Do we need more particularized data privacy rights for U.S. citizens?

In a first this year late June, California passed A.B. 375, the California Consumer Privacy Act of 2018, a sweeping piece of legislation that, on its face, grants California residents data privacy rights that have never before been granted in the United States.

california-data-privacy-lawsIn late June, California passed A.B. 375, the California Consumer Privacy Act of 2018, a sweeping piece of legislation that, on its face, grants California residents data privacy rights that have never before been granted in the United States.

The law was driven by recent privacy scandals and the political pressure of a potential privacy rights ballot initiative that advocates agreed to drop in lieu of the passage of A.B. 375. Even more than the practical implications of the law, its passage spurred additional public debate that could lead to federal data privacy legislation and more particularized data privacy rights for U.S. citizens.

Generally, A.B. 375 allows consumers (defined as natural persons who are California residents) to demand access to all of the personal information that a company has collected relating to them, along with a full list of third parties with which the company has shared that data. In addition, the law allows consumers to sue companies – including through class actions – if they violate its privacy guidelines.

The law applies to for-profit companies that collect consumers’ personal information, conduct business in California, and fall into one of three categories:

  1. Realize gross revenues in excess of $25 million.
  2. Receive or disclose the personal information of 50,000 or more consumers, households or devices annually, or
  3. Receive 50 percent or more of annual revenues from selling consumers’ personal information. Additional provisions bring corporate affiliates of these companies if they share branding.

A.B. 375 grants consumers four categories of privacy rights.

First, the right to know what personal information a business has collected about them, including the source of that information, what is being done with it, and with whom it is being shared.

Second, the right to “opt out” of a company being permitted to sell their personal information to third parties.

Third, the right to request the deletion of their personal information. And fourth, the right to not be discriminated against if they exercise their data privacy rights.

Interestingly, however, A.B. 375 opens the door to allowing companies to pay consumers for the right to share their data by permitting, under certain circumstances, the granting of a different price to a consumer related to the value of that consumer’s data.

For the purposes of this law, “personal information” is defined broadly, including any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household. But A.B. 375 does exclude information that is properly made available by federal, state, or local records provided that such information is used for a purpose compatible with the purpose for which it is maintained. A.B. 375 also carves out de-identified personal data (i.e., anonymized data) and aggregate data (both of which are narrowly defined).

The law does not come into effect until January 1, 2020, and numerous companies and lobbyists will be proposing amendments that could narrow its scope and impact. Companies that deal in consumer data – including retailers, internet service providers, and other web-based companies – will be working to scale back to privacy rights set forth in A.B. 375 based on the costly nature of compliance.

The state attorney general will also work with public stakeholders to develop a particularized compliance framework for impacted companies to work toward in the coming 16 months. But even a curtailed version of A.B. 375 is likely to require significant privacy policy changes for companies falling within its reach.

Perhaps most importantly, the passage of A.B. 375 coincides with increasing public and political acknowledgement of the need to better protect personal data. The week before it was signed into law, the Supreme Court issued its decision in Carpenter v. United States, 585 U.S. ___ (2018), holding (in a Fourth Amendment context) that an individual has a reasonable expectation of privacy in his geolocation data, despite that data being collected and held by cell phone companies.

Since June, many federal lawmakers ramped up efforts to draft and pass data privacy bills that address the manners in which companies collect, maintain, and use personal information. Seehttps://www.axios.com/congress-eyeing-national-privacy-rules-in-wake-of-california-law-d79c94b3-52e2-4ac2-846a-089d454d1905.html.

For now, companies impacted by A.B. 375 should be crafting draft privacy policies and procedures that would allow them to comply with the current iteration of the law. At the same time, they should follow proposed amendments to the law, raise issues with the California legislature if they unearth cost or logistical difficulties in their early compliance efforts, and keep an eye on Congress’ efforts on the same topic.

 

Courtesy: John C. Eustice

John C. Eustice is a member at the law firm Miller & Chevalier, chartered in Washington, D.C.
Advertisements

Are you making the most of your mainframe data?

Mainframe data is big data!

Data Quality Matters

When most people think of legacy software, we think of software that is outdated and due for replacement.

Yet, an alternative definition of legacy, particularly when it comes to mainframe application, is, simply, software that works.

This is a definition that our partner, Syncsort, is proud of. The legacy DMX Sort product has been helping customers to reduce the cost of running their mainframe for decades.

This legacy – the understanding of how to optimally move vast amounts of data – is brought to Syncsort’s line of data integration tools – particularly for moving both logs and data from the IBM mainframe and the IBM i series to advanced analytics platforms like Hadoop and Splunk.

These data integration and change data capture solutions are complemented by the data quality stack, meaning that we don’t just move data efficiently, we ensure its quality as well.

