Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
•
0 likes•50 views
What is coming after GDPR in the US? a take on CCPA and CDPA and how it scores/hits vs GDPR
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Similar to Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430 (20)
More from Jean-François LOMBARDO
More from Jean-François LOMBARDO (10)
Recently uploaded
Recently uploaded (20)
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
- 1. Munich, May 2019 The Ripple Effect of GDPR in North America: What’s Ahead of us with CxPA?
- 2. Munich, May 2019 The Ripple Effect of GDPR in North America: What’s Ahead of us with CxPA? To keep in touch: https://twitter.com/IdentityMonk https://ca.linkedin.com/in/jflombardo Or as a member of: 14 years of expertise in Data Protection 40+ projects establishing trusted ecosystems: ▪ Strong Authentication, ▪ Identity Management, ▪ Access Governance, ▪ Information Protection. Security specialist @ , R&D
- 3. Welcome I consent First you need some information about my presentation: This presentation is brought to you by me It does not represent the views of my past/present employers It does not represent the views of past/present associations I’m/was a part of Any legislative citation come from the public repository of the legal frameworks Anything else is cited if not from me. • CaCPA: https://leginfo.legislature.ca.go v/faces/billTextClient.xhtml?bill _id=201720180AB375 • CDPA: https://www.wyden.senate.gov /imo/media/doc/Wyden Privacy Bill Discussion Draft Nov 1.pdf • Vermont’s Act 171: https://ago.vermont.gov/wp- content/uploads/2018/12/2018 -12-11-VT-Data-Broker- Regulation-Guidance.pdf • GDPR: https://gdpr.eu/tag/gdpr/
- 4. 2017 was: Be ready for ripples GDPR is just a first step… Russia Data Privacy Laws are operational Australia Data Privacy Laws are operational <Insert your country> Data Laws are coming China Data Privacy Laws are drafted
- 5. (*) If you want to build a ship, don’t drum up the men to gather wood, divide the work and give orders. Instead, teach them to yearn for the vast and endless sea. —Antoine de Saint-Exupéry If you want to build Digital Economy, don't drum up the men to write code, do it Agile and SCRUM. Instead, teach them to yearn for the secure by design and privacy by default benefits. —Some inspired* Privacy Practitioner
- 6. As regulation dated back from 2010, enforcement started for a 1st phase with Banks in 2019. Telcos will be next. Rapidly growing its cybersecurity law framework, it officially covers eCommerce since January 1st 2019 Reestablishing ruling from 2014, GDPR enactment saw the more stringent controls from the Russian Federation Growing on top of GDPR, EU is looking at guidelines on GDPR’s territorial scope, guidance on certifications and cross border transfers, and regulations on non-personal data
- 7. In the meantime, in the US… things were more complicated As regulation dated back from 2010, enforcement started for a 1st phase with Banks in 2019. Telcos will be next. Rapidly growing its cybersecurity law framework, it officially covers eCommerce since January 1st 2019 Reestablishing ruling from 2014, GDPR enactment saw the more stringent controls from the Russian Federation Growing on top of GDPR, EU is looking at guidelines on GDPR’s territorial scope, guidance on certifications and cross border transfers, and regulations on non-personal data
- 8. My team will get back to you Senator Ron Wyden (Oregon) and his bill for “Consumer Data Protection Act” [I want to know more] 2018’s “California Consumer Privacy Act” enforceable on January 1st 2020 [I want to know more] Vermont’s Act 171 of 2018 on Data Broker Regulation [I want to know more] Getty images
- 9. CDPA CaCPA GDPR What defines personal data? Household data Names Race Color National Origin Religion Trade union membership Genetic Data Biometric data Health Gender Gender History Sexuality Criminal convictions Arrests Identification number (permanent or transient) Location data physical but also transient like GPS) Online activity (IP address, cookie, etc.) Inferred information that can reasonably identify History of purchased goods or services Employment Data Audio, electronic, visual, thermal. olfactory information ChildrenLegal Persons Deceased Persons Education Data Publicly available information Reidentifiable data
- 10. CDPACaCPA GDPR European resident Any individual consumer or device People and Households resident of the state of California Which data subject is concerned?
