1. Munich, May 2019
The Ripple Effect of GDPR in North America: What's Ahead of us with CxPA?
2. Munich, May 2019
To keep in touch:
https://twitter.com/IdentityMonk
https://ca.linkedin.com/in/jflombardo
14 years of expertise in Data Protection
40+ projects establishing trusted ecosystems:
▪ Strong Authentication,
▪ Identity Management,
▪ Access Governance,
▪ Information Protection.
Security specialist @ EXFO, R&D
3. Welcome
I consent
First you need some information about my presentation:
▪ This presentation is brought to you by me.
▪ It does not represent the views of my past/present employers.
▪ It does not represent the views of past/present associations I am/was a part of.
▪ Any legislative citation comes from the public repository of the legal frameworks.
▪ Anything else is cited if not from me.
• CaCPA: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
• CDPA: https://www.wyden.senate.gov/imo/media/doc/Wyden Privacy Bill Discussion Draft Nov 1.pdf
• Vermont's Act 171: https://ago.vermont.gov/wp-content/uploads/2018/12/2018-12-11-VT-Data-Broker-Regulation-Guidance.pdf
• GDPR: https://gdpr.eu/tag/gdpr/
4. 2017 was: Be ready for ripples
▪ GDPR is just a first step…
▪ Russia Data Privacy Laws are operational
▪ Australia Data Privacy Laws are operational
▪ <Insert your country> Data Laws are coming
▪ China Data Privacy Laws are drafted
5. (*) If you want to build a ship, don't drum up the men to gather wood, divide the work and give orders. Instead, teach them to yearn for the vast and endless sea.
—Antoine de Saint-Exupéry
If you want to build a Digital Economy, don't drum up the men to write code, do it Agile and SCRUM. Instead, teach them to yearn for the secure by design and privacy by default benefits.
—Some inspired* Privacy Practitioner
6.
▪ As the regulation dates back to 2010, enforcement started with a first phase covering banks in 2019. Telcos will be next.
▪ Rapidly growing its cybersecurity law framework, it officially covers eCommerce since January 1st 2019.
▪ Re-establishing rulings from 2014, the GDPR enactment saw more stringent controls from the Russian Federation.
▪ Growing on top of GDPR, the EU is looking at guidelines on GDPR's territorial scope, guidance on certifications and cross-border transfers, and regulations on non-personal data.
7. In the meantime, in the US… things were more complicated
8. My team will get back to you
▪ Senator Ron Wyden (Oregon) and his bill for the "Consumer Data Protection Act"
▪ 2018's "California Consumer Privacy Act", enforceable on January 1st 2020
▪ Vermont's Act 171 of 2018 on Data Broker Regulation
9. What defines personal data? (compared across CDPA, CaCPA and GDPR)
▪ Household data
▪ Names
▪ Race
▪ Color
▪ National origin
▪ Religion
▪ Trade union membership
▪ Genetic data
▪ Biometric data
▪ Health
▪ Gender
▪ Gender history
▪ Sexuality
▪ Criminal convictions
▪ Arrests
▪ Identification number (permanent or transient)
▪ Location data (physical, but also transient like GPS)
▪ Online activity (IP address, cookie, etc.)
▪ Inferred information that can reasonably identify
▪ History of purchased goods or services
▪ Employment data
▪ Audio, electronic, visual, thermal, or olfactory information
▪ Children
▪ Legal persons
▪ Deceased persons
▪ Education data
▪ Publicly available information
▪ Reidentifiable data
11. Which Org must comply?
▪ GDPR: any Org that controls and/or processes data of protected subjects.
▪ CDPA: a person, partnership or corporation under the Federal Trade Commission's jurisdiction that had a 3-year gross revenue of at least 50 000 000$ and holds PII concerning 1 000 000+ data subjects.
▪ CaCPA: for-profit entities that meet any one of: an annual gross revenue of at least 25 000 000$; 50% or more of annual revenue derived from selling PII; PII concerning 50 000+ data subjects.
12. Which Operations are controlled? (compared across CDPA, CaCPA and GDPR)
▪ Data selling
▪ Data processing
▪ Explicit data processing
▪ Non-automated processing
▪ Sharing with 3rd party
▪ Inferred data processing
▪ High-risk automated decision system
▪ Lease / rental
CaCPA does not regulate data sharing following an opt-out, or when the sharing is a natural requirement for the product/service to be delivered.
GDPR and CDPA recognize exceptions for some organizations: those with no profit-oriented business that are not a data broker / commercial entity, and historical or statistical oriented entities.
13. Who are the concerned actors? (compared across CDPA, CaCPA and GDPR)
Equivalent roles (GDPR / CaCPA):
▪ Data Controller / For-profit business
▪ Data Processor / Service Provider
▪ State Privacy Agency / Ca Attorney General
▪ GDPR: DPO
▪ CaCPA: Consumer Privacy Fund
▪ CDPA: Covered Entity, Federal Trade Commission
Also named: Executive Capacity, Third Party
14. How to manage consent? (compared across CDPA, CaCPA and GDPR)
▪ Opt-out by default; must propose a simple, understandable, enlightened consent collection [renewed every 6 months]
▪ Opt-out by default; must propose a simple, understandable, enlightened consent collection [renewed every 2 years]
▪ Opt-in by default; must propose opt-out [but only for selling of data]
15. Is documentation mandatory? (compared across CDPA, CaCPA and GDPR)
▪ Data processing must be described and assessed in terms of risks and impacts (required by two of the three frameworks).
▪ Data processing must be explained to the data subject.
▪ No data processing documentation is explicitly required, but data processing events must be logged.
16. Is there a right to data export?
▪ Data can be exported upon a subject request.
▪ Data should be humanly readable and portable.
Export shall be done within:
▪ CaCPA: 45-90 days
▪ GDPR: 30-90 days
▪ CDPA: 30 days
Export is:
▪ CaCPA: free, max twice/year, 365 days of history, limited to the Controller
▪ GDPR: potentially free, unlimited
▪ CDPA: free, unlimited
17. What about the right to be forgotten?
▪ Data must be erased upon request of the data subject (CaCPA, GDPR).
▪ Controller must govern the global erasure process (CaCPA, GDPR).
▪ Controller must comply within:
  CaCPA: 45-90 days
  GDPR: 30-90 days
  CDPA: 0 (new) to 30 (existing) days
▪ Erasure shall be free of charge (CaCPA, GDPR).
18. Is breach notification mandatory?
▪ GDPR: under 72 hours after detection
▪ CDPA: through the annual reporting to the FTC
▪ CaCPA: such requirements are not covered by CaCPA but by the Ca Civil Code
19. How much for a penalty?
▪ GDPR: depending on the violation, up to 2% of global annual turnover or 10M€, or up to 4% of global annual turnover or 20M€ (whichever is higher)
▪ CDPA: 50 000$ for each violation as a sum, or 4% of the annual gross revenue
▪ CaCPA: 2 500$ for each violation, 7 500$ for each intentional violation
20. Some specificities of CaCPA
▪ Subject has a right to equal service and price even if opting out.
▪ Anonymization / de-identification of the data is not mandatory if reidentification mechanisms are in place.
▪ Child data processed by a Controller without its knowledge is covered by an exception.
▪ Processors must notify the Data Subject if they sell their data.
21. Some specificities of CDPA
▪ Explicitly targets machine learning / artificial intelligence processing.
▪ Looks ahead by treating assets as covered as soon as they represent a high risk to the privacy or security of PII.
▪ Enforces the publication of an annual report to the FTC for all covered entities.
▪ Enforces criminal penalties for the signatory of the report (CIO, CISO, CTO and/or CFO): up to 5 000 000$ or 25% of the salary over the last 3 years.
22. Even if there will be specificities to deal with:
▪ This will also ease the complexity of the US market until a Federal law emerges.
▪ DPO is a great role that should be a part of every Organization, under GDPR scope or not.
▪ Being compliant with GDPR is always a helper for new privacy regulations.
▪ Assume the most stringent requirements to ease your global compliance.
▪ CIO, CISO, CTO and CFO won't be able to exonerate themselves from the compliance process.
23. CDPA is still a Draft that has a long way to go to reach the federal scope it aims at.
CaCPA is challenged by the GAFA, ingesting amendments that undermine its initial purpose.