April 4, 2019 Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability K Royal , Director, Consulting, TrustArc Margaret Gloeckle , Privacy & Compliance Counsel, A+E Networks Debra Bromson , Assistant General Counsel, AAA Club Alliance Victoria E. Beckman , Partner, Frost Brown Todd
Your Speakers
• Victoria Beckman, Partner, Frost Brown Todd
• Margaret Gloeckle, VP, Privacy & Compliance Counsel, A+E Networks
• Debra Bromson, Asst. General Counsel, AAA Club Alliance
• K Royal, Director, Consulting, TrustArc
Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability
• Introduction to Data Portability
• Laws on Data Portability
• Enforcement
• Considerations
• IP Rights
• Operational Impact
• Impact to Individuals
• Questions
Introduction
Data Portability Why do we care?
What is it? The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
What is it? Data portability is closely related to but differs from the right of access in many ways. It allows for data subjects to receive the personal data , which they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.
What is it? Themes Empower Control Choice
What is it? The required format differs by law:
• GDPR: structured, commonly used and machine-readable format
• CCPA: exported in user-friendly readable format
• Proposed WPA: structured, commonly used, and machine-readable format
• PDPO Hong Kong: … as far as practicable, be: (i) intelligible; (ii) readily comprehensible; (iii) in an appropriate language and (iv) in a form specified in the request (or in such form as the data user thinks fit if not specified). This right might therefore be used to ask for data in a portable format.
Laws on Data Portability
Recent Movement
United States:
• Recent US State Law – California (CCPA)
• Proposed US State Laws – Washington (WPA – SB5376), Maryland (SB0613), New Mexico (CIPA – SB 176), Rhode Island (S 0234), Hawaii (S.B. 418), Massachusetts (SD 341)
EU: GDPR & UK
Asia: Hong Kong (PDPO)
Proposed Laws:
• Singapore (February 25, 2019 – proposed amendment to PDPA)
• Australia – Treasury Laws Amendment (Consumer Data Right) Bill 2019
GDPR – Article 20: what it is
• Article 20 of the GDPR creates a new right to data portability, to allow greater control over personal data and allow transfer to another data controller.
• This applies to processing operations based on the data subject’s consent or on a contract to which the data subject is a party.
• Right to receive a subset of personal data provided by the data subject and processed by the data controller.
  – Includes observed data by virtue of the data subject’s use of the service or device
  – E.g. music playlist, contact list from a webmail application, purchases through a loyalty card
  – Does not include “inferred data” and “derived data”
• If a data processor is processing the data requested, then that data processor is obligated to assist the controller to respond to the request.
GDPR – Article 20: what it is not
• Right to transmit personal data on request, where technically feasible
  – Must be done in a safe and secure manner; but no obligation to check and verify the quality of the data
  – Sending data controller is not responsible for compliance by the receiving data controller with data protection laws.
• Data controller does not have the obligation to retain the personal data longer than is necessary or beyond the specified retention period.
• Receiving data controllers are not obliged to accept and process such personal data.
  – They would need to comply with GDPR, so this could mean they say no...
• Data portability cannot be used as a way to delay or refuse erasure of data.
• Not purchased content, but a list of what was purchased, favorites, etc.
CCPA
• Consumers have a right to request that businesses disclose, in portable electronic format, for the prior (look-back) 12-month period:
  – The categories of PI collected about the consumer;
  – The categories of sources of such PI;
  – Purpose for collection or sale of PI;
  – Categories of third parties that the business shares PI with; and
  – Specific pieces of PI the business has collected.
• California requires a response within 45 days (vs. GDPR 1 month)
Laws like GDPR Washington (SB5376) : Controller must provide to the consumer, if technically feasible and commercially reasonable , any personal data that the controller maintains in identifiable form concerning the consumer . . . in a structured, commonly used, and machine- readable format. Time Frame: Within 30 days of receiving verified request.
Laws like GDPR: New Mexico (SB 176) – Hawaii (SB 418)
• Consumers have a right to request that businesses disclose, by mail or electronically, for the prior 12-month period:
  – The categories of PI collected about the consumer;
  – The categories of sources of such PI;
  – Purpose for collection or sale of PI;
  – Categories of third parties that the business shares PI with; and
  – Specific pieces of PI the business has collected.
• Response within 45 days
• If electronically (New Mexico) – to the extent technically feasible and as established by the office of the attorney general by rule, in a format that allows the consumer to transmit the information to another entity without hindrance.
Other U.S. State Laws like GDPR • Maryland (SB 613) • Massachusetts (S.120) • Rhode Island (2019- S 0234)
Laws like GDPR
• Philippines: Data subject shall have the right to obtain from the controller a copy of data undergoing processing in an electronic or structured format which is commonly used and allows for further use by the data subject.
• Hong Kong: A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
• Brazil (Art 18(V)): Unlike GDPR, the right is not limited to data provided based on data subjects' consent. Allows the data subject to request an entire copy of their data to be provided in an interoperable format.
Other Laws
• Laws with a concept but not actually data portability
• Laws that could “block” data portability from being allowed
  – GLBA: prohibits financial institutions from sharing account numbers or similar access numbers or codes for marketing purposes. This applies even when a consumer or customer has not opted out of the disclosure of non-public personal information concerning their account.
  – HIPAA: What consents need to be obtained before the disclosure of this information would be permitted – written consents with details?
• How do you deal with “overlaps” from laws? Consider:
  – If you have to send it from the EU to the US – what would be required?
  – If you are requested to send it to someone in the EU – but you DON’T comply with GDPR – is this an issue?
Enforcement
Penalties
• Equitable
  – Suspension of data flows (GDPR Article 58 2(j))
  – Injunctive relief (CCPA)
• Legal
  – GDPR: Administrative fines up to 4% of annual worldwide turnover
  – CCPA: $2,500 per violation, or $7,500 per intentional violation
Enforcement Action – Private Right of Action
• CCPA – *amendment SB561
• Statutory damages of $100–$750 “per consumer per incident” or actual damages, whichever is greater.
Considerations
Operational Impact
IP Rights
• Inherent conflict between portability and IP rights or concerns.
• Content: music, books, movies – NOT content the data subject provided
• Other examples: genealogy, calculations, employees
Locating Data – How do you find your data?
• Interviews
• Data Inventory
• Data Mapping
• Ongoing process
Data Format
• Unstructured Data: datasets (typically large collections of files) that aren’t stored in a structured database format. Examples: document collections, e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages and many other kinds of business documents.
• Structured Data: data that resides in a fixed field within a record or file. This includes data contained in relational databases and spreadsheets.
Machine Readable
• Machine-readable data is data which can be read and interpreted by a computer program without the need for manual human intervention.
• The data is structured in a simple and consistent open data format that permits easy interrogation by computer code and does not require the purchase of a specific piece of software or operating system in order to access it.
Format
• Financial reports and statistics – CSV (JSON and XML may be acceptable).
• Textual data – reports and publications: HTML, plain text (.txt) or accessible PDFs
  – Traditional word processing documents and portable document format (PDF) files are easily read by humans but typically are difficult for machines to interpret.
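The Article 20 scope rules given earlier (provided and observed data are in scope, inferred and derived data are not) and the format guidance just above can be combined into a small export routine. What follows is an added example written for this page, not code from the presenters or from any organisation named here. The record layout, the `origin` tags on each field, the `format_version` key and every sample value are constructed assumptions; the point it shows is that the export is limited to the right subset of data and that a receiving program can read both outputs back without manual intervention.

```python
"""Added example: building a data-portability export package.

Constructed illustration for this page; not code from the presentation or
from any organisation named on it. The record layout, the origin tags, the
format_version key and the sample values are assumptions made for the example.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Each field is tagged with how the controller obtained it. "provided" and
# "observed" are the two kinds the Article 20 slides bring into scope;
# "inferred" covers inferred and derived data, which the slides exclude.
PROVIDED, OBSERVED, INFERRED = "provided", "observed", "inferred"
PORTABLE_ORIGINS = {PROVIDED, OBSERVED}

# Constructed sample record for one data subject (not real data).
SAMPLE_RECORD = {
    "user_id": "u-1001",
    "fields": [
        {"name": "email", "value": "alice@example.com", "origin": PROVIDED},
        {"name": "display_name", "value": "Alice", "origin": PROVIDED},
        {"name": "playlist", "value": ["song-17", "song-42"], "origin": OBSERVED},
        {"name": "purchase_history", "value": ["sku-9", "sku-12"], "origin": OBSERVED},
        {"name": "churn_risk_score", "value": 0.83, "origin": INFERRED},
        {"name": "marketing_segment", "value": "high-value", "origin": INFERRED},
    ],
}


def select_portable_fields(record):
    """Keep only provided and observed fields.

    Inferred or derived values (scores, segments) are dropped here; the subject
    may still see them through an access request, but portability is narrower.
    """
    return [f for f in record["fields"] if f["origin"] in PORTABLE_ORIGINS]


def to_json_export(record, exported_at=None):
    """Structured, commonly used, machine-readable: JSON with stable, sorted keys."""
    if exported_at is None:
        exported_at = datetime.now(timezone.utc).isoformat()
    payload = {
        "format_version": "1",  # assumed key: lets a receiver detect layout changes
        "subject_id": record["user_id"],
        "exported_at": exported_at,
        "data": {f["name"]: f["value"] for f in select_portable_fields(record)},
    }
    return json.dumps(payload, indent=2, sort_keys=True)


def to_csv_export(record):
    """Flat two-column CSV for spreadsheet-style consumers.

    Multi-valued fields are JSON-encoded inside the cell, so the file stays a
    valid table that any csv reader can parse without a custom parser.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["field", "value"])
    for f in select_portable_fields(record):
        writer.writerow([f["name"], json.dumps(f["value"])])
    return buf.getvalue()


def parse_csv_export(text):
    """What a receiving controller would do: read the CSV back into a dict."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["field"]: json.loads(row["value"]) for row in reader}


def round_trips(record):
    """True if both exports can be re-read by a program with no manual step
    and contain exactly the portable subset of the record."""
    expected = {f["name"]: f["value"] for f in select_portable_fields(record)}
    as_json = json.loads(to_json_export(record))["data"]
    as_csv = parse_csv_export(to_csv_export(record))
    return as_json == expected and as_csv == expected


if __name__ == "__main__":
    print(to_json_export(SAMPLE_RECORD))
    print(to_csv_export(SAMPLE_RECORD))
    print("machine-readable round trip:", round_trips(SAMPLE_RECORD))
```

The `origin` tag is the operational piece a data inventory has to supply: without knowing whether a field was provided, observed or inferred, the export routine cannot tell what the portability request covers, which is why the slides tie locating and mapping data to the format question.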
Recommend
More recommend