International Report 162 out now



Lead story:

New era for US privacy laws: California and more

No US federal privacy law is in sight but keep a close eye on California and rapidly expanding enforcement and litigation risks. By Laura Linkomies.

Contents also include:

  • Comment: Global privacy developments
  • DP is central to Germany’s Facebook competition case
  • Global data protection laws
  • International cooperation grows
  • Albania updates its DP framework
  • Buttarelli’s new vision for Europe
  • Accountability is crucial for privacy
  • US state data breach laws
  • Indonesia clarifies data localization, right to be forgotten
  • Advances in South Asian DP laws
  • Malta’s GDPR-style law in action
  • Where trade goes, so does data: Outlook from BC, Canada
  • EU-US Privacy Shield claim settled
  • EU GDPR’s territorial scope
  • Spain adopts new cookie guidelines
  • Code for digital identities in Africa
  • Russian data localization fines
  • EU DPAs assess EU-US Privacy Shield
  • Wiewiórowski appointed new EDPS
  • EU consults on DP by Design
  • US federal privacy law in Senate
  • New proposal expected on e-Privacy
  • e-Privacy Reg. conflicts with GDPR
  • UN ponders privacy and health data

Publisher's Cover Note

Buttarelli’s Privacy Manifesto: A warning and blueprint for action

The late Giovanni Buttarelli, European Data Protection Supervisor, told me in our last conversation in January, that he was working on his Privacy Manifesto which he expected to publish by the summer. He drafted it with Christian D’Cunha, the Head of his Private Office who, following Giovanni’s death in August, prepared it for publication (p.31). I recommend that all of us working in the privacy field read the Manifesto in full.

Giovanni provided a powerfully argued and coherent analysis, vision and programme to strengthen privacy, drawing on diverse sources across the privacy eco-system, including the work of Professor Graham Greenleaf, PL&B’s Asia-Pacific Editor. Giovanni analysed the forces supporting and opposing privacy values and made the case how attacks on privacy are consistent with threats to democracy, social cohesion and the environment.

An uncomfortable future

He referred to Sidewalk Toronto, a joint venture between Sidewalk Labs, owned by Google’s parent company Alphabet Inc., and Waterfront Toronto, which is developing a high-tech neighbourhood, Quayside, for the city’s eastern waterfront.

On 31 October, engaging with privacy values, an update to the plan was published stating: “Sidewalk Labs reaffirms its commitment to comply with all existing and future privacy legislation, regulations and policy frameworks.” The company states in an FAQ “Sidewalk Labs has committed that it would not sell personal information to third parties or use it for advertising purposes.”

However, in the words of Bianca Wylie, founder of Open Data Institute Toronto, a critic of the smart-city initiative in Toronto, quoted by Giovanni:

When did we as a society say that however we move around in public space — that this is something we want to share and commodify? We need to really think about what it means to have a private company operating in what historically is public space.

Typical questions are: how will the data be collected, used and who will benefit?

Daniel Therrien, the Privacy Commissioner of Canada together with the provincial Privacy Commissioners would like to be better placed to deal with such issues (p.26). Yesterday, 10 December, Therrien submitted his annual report to Parliament, and formally asked the government for stronger legislation and enforcement powers. His aim is quick and effective remedies for people whose privacy rights have been violated, and to help ensure broad and ongoing compliance for organizations. He wants the Privacy Commissioner to make binding orders and impose consequential penalties for non-compliance with the law, as well as proactive inspections to ensure organizations are demonstrably accountable to the regulator for their privacy practices.

Such powers would put the regulators in a more influential position when taking action against the risk of data harvesting from the widespread collection and use of data in the context of “free” wifi, as in Vancouver’s Yaletown.

Smart cities pose a challenge to privacy norms everywhere

Earlier this month at the APPA Forum in the Philippines (p.27), Stephen Wong, Privacy Commissioner for Personal Data, Hong Kong, expressed his concerns about Smart City Hong Kong. The plans include the installation of “multi-functional smart lamp posts.” He fears “unexpected uses and sharing” and “indiscriminate and excessive collection” of personal data. These smart devices include traffic detectors, Bluetooth detectors, a panoramic camera, meteorological and air quality sensors, and 5G base stations. However, he reported that the plan to install 400 smart lamp posts in four districts has been stalled due to the public’s concerns about personal data privacy, although facial recognition technology is not part of the plan.

Giovanni finished his Manifesto with 10 recommendations. Wojciech Wiewiórowski, formerly, his Assistant EDPS, started his five-year term on 6 December (p. 29). He will announce his five-year strategy in March. There will be both continuity and change. But I expect that there will be some echoes of his predecessor’s vision.

We will continue to bring you news, analysis and good practice from around the world in our 33rd Anniversary edition of PL&B International Report in February. There, we will analyse the Indian government’s Personal Data Protection Bill 2019 which was announced yesterday and is scheduled to be introduced in the Parliament’s Winter Session.

On behalf of all the Privacy Laws & Business Team, I wish you a happy holiday season.

Regards,

Stewart Dresner, Publisher