IAPP CIPM Chapter 3

What is the Canadian DPL and Authority? Personal Information Protection and Electronic Documents Act (PIPEDA); Office of the Privacy Commissioner of [COUNTRY] (OPC) True/False: Canadian provinces may have separate DPLs that are stricter than PIPEDA? True What is the Chinese DPL and Authority? Cybersecurity Law of [COUNTRY]; Data Security Law of [COUNTRY]; Personal Information Protection Law of [COUNTRY] (PIPL) Cyberspace Administration of [COUNTRY] ("CAC") is the lead agency, other regulators may monitor sector-specific issues. What is the EU DPL and Authority? General Data Protection Regulation (GDPR); member state supervisory authority/lead supervisory authority. What is the Hong Kong DPL and Authority? Personal Data (Privacy) Ordinance, Cap. 486; Office of the Privacy Commissioner for Personal Data (PCPD) What is the Israeli DPL and Authority? Protection of Privacy Laws (PPL); Privacy Protection Authority (PPA) What is the India DPL and Authority? Information Technology Act 2000; Ministry of Electronics and Information Technology (MEITY). What is the Japanese DPL and Authority? Act on the Protection of Personal Information (APPI); Personal Information Protection Commission (PIPC) What is the New Zealand DPL and Authority? Privacy Act 2020; Office of the Privacy Commissioner (OPC) What is the Singapore DPL and Authority? Personal Data Protection Act of 2012 (No. 26 of 2012)(PDPA); Personal Data Protection Commission (PDPC) What is the South Korea DPL and Authority? Personal Information Protection Act (PIPA); Personal Information Protection Commission (PIPC) What is the Turkish DPL and Authority? Law on the Protection of Personal Data No. 6698 (LPPD); Personal Data Protection Authority (KVKK) What is the UK DPL and Authority? Data Protection Act of 2018 (DPA) and [COUNTRY]; Information Commissioner's Office (ICO). What three privacy policy frameworks are the basis for most countries' DPLs? Organization for Economic Cooperation (OECD); Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and the Asia Pacific Economic Cooperation (APEC) What foundational principles did the policy frameworks provide for national DPLs? Collection limits Data quality requirements Purpose specification Use limits Security safeguards Openness Ind'l participation Accountability What are some common parts of different countries' DPLs? Ensuring ind'l rights including access to data and the right to correct/delete data Safeguarding obligations Contractual requirements Audit protocol Self-regulatory regimes Marketplace expectations When was the GDPR first proposed? 2012 When was the GDPR agreed upon? December 2016 When did GDPR become effective? May 25, 2018 What is in Article 1.1 of GDPR? Rules protecting natural persons regarding the processing of personal data and free movement of personal data. What is in Article 1.2 of the GDPR? Protection of fundamental rights/freedoms of natural persons esp. re: right to protection of personal data. What is in Article 1.3 of the GDPR? Free movement of personal data w/in the EU isn't restricted or prohibited due to the protection of natural persons with regard to the processing of data. What is in Article 2 of the GDPR? The scope of the law. What is in Article 2.1 of the GDPR? GDPR applies to the processing of PD by wholly or partly automated means and to processing by non-automated means that are part of a filing system. What is in Article 2.2 of the GDPR? Exclusions from processing the PD: (a) in an activity that falls outside the scope of EU law; (b) by Member States when carrying out activities under Chap. 2, Title V, of the TEU; (c) by a natural person in the course of purely personal or household activity; (d) by competent authorities relating to criminal offenses. What is in Article 3 of the GDPR? Territorial Scope What is in Article 3.1 of the GDPR? GDPR applies to processing of personal data by a controller or processor in the EU even if processing doesn't take place in the EU. What is in Article 3.2 of the GDPR? GDPR applies to the PD of data subjects in the EU by controllers or processors not located in the EU if the processing activities are related to offering of goods/services to data subjects in the Union even if no payment by data subject is required and behavior monitoring withing the EU. What is in Article 3.3 of the GDPR? GDPR applies to processing of PD by a controller not in the EU but in a place where Member State law applies by virtue of public international law. What rights does the GDPR give the consumers? Withdraw consent for processing Request a copy of their PD Request move of their PD to a different org'n Request deletion of their PD Object to automated decision-making processing, including profiling What obligations does the GDPR place on organizations? Implement Privacy by Design principles Maintain appropriate safeguards Notify data protection authorities and consumers of data breaches w/in 72 hours Get consent for PD collection Provide notice to consumer of personal data processing activities Parental consent for children under 16 Keep records of all PD processing Appoint a DPO if needed Assume responsibility for vendor processing Conduct DPIAs on new/high-risk processing activities Cross-border transfer safeguards Consult regulators before processing if needed Demonstrate compliance on demand Provide data protection training to personnel that need to know When does the GDPR require an org'n appoint a DPO? Regular processing of PD Processing of highly sensitive PD What powers are regulators given by the GDPR? Ask for processing records and proof of steps taken to comply with GDPR Impose temporary data processing bans Require data breach notification Order erasure of PD Suspend cross-border data flows Enforce penalties of up to 20M Euro or 4% of annual revenue for non-compliance. What was the first comprehensive privacy law enacted in the United States? The California Consumer Privacy Act (CCPA) in June of 2018 When did CCPA go into effect? January 1, 2020 Who enforces the CCPA? Cali AG's office, which also promulgates the regs. What rights do consumers have under the CCPA? Request record of types of data org'n had about them Request information re: what an org'n does with their PD Request information re: what third-parties do with their PD Request erasure of PD Opt-out What obligations does the GDPR place on organizations? Provide methods to receive consumer requests about their PD, including toll-free phone numbers, web forms, email addresses Disclose to whom they sell data Add a "Do Not Sell My Personal Information" link on their websites Disclose what PII is collected and how used Provide online privacy notice Treat consumers equally, regardless of their opt-out status Express opt-in for children 13-16 and parental opt-in for children under 13 Train certain employees on consumer rights What are exceptions to the CCPA? Completion of a payment transaction Research Free Speech Limited internal analytical use What powers does the CCPA give to regulators? Cali AG enforces and can enforce fines up to $7,500 per intentional violation and up to $2,500 per unintentional violation if don't cure within 30 days after notice. When was Brazil's LGPD passed? August 18, 2018 When did the LGPD go into effect? September 18, 2020 When could administrative sanctions be imposed under the LGPD? August 1, 2021 Was