Mainframe data is big data

View original post 155 more words

Data-centric approach to enterprise architecture

Data is the key to taking a measured approach to change, rather than a simple, imprudent reaction to an internal or external stimulus. But it’s not that simple to uncover the right insights in real time, and how your technology is built can have a very real impact on data discovery. Data architecture and enterprise architecture are linked in responding to change, while limiting unintended consequences. DBTA recently held a webcast featuring Donald Soulsby, vice president of Architecture Strategies at Sandhill Consultants, and Jeffrey Giles, principal architect at Sandhill Consultants, who discussed a data-centric approach to enterprise architecture. Sandhill Consultants is a group of people, products and processes that help clients build comprehensive data architectures resulting from a persistent data management process founded on a robust Data governance practice, producing trusted, reliable, data, according to Soulsby and Giles. A good architecture for data solutions includes: RISK MANAGEMENT Strategic Regulatory Media Consumer COMPLIANCE Statutory Supervising Body Watchdog Commercial Value Chain Professional Enterprise architecture frameworks start with risk management as its building blocks, Soulsby and Giles said. A typical model asks what, how, where, when, and who. A unified architectural approach asks what, how, where, when, who and why. This type of solution is offered by Erwin and is called Enterprise Architecture Prime 6. According to Soulsby and Giles, the platform can achieve compliance, either regulatory or value chain; can limit unintended consequences; and has risk management for classification, valuation, detection and mitigation. erwin and Sandhill Consultants offerings will provide a holistic view to governing architectures from an enterprise perspective. This set of solutions provides a strong Data Foundation across the Enterprise to understand the Impact of Change and to reduce Risk and achieve Compliance, Solusby and Giles said. An archived on-demand replay of this webinar is available here.

via The Building Blocks of Great Enterprise Architecture for Uncovering Data — Architectural CAD Drawings

Who is a Data Subject in GDPR

Who is a data subject in GDPR? – An identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. #AbhiSrivastava#GDPRArticle4#GDPR#DataSubject

Untitled design

Three kinds of a MDM Data Model that comes with a tool

Differences in an off-the-shelf model, a buildable model and a dynamic model, when buying MDM solution from a vendor. #AbhiSrivastava, #MDM, #MDMDataModel

Liliendahl.com

Master Data Management (MDM) is a lot about data modelling. When you buy a MDM tool it will have some implications for your data model. Here are three kinds of data models that may come with a tool:

An off-the-shelf model

This kind is particularly popular with customer and other party master data models. Core party data are pretty much the same to every company. We have national identification numbers, names, addresses, phone numbers and that kind of stuff where you do not have to reinvent the wheel.

Also, you will have access to rich reference data with a model such as address directories (which you may regard as belonging to a separate location domain), business directories (as for example the Dun & Bradstreet Worldbase) and in some countries citizen directories as well. MDM tools may come with a model shaped for these sources.

Tools which are optimized for data…

View original post 185 more words

GDPR: PII Data vs. Personal data

b8218ceb-2e27-4405-88eb-541da0d8237c

The European Union’s new General Data Protection Regulation (GDPR), which goes into full effect in May 2018, significantly strengthens the data privacy rights of consumers and the requirements on companies that solicit and retain customer identities. Positive part about GDPR is that companies cannot hide, and It applies to all companies anywhere in the world those do business in Europe and/or retain EU citizen’s data.

The US-based Personally identifiable information (PII) and the European concept of Personal Data make up a critical demarcation line related to data types and privacy consequences. To get compliant with GDPR, one has to understand the difference between the way two-legal systems approach the concept of personal information and its meaning in the context they are used. PII is any data that could potentially identify a specific individual. Any information that can distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

PII, or SPI (sensitive personal information), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. PII term is used in US context that is created on the basis of commonly used US law. Examples of PII data–full name, maiden name, social security number, phone number, email address, asset information, owned properties etc. Little variation may be observed from states to states.

Personal Data is defined in the EU Directive 95/46/EC and it covers much wider range of information that may include transaction history, social media posts, photographs and other data that relates to an individual or identifiable person, directly or indirectly. Personal data term applies to all 28 EU states of European Economic Area (EEA). The concept reflects European law maker’s intention to bring the concept of privacy as a fundamental human right and draw the accountability of handling this sensitive data by business.

We can say all PII data is personal data but not all personal data is PII data. It is important that data and IT architects along with Data Protection Officer (DPO) consider personal data beyond the narrow scope of PII, especially US based companies, to build a successful GDPR compliance program.

GDPR Data Portability and Master Data Sharing

The title of this blog caught my attention for it talks about data portability between competitors. Yes….This scenario is not very far when competitors will share the customer profiles…may be via DaaS (Data as a service). Henrik calls it another “Sunny side of GDPR”. #AbhiSrivastava, #GDPR, #DataArchitecture, #DataPortability

Liliendahl.com

PortabilityOne of the controversial principles in the upcoming EU GDPR enforcement is the concept of data portability.

In legal lingo data portability means: “Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.”

In other words, if you are processing personal data provided by a (prospective) customer or other kind of end user of your products and services, you must be able hand these data over to your competitor.

I am sure, this is a new way of handling party master data to almost every business. However, sharing master…

View original post 40 more words