regulation (EU) 2019/1150 and Articles 11, 11(9), 12, 18 to 22, and 31 of Regulation (EU) 2022/868. Failure to comply with the obligations set out in the listed articles, where they do not constitute serious infringements, shall be minor infringements.
  • With regard to sanctions, organisations committing the serious infringements provided for in letters n), ñ) and o) of Article 38.3 of the LSSI (which concern the obligations set out in Articles 11, 11(9) and 12 of Regulation (EU) 2022/868) may be sanctioned with the definitive cessation of the data provision activity. This may be applied without prejudice to the applicable financial penalties.
  • Amongst the criteria for determining the amount of the sanction, the adoption of measures to mitigate or repair the damage caused by the infringement will be considered.
  • Previously, the regulations provided for the possibility of issuing a warning to the responsible person, instead of initiating a sanctioning procedure, when the facts constituted a minor or serious infringement and the competent body had not previously sanctioned or warned the offender. The latter requirement disappears from the current wording, which only requires consideration of the level of seriousness of the infringement.

Next steps

If you have any questions about how these modifications could impact your data protection policies and procedures, please do not hesitate to contact our Data Privacy, Cybersecurity and Digital Assets team in Spain: Bartolomé Martín (bartolome.martin@squirepb.com) and Claire Murphy (claire.murphy@squirepb.com).

With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), the California Privacy Rights Act (“CPRA”), and the Colorado Privacy Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here.

On 22 May 2023, the Philippines’ National Privacy Commission (NPC) and the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) signed a Memorandum of Understanding (MOU)[1] to cooperate on data protection matters.

Under the MOU, the authorities will provide mutual assistance in investigations pertaining to cross-border data incidents and breaches, and facilitate information sharing with one another.

The authorities will also collaborate on training and education on current and emerging data protection issues, with a view to fostering a more secure, inclusive and data-driven digital landscape.

The parties have also agreed to explore and identify suitable organisations from both jurisdictions to participate in a cross-jurisdictional sandbox to test-bed innovative data sharing cases.

Commentary

While it is certainly not new[2] for regulatory bodies to sign MOUs with one another covering cooperation and mutual assistance in data protection matters, including information sharing in incident and breach investigations, it will be interesting as more and more authorities enter into such arrangements. Among other things, such frameworks will have direct implications on how businesses handle cross-border data privacy compliance, including responding to a multijurisdictional breach and the regulatory investigations that ensue.


[1] “PH, HK sign MOU on Personal Data Protection”, National Privacy Commission and “Privacy Commissioner’s Office Signs MoU with its Philippines Counterpart to Foster Closer Collaboration and Cooperation in Personal Data Privacy Protection”, PCPD

[2] See for instance “Memorandum of Understanding Between OAIC and PDPC”, Personal Data Protection Commission, Singapore (PDPC); “Hong Kong and Singapore Authorities Renew MOU to Maintain Close Ties and Foster Closer Collaboration in Personal Data Protection”, PDPC; and “UK ICO and PDPC Sign MOU for Mutual Regulatory Interest”, PDPC.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

South Korea Consults on Draft Decree to Personal Information Protection Act | Privacy World

Bilingual Draft of China’s Standard Contract for Export of Personal Data | Privacy World

Data Protection Impact Assessments: Are You Ready? | Privacy World

Introducing Our AI Webinar Series | Privacy World

Scott Warren to Speak at Legal Plus 3rd Annual Asia International Arbitration and Competition Law Summit | Privacy World

SYMPOSIUM: Stephanie Faber to Speak at the 3rd Annual France-Singapore Symposium on Law and Business | Privacy World

Florida Joins the Privacy Pack with an Opt-In to Sale of Sensitive Data | Privacy World

Singapore Introduces New Law to Order Removal, Blocking of Harmful Online Content | Privacy World

California Federal Court Dismisses Direct and Derivative Liability CIPA Claims Brought Against Website Operator Concerning Chat Feature | Privacy World

NIST Not Voluntary in the Volunteer State: Tennessee Privacy Law Requires Comprehensive Written Privacy Program that Conforms to a Voluntary Framework. Will this Framework Become a De-Facto National Approach to Judging Compliance with New Privacy Obligations? | Privacy World

New CISA Guidelines Lay Out Unified International Principles on Security-by-Design and Security-by-Default | Privacy World

BREAKING: Seventh Circuit Affirms Dismissal of Lawsuit Alleging Violation of Genetic Right to Privacy, Rebuffing Claims Premised on Stock Purchase of Genetic Testing Company | Privacy World


On May 18, 2023, South Korea’s privacy regulator, the Personal Information Protection Commission (PIPC), released for public consultation a draft decree[1] under the Personal Information Protection Act (PIPA). The key changes proposed in the draft decree are as follows.

Consent

The draft decree seeks to enhance the right under the PIPA of citizens who are data subjects, to determine how their personal data may be processed. This is done by specifying that, where consent is the appropriate basis for processing personal data, such consent must be freely given by each data subject after it has been made explicitly clear to them that they can choose whether or not to consent. This includes ensuring that any personal data processing policy is implemented and disclosed in an easy-to-understand manner.

Where personal data is collected from a third party other than the data subject, the draft decree streamlines the requirement for notification that must be given, to the third-party source, of the details of use of the data subject’s personal data.

China recently released its China Standard Contract for Export of Personal Information (China SCs), which are required to export any personal information (unless stricter rules apply, such as for critical information and/or large-volume personal data). As the template is only in Chinese, we created this bilingual draft to assist in understanding its content and the obligations. Please note that the China SCs must be filed in Chinese, and it remains unclear whether the authorities will accept a bilingual version. However, in the hope that this bilingual version can be filed, we have clarified within Annex II that the Chinese version governs in the event of a discrepancy.

You may note several similarities to the EU/UK Standard Contractual Clauses, but also some significant differences, such as the requirement for Processors to notify the Chinese authorities and individuals in the event of a breach, and the duty to follow Chinese authority requests as to China data subject information stored abroad.

In addition to signing the SCs, the data exporter in China must also conduct/create a Personal Information Protection Impact Assessment (PIPIA) detailing, among other things, the necessity of exporting each piece of data, as well as the nature of the recipient jurisdiction’s data protection regime. The data exporter in China must file both the China SCs and PIPIA with the authorities within 10 working days from the effective date of the SCs and prior to the data export. This comes into effect June 1, 2023, except for prior exports, which have until December 1, 2023.

For more information, please see our article, China Releases the Standard Contract on Personal Information Export, and/or our webinar, China’s New Personal Data Export Restrictions, which provide additional detail. Alternatively, feel free to reach out to your SPB contact or one of the authors of the above material, should you have any further questions.