Statement on Passage of the Virginia Consumer Data Protection Act
Statement by Future of Privacy Forum CEO Jules Polonetsky regarding the approval of the Virginia Consumer Data Protection Act:
“Today, Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA), making Virginia the second state, following California, to establish baseline legal protections for consumer privacy – a significant milestone in the United States.
The law will be the first in the country to require companies to obtain affirmative opt-in consent for processing sensitive data, such as health information, race, ethnicity, precise geolocation, and other sensitive categories, and the first to mandate formal Data Protection Assessments. It also provides for consumer rights of access, deletion, correction, portability, and opt-outs for profiling, targeted advertising, and sale. In the absence of a comprehensive federal privacy law, we are encouraged to see Virginia lawmakers and other states continue to establish and improve legal protections for personal information.”
FPF’s analysis of the Virginia law and comparison to other jurisdictions is available here.
South Korean Personal Information Protection Commission Announces Three-Year Data Protection Policy Plan
by Jasmine Park
On November 24, 2020, the South Korean Personal Information Protection Commission (PIPC), the nation’s central administrative agency tasked with protecting the privacy rights of individuals by enforcing the country’s privacy laws, released its revised three-year “Personal Information Protection Master Plan” (‘21-‘23). A wide range of policies that balance both the protection and use of personal information will be implemented at the national level, such as improving the system for obtaining consent when collecting personal information, providing incentives for self-regulation, and reforming the system regulating the cross-border transfer of personal information. One innovative area where the PIPC will play a leading role is developing a comprehensive support system for the use of pseudonymized data.
The plan includes three key strategies:
Confident protection of personal information;
Secure use of personal information that increases the value of data; and
A fair balance between protection and use of personal information as the control tower.
The first strategy aims to 1) reinforce data subjects’ rights and promote citizen’s privacy literacy, 2) create a business ecosystem of voluntary protection of personal information, and 3) advance personal information protection systems in public sectors. The second strategy will 1) support the safe use of personal information, 2) eliminate blind spots in the digital transformation environment, and 3) create a safer environment for personal information through research and development. The third strategy sets out to 1) take stern measures against and respond promptly to privacy violations, 2) build national governance for personal information protection, 3) strengthen global personal information cooperation, and 4) reinforce the PIPC’s leadership as a unified supervisory body.
PIPC Chairman Yoon Jong-in also presented a report on the plan to the State Council of South Korea on November 24, 2020. The plan revises the “4th Personal Information Protection Plan” which was announced earlier in February 2020, and lays out the driving strategy and direction of major policies for the next three years, including the government’s plan for personal information protection. A need to revise the “4th Personal Information Protection Plan” arose due to the establishment of the PIPC as a central administrative agency on August 8, 2020, under the “Amendments to the Three Data Privacy Laws”, and the socially distanced and digital society brought about by COVID-19.
Therefore, the PIPC revised its plan after conducting an analysis of the environment, public surveys, and system research. Yoon Jong-in announced that the new plan will take effect in 2021 on the 10th anniversary of the enactment of PIPA, and encouragingly stated that “if the past decade was the time to lay the foundation for personal information protection in Korea, the next decade is the key to action. Built on trust in the data economy, we will do our best to implement the personal information protection plan so data can be used safely and well.”
The PIPC also aims to strengthen policies that confidently protect people’s personal information in the private and public sectors. It sets out to improve obtaining consent when collecting personal information, introduce new rights such as data portability, and effectively protect people’s control over their personal information in accordance with the changing times. In addition, the PIPC plans to enhance the self-protection of personal information by having people protect their own personal information taking into account the sensitivity of the data, providing incentives to businesses based on their performance voluntarily protecting personal information in a self-regulatory system, and developing professional expertise.
The PIPC will also expand the existing standards for privacy impact assessments by considering emerging privacy risk factors from new technologies, and expand the data breach incident factors assessment standards to prevent data breaches in the public sector. The public sector itself will take the lead on strengthening the foundation of personal information management, raising the standard through on-site inspections.
Further, in an economy increasingly driven by data, the PIPC will activate a pseudonymized data system to ensure personal information is used securely, and develop personal information protection systems and technologies. South Korea’s data protection law, the Personal Information Protection Act (PIPA) was amended in January 2020, and centralizes the data regulatory functions of PIPC (established as an administrative agency in September 2011), the Ministry of the Interior and Safety (MOIS), and the Korea Communications Commission (KCC) under PIPC, elevating it to the central data privacy regulatory authority in South Korea. While the PIPA has laid the foundation for processing and using pseudonymized personal information, due to the need to continuously enhance protections, the PIPC will develop a comprehensive support system and operate a government council to this end. The system will allow the combination of pseudonymized information by including an application and guidelines for submitting, receiving, and combining pseudonymized information, generating combined key-linked information, and managing the status of combinations.
The PIPC will also develop new protection standards for a digital society where new technologies such as artificial intelligence, cloud, and self-driving technologies have become widespread, and will actively review and seek to improve regulatory sandboxes that have been proven to require modification.
Finally, as the nation’s personal information protection “control tower”, the PIPC aims to strengthen its role in personal information protection domestically and internationally, and lead public-private global governance in balancing the protection and use of personal information. The PIPC also announced that it will increase inspections of public institutions that have large-scale personal information, carry out strict investigations and enforcements, and convene a government joint response consulting body to respond to data breaches. While the PIPC serves as a one-stop-shop for obtaining advice related to personal information protection with addressing complaints as one of the most anticipated functions of the PIPC, it will also assess and improve the cross-border data transfer system in response to increasing overseas data transfers by reviewing the diversification of cross-border transfer requirements, such as non-consent standard contracts.
With thanks to Caroline Hopland for her contribution.
We’ve been taking a look at recent studies about consumer attitudes regarding data use and privacy.
A new study, “Privacy Front and Center,” from Consumer Reports’ Digital Lab with support from Omidyar Network, found that American consumers are increasingly concerned about privacy and data security when purchasing new products and services, which may be a competitive advantage to companies that raise the bar for privacy. A majority of smart product owners (62%) worry about potential loss of privacy when buying them for their home or family, according to CR’s February 2020 nationally representative survey. The study found that the privacy and security conscious consumer class seems to include more men and people of color.
Additional findings from Consumer Reports:
65% of American consumers say they are slightly or not at all confident that personal data is private;
96% of Americans agree that more should be done to ensure that companies protect the privacy of consumers;
42% of consumers believe that companies should be the most responsible for user privacy.
The Cisco 2020 Consumer Privacy Survey, “Protecting Data Privacy to Maintain Digital Trust,” found that protecting data privacy remains important to consumers during the pandemic. In fact, one-third of consumers are “Privacy Actives” who have stopped doing business with organizations over their data privacy practices. The survey also found that residents of all 12 countries in the study view their privacy laws very favorably and want more transparency about how their data is being used.
Cisco also found:
40% of respondents felt that the pandemic would strengthen the importance of privacy; only 28% said it would make privacy less important in the future;
Over half (57%) supported employers requesting employee health information to ensure a safe workforce. However, slightly under half supported location tracking, only 37% supported disclosing information about infected individuals, and only a third supported sharing information with private companies for research purposes.
In addition, Deloitte recently released its 2020 Digital Consumer Trends survey, which focused on the growth in smart device use and data in the United Kingdom. It found that UK consumers have become less concerned about the use of their data. In 2018, 47% of respondents stated they were ‘very concerned’, this has now halved to 24%.