Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability (PowerPoint presentation)



SLIDE 1

April 4, 2019

Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability

K Royal, Director, Consulting, TrustArc Margaret Gloeckle, Privacy & Compliance Counsel, A+E Networks Debra Bromson, Assistant General Counsel, AAA Club Alliance Victoria E. Beckman, Partner, Frost Brown Todd

SLIDE 2

Your Speakers

  • Victoria Beckman, Partner, Frost Brown Todd
  • Debra Bromson, Asst. General Counsel, AAA Club Alliance
  • Margaret Gloeckle, VP, Privacy & Compliance Counsel, A+E Networks
  • K Royal, Director, Consulting, TrustArc

SLIDE 3

Knowledge is Power and Portable: An In-Depth Look at the Right to Data Portability

  • Introduction to Data Portability
  • Laws on Data Portability
  • Enforcement
  • Considerations
  • IP Rights
  • Operational Impact
  • Impact to Individuals
  • Questions
SLIDE 4

Introduction

SLIDE 5

Data Portability

Why do we care?

SLIDE 6

What is it?

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

SLIDE 7

What is it?

Data portability is closely related to but differs from the right of access in many ways. It allows data subjects to receive the personal data which they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.

SLIDE 8

What is it?

Themes: Control, Empower, Choice

SLIDE 9

What is it?

How the different laws describe the required format:

  • CCPA: exported in a user-friendly, readable format
  • Proposed WPA: structured, commonly used, and machine-readable format
  • PDPO (Hong Kong): "… as far as practicable, be: (i) intelligible; (ii) readily comprehensible; (iii) in an appropriate language and (iv) in a form specified in the request (or in such form as the data user thinks fit if not specified)." This right might therefore be used to ask for data in a portable format.
  • GDPR: structured, commonly used and machine-readable format

SLIDE 10

Laws on Data Portability

SLIDE 11

Recent Movement

United States:

  • Recent US State Law – California (CCPA)
  • Proposed US State Laws: Washington (WPA – SB5376), Maryland (SB0613), New Mexico (CIPA – SB 176), Rhode Island (S 0234), Hawaii (S.B. 418), Massachusetts (SD 341)

EU: GDPR & UK

Asia: Hong Kong (PDPO)

Proposed Laws:

  • Singapore (February 25, 2019 – proposed amendment to PDPA)
  • Australia – Treasury Laws Amendment (Consumer Data Right) Bill 2019
SLIDE 12

GDPR – Article 20: what it is

  • Article 20 of the GDPR creates a new right to data portability, to allow greater control over personal data and allow transfer to another data controller.
  • This applies to processing operations based on the data subject's consent or on a contract to which the data subject is a party.
  • Right to receive a subset of personal data provided by the data subject and processed by the data controller.
    – Includes observed data by virtue of the data subject's use of the service or device
    – E.g. music playlist, contact list from a webmail application, purchases through a loyalty card
    – Does not include "inferred data" and "derived data"
  • If a data processor is processing the data requested, then that data processor is obligated to assist the controller to respond to the request.

SLIDE 13

GDPR – Article 20: what it is not

  • Right to transmit personal data on request, where technically feasible
    – Must be done in a safe and secure manner; but no obligation to check and verify the quality of the data
    – Sending data controller is not responsible for compliance by the receiving data controller with data protection laws.
  • Data controller does not have the obligation to retain the personal data longer than is necessary or beyond the specified retention period.
  • Receiving data controllers are not obliged to accept and process such personal data.
    – They would need to comply with GDPR, so this could mean they say no...
  • Data portability cannot be used as a way to delay or refuse erasure of data.
  • Not the purchased content itself, but the list of what was purchased, favorites, etc.
SLIDE 14

CCPA

  • Consumers have a right to request that businesses disclose, in portable electronic format, for the prior (look back) 12 month period:
    – The categories of PI collected about the consumer;
    – The categories of sources of such PI;
    – Purpose for collection or sale of PI;
    – Categories of third parties that the business shares PI with; and
    – Specific pieces of PI the business has collected.
  • California requires a response within 45 days (vs. GDPR 1 month)
SLIDE 15

Laws like GDPR

Washington (SB5376): Controller must provide to the consumer, if technically feasible and commercially reasonable, any personal data that the controller maintains in identifiable form concerning the consumer . . . in a structured, commonly used, and machine-readable format. Time Frame: Within 30 days of receiving verified request.

SLIDE 16

Laws like GDPR

New Mexico (SB 176) – Hawaii (SB 418)

  • Consumers have a right to request that businesses disclose, by mail or electronically, for the prior 12 month period:
    – The categories of PI collected about the consumer;
    – The categories of sources of such PI;
    – Purpose for collection or sale of PI;
    – Categories of third parties that the business shares PI with; and
    – Specific pieces of PI the business has collected.
  • Response within 45 days
  • If electronically (New Mexico): to the extent technically feasible and as established by the office of the attorney general by rule, in a format that allows the consumer to transmit the information to another entity without hindrance.

SLIDE 17

Other U.S. State Laws like GDPR

  • Maryland (SB 613)
  • Massachusetts (S.120)
  • Rhode Island (2019- S 0234)
SLIDE 18

Laws like GDPR

  • Philippines: Data subject shall have the right to obtain from the controller a copy of data undergoing processing in an electronic or structured format which is commonly used and allows for further use by the data subject.
  • Hong Kong: A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate. Unlike GDPR, the right is not limited to data provided based on data subjects' consent.
  • Brazil (Art 18(V)): Allows data subject to request entire copy of their data to be provided in an interoperable format.

SLIDE 19

Other Laws

  • Laws with a concept but not actually data portability
  • Laws that could "block" data portability from being allowed
    – GLBA: prohibits financial institutions from sharing account numbers or similar access numbers or codes for marketing purposes. This applies even when a consumer or customer has not opted-out of the disclosure of Non-public personal information concerning their account.
    – HIPAA: What consents need to be obtained before the disclosure of this information would be permitted—written consents with details?
  • How do you deal with "overlaps" from laws? Consider:
    – If you have to send it from the EU to the US—what would be required?
    – If you are requested to send it to someone in the EU—but you DON'T comply with GDPR, is this an issue?

SLIDE 20

Enforcement

SLIDE 21

Penalties

  • Equitable
    – Suspension of data flows (GDPR Article 58 2(j))
    – Injunctive relief (CCPA)
  • Legal
    – GDPR: Administrative fines up to 4% of annual worldwide turnover
    – CCPA: $2,500 per violation, or $7,500 per intentional violation.

SLIDE 22

Enforcement Action

Private Right of Action

  • CCPA (*amendment SB561)
    – Statutory damages of $100-$750 "per consumer per incident" or actual damages, whichever is greater.

SLIDE 23

Considerations

SLIDE 24

Operational Impact

SLIDE 25

IP Rights

  • Inherent conflict between portability and IP rights or concerns.
  • Content: music, books, movies
    – NOT content the data subject provided
  • Other examples: genealogy, calculations, employees
SLIDE 26

Locating Data: How do you find your data?

  • Interviews
  • Data Inventory
  • Data Mapping
  • Ongoing process

SLIDE 27

Data Format

  • Structured Data: data that resides in a fixed field within a record or file. This includes data contained in relational databases and spreadsheets.
  • Unstructured Data: datasets (typically large collections of files) that aren't stored in a structured database format.
    – Examples: document collections, including e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages and many other kinds of business documents

SLIDE 28

Machine Readable

  • Machine-readable data is data which can be read and interpreted by a computer program without the need for manual human intervention.
  • The data is structured in a simple and consistent open data format that permits easy interrogation by computer code and does not require the purchase of a specific piece of software or operating system in order to access.
SLIDE 29

Format

  • Financial reports and statistics – CSV (JSON and XML may be acceptable).
  • Textual Data – reports and publications: HTML, plain text (.txt) or accessible PDFs
    – Traditional word processing documents and portable document format (PDF) files are easily read by humans but typically are difficult for machines to interpret.
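As an added example (not from the slides), here is one way a controller could model the Article 20 subset rule from slide 12 together with the format guidance of slides 28 and 29: each stored field carries a provenance tag, only provided and observed data is exported, and the result is written as JSON and CSV. The provenance tags, field names and sample record are assumptions, not anything a particular regulator or product defines.

```python
import csv
import io
import json

# Assumed provenance tags. Per the slides, the portable subset is data the
# subject provided plus data observed from their use of the service; inferred
# and derived data (e.g. scores, predicted interests) are out of scope.
PORTABLE_PROVENANCE = {"provided", "observed"}

# Constructed sample record: each field carries its value and a provenance tag.
SAMPLE_RECORD = {
    "email":             {"value": "alice@example.invalid", "provenance": "provided"},
    "display_name":      {"value": "Alice",                 "provenance": "provided"},
    "playlist":          {"value": ["Track A", "Track B"],  "provenance": "observed"},
    "loyalty_purchases": {"value": ["SKU-1", "SKU-2"],      "provenance": "observed"},
    "credit_score_band": {"value": "B",                     "provenance": "derived"},
    "likely_interests":  {"value": ["jazz"],                "provenance": "inferred"},
}


def portable_subset(record):
    """Keep only fields whose provenance is 'provided' or 'observed'."""
    return {name: field["value"] for name, field in record.items()
            if field["provenance"] in PORTABLE_PROVENANCE}


def to_json(subset):
    """Structured, commonly used, machine-readable output: JSON, keys sorted
    so repeated exports of the same data are byte-for-byte comparable."""
    return json.dumps(subset, indent=2, sort_keys=True)


def to_csv(subset):
    """Flat CSV view (one row per field) for tooling that expects tables;
    list values are joined with ';' so each field stays on one row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for name in sorted(subset):
        value = subset[name]
        writer.writerow([name, ";".join(value) if isinstance(value, list) else value])
    return buf.getvalue()


if __name__ == "__main__":
    # Release of the export would still follow request verification and a
    # secure transfer channel, which the slides list as separate obligations.
    print(to_json(portable_subset(SAMPLE_RECORD)))
    print(to_csv(portable_subset(SAMPLE_RECORD)))
```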

SLIDE 30

Other Considerations

  • Data Accessibility
    – Portal, file, API
  • Protecting the rights and freedoms of other data subjects (Article 20(4)).
    – The new data controller cannot use that data for their own purposes, such as:
      • marketing products or services,
      • enriching profiles of the third parties,
      • retrieving data of third parties and creating specific profiles.

SLIDE 31

Operational Challenges

  • What system will your company use to do this?
    – Need to protect the transfer of the PI
    – Verification of request/data—could be key regarding "stealing of data and sending it to the criminal"
  • How will you find the data requested to be transferred?
  • How will you interact with the recipient of the data?
    – What if they are a competitor?
  • Maintenance of records of requests
  • Right to be forgotten: Will you need to notify the companies you previously transferred the PI to if the person asks for deletion?

SLIDE 32

Impact to Individuals

  • Will companies do this for all individuals, or only those covered by applicable laws?
  • What risks does this give the individual?
    – Data breach risks?
    – Will this expose them to unexpected uses of their personal information?
    – Will this impact their relationship with the controller if they request the data to go to a competitor?

Note: Data portability does not automatically trigger the erasure of the data or affect the original data retention period. The data subject would have to exercise their right of erasure as long as the controller is still processing the data.

SLIDE 33

KEY TAKEAWAYS

SLIDE 34

Resources

  • www.Dlatdataprotection.com
  • www.iclg.com
  • https://www.linklaters.com/
  • https://www.fbttechblog.com/california-consumer-privacy-act-ccpa-flowchart
  • https://www.fbttechblog.com/california-consumer-privacy-act-checklist
  • https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=61123
  • https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

SLIDE 35

Questions + Contact

  • Victoria Beckman, Partner, Frost Brown Todd – vbeckman@fbtlaw.com
  • Debra Bromson, Asst. General Counsel, AAA Club Alliance – DBromson@aaamidatlantic.com
  • Margaret Gloeckle, Privacy & Compliance Counsel, A+E Networks – margaret.Gloeckle@aenetworks.com
  • K Royal, Director, Consulting, TrustArc – kroyal@trustarc.com