PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Cartoon: GDPR Lawful Basis

Cartoon GDPR Lawful Basis - TeachPrivacy GDPR Training

This cartoon is about the GDPR’s lawful basis requirement to process personal data. One of the biggest differences between U.S. and EU privacy law is that in the U.S., organizations can collect and use personal data in nearly any way they choose as long as they state what they are doing in their privacy notice and follow what they say.  In the EU, in contrast, the GDPR requires that organizations have a “lawful basis” to collect and process personal data. The GDPR specified six lawful bases, including consent, performance of a contract, compliance with a legal obligation, public interest, protect the vital interests of the data subject or other people, and legitimate interest in processing the data.

Many organizations use legitimate interest as their lawful basis.

Article 6(1)(f) of the GDPR provides: 

1.Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Continue Reading

Cartoon: Multi-Jurisdictional Privacy Law Compliance

Cartoon Multi-Jurisdictional Privacy Law Compliance Poodle - TeachPrivacy CCPA Training 02 small

This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR.  In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA).  And, there will be a new referendum on privacy law in California next year — CCPA 2.0.  There’s a flurry of legislative activity in the states on privacy — IAPP has a great chart tracking what is going on.  And, each year, more and more countries are passing new comprehensive privacy laws.

We are witnessing the growing pains of privacy law.  Privacy wasn’t adequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until the concerns are allayed.  A thoughtful and powerful federal law could weaken the enthusiasm for states to jump into the fray, but this is a challenge with Congress as polarized as it is.

For more on the issue, I recently interviewed K Royal on this topic – see here for the interview.

Continue Reading

Cartoon: Cookies and the GDPR

Cartoon Cookies and the GDPR

This cartoon depicts how, after the GDPR, countless websites have cookie notices and require agreeing to accept cookies.  I find these cookie notices to be form over substance.  These notices are virtually meaningless and don’t help consumers. They are a nuisance.  They give privacy a bad name because people start to think that privacy is just about a bunch of silly notices and needless extra clicks.

Because cookies are so ubiquitous and commonly-known, being notified about them isn’t very informative. At this point, a notice that says “this site uses cookies” is akin to a notice that says “this computer uses electricity.” What matters is how personal information is being used, not whether there are cookies. Additionally, there are no meaningful choices for consumers. Often, there’s no choice but to accept the cookies. Even when there is a choice, consumers aren’t informed enough about the benefits and costs to make a meaningful decision.

Formalistic “protections” of privacy such as these cookie notices are a big fail.  These cookie notices create the illusion of doing something about privacy, but nothing really meaningful is happening here.

Continue Reading

Cartoon: Data Subject Access Requests Under the CCPA and GDPR

Cartoon Data Subject Access Requests (DSARs) - TeachPrivacy CCPA Training 02

This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs).  The GDPR Article 15 provides for DSARs.  The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months.

For more background about DSARs, see this great guide to DSARs by WireWheel.

Continue Reading

Cartoon: GDPR Data Portability

Cartoon GDPR Data Portability Santa - TeachPrivacy GDPR Training 02 medium

This cartoon is about the GDPR’s right to data portability under Article 20.  This right allows data subjects to take their data from one organization and transfer it easily to other organizations. Pursuant to the GDPR Article 20:

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Continue Reading