- 11. Which Org must comply? Any Org that Controls and/or Processes of protected subjects A person, partnership, corporation under the Federal Trade Commission, that had a 3 year gross revenue of at least 50 000 000$, PII that concerns 1 000 000+ data subjects For profit entities that has at least an annual gross revenue of 25 000 000$, does 50% of it from PII selling, PII that concerns 50 000+ data subjects CDPACaCPA GDPR
- 12. Which Operations are controlled? CDPA CaCPA GDPR Data Selling Data Processing Explicit Data Processing Non automated Processing Non automated Processing Sharing with 3rd party CaCPA does not regulate data sharing following an opt-out or if a natural requirement for the product/service to be delivered GDPR and CDPA recognize exceptions for some organizations: with no profit oriented business, nor being a data broker / commercial entity Historical, statistical oriented entities Inferred Data Processing High risk automated decision system Lease/ rental
- 13. Who are the concerned actors? Data ControllerFor profit business Data ProcessorA Service Provider State Privacy AgencyCa Attorney General DPO Consumer Privacy Fund Federal Trade Commission Executive Capacity Third Party Covered Entity CDPACaCPA GDPR
- 14. How to manage consent? Is Opt-out by default, and must propose a simple, understandable, enlightened consent collection [renewed every 6 months] Is Opt-out by default, and must propose a simple, understandable, enlightened consent collection [renewed every 2 years] Is Opt-in by default, and must propose Opt-out [but only for selling of data] CDPACaCPA GDPR
- 15. Is documentation mandatory? Data Processing must be described and assessed in terms of risks and impacts. Data Processing must be explained to the Data Subject Data Processing must be described and assessed in terms of risks and impacts. No Data Processing documentation is explicitly required, but data processing events must be logged CDPACaCPA GDPR
- 16. Is there a right to data export? Data can be exported upon a subject request Data should be humanly readable and portable Export is… Export shall be done under: CaCPA: 45-90 days GDPR: 30-90 days CDPA: 30 days CaCPA: free, max twice/year, 365 days history, limited to Controller GDPR: potentially free, unlimited CDPA: free, unlimited CaCPA GDPRCDPA CaCPA GDPRCDPA
- 17. What about the right to be forgotten? Data must be erased upon request of the data subject Controller must govern the global erasure process Controller must comply within CaCPA GDPR CaCPA: 45-90 days GDPR: 30-90 days CDPA: 0(new)-30(existing) days Erasure shall be free of charge CaCPA GDPR CaCPA GDPR
- 18. Is breach notification mandatory? Under 72 hours after detection Through the Annual reporting to the FTC Such requirements are not covered by CaCPA but Ca Civil code CDPACaCPA GDPR
- 19. Depending of the violation between 2% global annual turnover/10M€ or between 4% global annual turnover/20M€ 50 000$ for each violation as a sum or 4% of the annual gross revenue 2 500$ for each violation, 7 500$ for each intentional violation How much for a penalty? CDPACaCPA GDPR
- 20. Some specificities of CaCPA Subject has a right to equal service and price even if opting-out Ammonization / Deidentification of the data is not mandatory if reidentification mechanisms are in place Child data processed by Controller without its knowledge is covered by an exception Processors must notify the Data Subject if they sell their data
- 21. Some specificities of CDPA Explicitly targets machine learning/artificial intelligence processing Sees in the future by identifying covered assets as soon as they represent a high risk for the privacy or security of PII Enforces the publication of an annual report to the FTC for all covered entities Enforces criminal penalties for the signee of the report (CIO, CISO, CTO, and/or CFO) up to 5 000 000$ or 25% of the salary over the last 3 years
- 22. Even if there will be specificities to deal with This will also ease the complexity of the US market until a Federal law emerge DPO is a great role that should be a part of every Organization under GDPR scope or not Being Compliant with GDPR is always an helper for new privacy regulations Assume the most stringent requirements to ease your global compliance CIO, CISO, CTO, and CFO won’t be able to exonerate themselves from the compliance process 1 2 3
- 23. CDPA is still a Draft that has a long way to go to reach the federal scope it aims to CaCPA is challenged by the GAFA, ingesting amendments that undermines the initial purpose
- 24. Munich, May 2019 The Ripple Effect of GDPR in North America: What’s Ahead of us with CxPA? 14 years of expertise in Data Protection 40+ projects establishing trusted ecosystems: ▪ Strong Authentication, ▪ Identity Management, ▪ Access Governance, ▪ Information Protection. Security specialist @ EXFO, R&D To keep in touch: https://twitter.com/IdentityMonk https://ca.linkedin.com/in/jflombardo Or as a member of: