On June 12, 2023, the President of Nigeria signed the Data Protection Bill into law following a successful third reading at the Senate and the House of Representatives. The Data Protection Act, 2023 (the Act) has had executive and legislative support and marks an important milestone in Nigeria’s nearly two-decade journey towards a comprehensive data protection law. Renewed efforts towards a comprehensive law began in September 2022 when the National Commissioner of the Nigeria Data Protection Bureau (NDPB), now the National Data Protection Commissioner (NDPC), announced that the office would seek legal support for a new law as part of the Nigeria Digital Identification for Development Project. The drafting of the law was followed by a validation process that was conducted in October 2022. After validation, the Act was submitted to the Federal Executive Council for approval, which paved the way for its transmission to the National Assembly. The 2022 Data Protection Bill was introduced in both houses of Nigeria’s bicameral legislature as the Nigeria Data Protection Bill, 2023. The Act commenced upon signature by the President.
The Act provides for data protection principles that are common to many international data protection frameworks. It defines “personal data” broadly and it includes legal obligations for “data controllers” and “processors,” defined similarly to the majority of data protection laws around the world. While the structure and content of the Act align with other international frameworks for data protection, the Act contains notable unique provisions:
The Act introduces a new category of “data controllers and processors of major importance,” which seems to be inspired by the tiered approach in the EU’s Digital Services Act and its specific obligations for “very large online platforms and search engines;”
A “duty of care” is among the principles that controllers and processors need to comply with;
Controllers and processors must seek the services of a data protection compliance organization (DPCO) to perform a data protection audit, among other obligations;
The broad extraterritorial provisions under the Act are also notable;
The Act also introduces and places limitations on legitimate interest as a legal basis for personal data processing which is not present under the NDPR and the Implementation Framework;
Data subject rights under the Act are similar to those found in international data protection frameworks, however, with minimal restrictions on their exercise;
The Act provides stronger protections for children and persons without legal capacity, compared to the NDPR. It also introduces a requirement for age verification, where feasible; and
Lastly, the Act sets out structural changes to the existing data protection authority, which will change from a “Bureau” to a Commission, and updates the governing mechanisms for the authority.
Prior to the introduction of the Act, Nigeria’s data protection landscape was governed by the Nigeria Data Protection Regulation, 2019 (NDPR) and the Nigeria Data Protection Regulation 2019: Implementation Framework (Implementation Framework). However, the need to fill in the gaps under the NDPR, create a legal foundation for the existing data protection body, and as a necessary condition for the rollout of a national digital identification program required the creation of a new legislative framework. However, the NDPR and its Implementation Framework shall remain in force alongside the Act. Under Section 64(2)(f) all existing regulatory instruments, including regulations, directives, and authorizations issued by the National Information Technology Development Agency (NITDA) or NDPB shall remain in force as if they were issued by the Commission until they expire, are repealed, replaced, reassembled or altered. Per Section 63 of the Act, the new law shall take precedence in any instance of a conflict with pre-existing provisions.
1.Covered Actors: Novel Categories of Data Controllers and Processors
The Act applies to the processing of personal data by data controllers, data processors, and third parties, which may be individuals, private entities, or public entities that process personal data. A data controller is defined as an individual, private entity, public Commission or agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor is defined as an individual, private entity, public authority, or any other body who or which processes personal data on behalf of or at the direction of a data controller or another data processor. The Act does not define third parties.
The Act introduces a novel category of “data controllers and processors of major importance.” A data controller and processor of major importance is defined as a “data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than a such number of data subjects who are within Nigeria.” The Act continues, explaining that “the Commission may prescribe or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society, or security of Nigeria as the Commission may designate.”
While the practical thresholds of this definition are set to be further clarified by the Commission, they will be based on the number of data subjects whose data are processed and the value or significance of the processed data. This categorization has commonalities with the EU’s Digital Service Act’s designation of entities as Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) and may be used to create unique and additional obligations for such controllers and processors. The Act currently requires qualifying entities to meet special registration requirements, appoint a data protection officer, and pay different penalty amounts for violations. Future obligations will relate to processes relating to filing of compliance returns (Section 61(2)(g)), as well as any others that may be prescribed through regulations later issued by the Commission.
2. Covered Data: Broad Categories of Sensitive Personal Data
The Act covers both personal and sensitive personal data. It defines personal data as “any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.” The definition closely tracks Article 4(1) of the GDPR.
It further defines sensitive personal data as personal data relating to an individual’s:
genetic and biometric data, for the purpose of uniquely identifying a natural person;
race or ethnic origin;
religious or similar beliefs, such as those reflecting conscience or philosophy;
health status;
sex life;
political opinions or affiliations; and
trade union memberships.
Section 30(2) of the Act envisions a broad, flexible definition for sensitive personal data by authorizing the Commission to prescribe further categories of sensitive personal data. The Act also prohibits the processing of sensitive personal data unless specified conditions are met. Notable allowances for processing of sensitive personal data include:
Where the processing is necessary for reasons of “substantial public interest,” on the basis of a law (Section 30(1)(f)). Substantial public interest is not defined under the Act; and
Where the data subject has consented to such processing (Section 30(1)(a)).
These proposed rules closely track Article 9 of GDPR’s restrictions for the processing of “special category” data. Unlike the GDPR, which envisions situations where the prohibition on processing sensitive personal data may not be lifted on the basis of consent, the consent exception under Nigeria’s Act is only restricted to situations where a data subject has given and then withdrawn such consent. Additionally, the Act only applies an “explicit consent” requirement to the potential sharing of sensitive personal data by a “foundation, association, or other not-for-profit body with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes,” while the GDPR’s Article 9(2)(a) requires “explicit consent” for all excepted processing. However, the Act does permit the Commission to potentially create additional regulations that may apply to the processing of sensitive personal data, including regulations expanding categories of sensitive personal data, additional grounds for processing such data, and safeguards to be applied.
3.Territorial Application: Broad Extraterritorial Application of the Act
Section 2(2)(c)) of the Act contains broad extraterritorial authority, covering any form of processing the personal data of a data subject in Nigeria by controllers or processors not established in Nigeria. This provision does not consider the nature of processing being conducted, unlike frameworks such as the GDPR, which include the “targeting” criteria.
Exemptions from Application of the Act: Increased Protections for Exempted Processing Activities
Section 3 of the Act provides several different exemptions from the broader application of the law and makes room for the Commission to expand the processing activities that may be exempted from the Act. Processing personal information “solely for personal or household purposes” is exempt, as long as such processing does not violate a data subject’s right to privacy. This is a stark difference from laws such as the GDPR, which wholly exempts processing of personal data by a natural person in the course of personal or household activity, regardless of whether it touches on the person’s right to privacy or not. Therefore, there are instances where personal data processing activities of a non-professional and non-commercial nature may fall under the ambit of the law. The rationale for this condition is not clear. Other exemptions include processing activities by law enforcement during the prevention, investigation, detection, or prosecution of a crime, processing for the prevention or control of a national public health emergency, national security or public interest purposes, and as necessary for the establishment, exercise, or defense of legal claims that are exempt from most of the obligations under Part V of the Act. Exempt entities must still comply with some specific provisions under Part V including:
The principles of personal data processing – Section 24;
Provisions relating to the lawful basis of processing personal data – Section 25;
Provisions relating to the appointment of data protection officers for data controllers and processors of major importance – Section 32; and
Provisions relating to personal data breaches – Section 40.
While the Act reserves for the Commission authority to prescribe additional exemptions, it includes a greater number of protections for exempt processing activities than the 2022 Bill. In addition to the above-mentioned provisions that exempt entities must comply with, the Act empowers the Commission to issue a Guidance Note on the legal safeguards and best practices for exempted data controllers and processors where such processing violates or is likely to violate Sections 24 and 25 of the law. Some exemptions have been narrowed relative to the 2022 Bill. Entities who were exempted from complying with provisions under the 2022 Bill must now comply with the above-mentioned provisions for exempt entities under the 2023 Act, as well as those relating to data security and cross-border data transfers.
4. Obligations of Data Controllers and Processors: Novel Registration Requirements for Data Controllers and Processors of Major Importance
Some of the Act’s obligations for data controllers and processors are novel, while others have been maintained from the NDPR.
Data Controllers and Processors of “Major Importance”
The designation of “data controllers and processors of major importance” and the Commission’s authority to classify and regulate such entities is a key new development. Section 44 of the Act sets out the process and timelines to which such entities must adhere, including registering with the Commission within six months after the commencement of the Act, or upon meeting the statutory criteria for qualifying as a data controller or processor of major importance. Additionally, the Act empowers the Commission to exempt classes of data controllers and processors of major importance from registration where it considers that such registration is unnecessary or disproportionate. The criteria for exemption may be stipulated through Regulations by the Commission.
Another special obligation for controllers and processors of major importance is the requirement to appoint a Data Protection Officer (DPO), which is imposed by Section 32 on such entities only. This requirement substantially differs from the NDPR and the Implementation Framework; under the NDPR, every data controller must appoint a DPO (Article 4.1.2), while the Implementation Framework stipulates conditions for such an appointment (3.4.1).
Other important obligations of all data controllers and processors include:
Compliance with Data Protection Principles
Data controllers and processors are responsible for complying with the principles provided in the Act. The principles are similar to the FIPPS-based sets found in many comprehensive data protection regimes but also include the duty of care as a principle for controllers and processors (Section 24(3)). Specifically, both controllers and processors owe “a duty of care” with respect to data processing, which is linked to demonstrating accountability related to compliance with other principles provided by the Act.
Filing of Audit Reports
As discussed in greater detail below, controllers and processors must seek the services of a data protection compliance organization (DPCO) to perform a data protection audit, among other obligations. As the Act does not create new criteria for entities required to conduct such audits, provisions under the NDPR and Implementation Framework remain in force. While the Implementation Framework provides that the authority may carry out scheduled audits or perform spot checks, the common practice is for controllers and processors that process personal data of more than 2000 data subjects in 12 months to engage a DPCO to conduct annual audits on their behalf. This practice is expected to continue.
Provision of Information to a Data Subject Prior to Collection of Personal Data
Where a data controller collects personal data directly or indirectly from a data subject, they must supply the data subject with the following information prior to collection:
The identity, residence or place of business of, and means of communication with the controller;
The specific lawful basis of processing under either Section 25(1) or 30(1) of the Act, and the specific purposes of processing;
The categories of recipients of the personal data;
The existence of the data subject rights;
The retention period of the data;
The right to lodge a complaint with the Commission; and
The existence of any automated decision-making, including profiling, its significance, the envisaged consequence of such processing for the data subject, and the right to object to/challenge such processing.
Where personal data is collected indirectly, a controller may be exempted from providing this information to a data subject if it had already been provided or where it would involve a disproportionate effort (Section 27(2)). The transparency obligations imposed by Section 27(1) (listed above) shall form part of the content of a privacy policy that a controller is obliged to have under the law and must be expressed in “clear, concise, transparent, intelligible, and easily accessible form.” In providing this information, a controller is obligated to take into account the intended class of data subjects. This implies that a privacy notice may need to be adjusted to cater to, among other issues, the literacy levels and language differences among data subjects.
Conducting a Data Protection Impact Assessment
Section 28(1) mandates a data controller to conduct a data protection impact assessment (DPIA) prior to the processing of personal data, where such processing may likely result in a high risk to the rights and freedoms of a data subject. The Act does not specify the period within which a DPIA must be conducted prior to such processing. Laws such as Kenya’s Data Protection Act require a DPIA to be conducted 60 days prior to the processing; this obligation may be clarified under future Regulations.
The Commission may designate, by Regulation or Directive, categories of processing or persons that automatically trigger the requirement to conduct a DPIA. To qualify, a DPIA must include:
A systematic description of the envisioned processing and its purpose, including any legitimate interest pursued by the controller, processor, or third party;
An assessment of the necessity and proportionality of the processing related to those purposes;
An assessment of the risks to the rights and freedoms of the data subject;
Measures envisioned to address those risks, along with any safeguards, security measures, and mechanisms in place to ensure the protection of personal data.
Overseeing the Conduct of Data Processors and Sub-Processors
Controllers engaging processors, or processors engaging sub-processors, must take “reasonable measures” to ensure that the engaged party complies with the requirements of the Act set out in Section 29(1). These measures must take the form of a written agreement and ensure that the engaged party:
Assists the data controller or processor, as the case may be, in the fulfillment of the controller’s obligations to honor the rights of a data subject;
Implements appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data;
Provides the controller or processor, where applicable, with information reasonably required to demonstrate compliance with the Act; and
Notifies the engaging controller or processor when a new processor is engaged.
Data Security and Data Breach Notification Requirements
Controllers and processors shall be required to implement security measures and safeguards for personal data. The level of such measures shall take into account several factors, including:
The amount and sensitivity of personal data involved;
The period of data retention; and
The availability, and cost of technologies to be implemented.
The measures that controllers and processors may implement are further described under section 39(2), including pseudonymization, encryption, and periodic assessments of risks to processing systems.
Where a data breach occurs that affects a data processor, the processor will be required to notify the data controller or processor that engaged it as soon as the breached party becomes aware of the incident, and must respond to information requests regarding the breach (Section 40(1)).
Where a data controller suffers a breach that is likely to cause a risk to the rights and freedoms of data subjects as defined by Section 40(7), several steps are required, including:
Notifying the Commission within 72 hours of becoming aware of the breach;
Notifying the data subjects without undue delay. No time specification is made for notifying data subjects.
The requirements for communications to the Commission and to affected data subjects also differ. Communication to the Commission should be as detailed as possible and include a description of the nature of the breach, while notice to data subjects should be in plain and clear language and include steps to take to mitigate any adverse effects. Section 40(4) highlights the common information that should be present in both cases, such as the name and contact details of a point of contact for the data controller. Information relating to a breach may be provided in a phased manner, where it is impossible to provide all information in a single communication.
5.Lawful Grounds for Processing Personal Data, Consent Requirements, and Children’s Personal Data
The Act provides for six lawful grounds for processing personal data similar to those under the GDPR, including:
With consent of a data subject for the processing of personal data for a specific purpose;
For performance of a contractual obligation in which the data subject is a party;
Compliance with a legal obligation to which the data controller or data processor is subject;
For protection of the vital interest of the data subject or another person;
For performance of a task in the public interest or exercise of official authority by a data controller or data processor; and
To fulfill the legitimate interests of a data controller or processor, or by a third party to whom the data is disclosed, considering that a data subject would have a reasonable expectation that personal data would be processed in the stipulated manner and the processing does not override their fundamental rights and freedoms. This basis is, however, not permissible where a controller or processor’s legitimate interests are incompatible with other lawful bases under the Act.
Consent Requirements
The Act requires that consent be freely given, specific, informed, and unambiguous. This is similar to consent requirements under the NDPR and Implementation Framework. The Act prohibits implied consent – i.e., the inference of consent from a data subject’s inactivity or the use of pre-ticked boxes. This corresponds with most of the consent provisions under the Implementation Framework, other than the fact that the Framework provides exceptions for consent relating to cookies. The Framework (5.6) provides that consent for cookies may be implied from the continued surfing of a website and does not mandate explicit consent. This effectively limits the extent of consent to direct marketing that is required under 5.3.1(a) of the Implementation Framework.
Children’s Privacy
The Act expands the protections accorded to children and persons lacking legal capacity compared to the NDPR and its Implementation Framework. It increases the age threshold under which a data subject is considered a “child” to 18 years, in alignment with the Nigeria Child Rights Act (however, not all states have domesticated the Act), and contrasts with the Implementation Framework, which categorizes a child as a person under 13 years of age). The Act also includes specific consent requirements for children and persons lacking the legal capacity to consent. While the NDPR and Implementation Framework are silent on whom to obtain such consent from, under the Act, consent shall be obtained explicitly from parents or legal guardians (Section 31(1)). To effect this, the Act requires controllers and processors to adopt consent verification mechanisms. To guarantee stronger privacy protections for children, the Commission will create Regulations to guide the personal data processing of a child of 13 years and above in the course of their usage of online products and services.
However, there are instances where a controller or processor may process the personal data of children and persons lacking legal capacity without the consent of a parent or legal guardian, such as:
Where the processing is necessary to protect the vital interests of the child or person lacking the legal capacity to consent;
Where the processing is carried out for purposes of education, medical, or social care, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality; or
Where the processing is necessary for proceedings before a court relating to the individual.
Further Protection for Processing of Personal Data Relating to Children and Persons Lacking Legal Capacity
In addition to the consent requirements, the Act further requires controllers and processors to adopt age verification mechanisms. Age verification is required “where feasible,” taking into consideration available technology. Presentation of any government-approved identification documents will be permitted as a verification mechanism.
6.Data Subject Rights: Robust Rights with No Implementation Mechanisms for Data Subjects and Narrow Restrictions on Exercise of Rights
The Act provides for data subject rights, which data controllers and processors must comply with prior to and during the processing of personal data, including the rights to:
Obtain information regarding the personal data held by a controller or processor about the requestor, in a commonly used electronic format;
Know the source of information where the personal data has been collected from a source other than the data subject;
Lodge a complaint with the Commission;
Know the existence of automated decision-making (ADM) and not to be subject to a decision that is solely based on automated processing of personal data, including profiling, and the significance and consequences for the data subjects of such processing;
Correct, and where it is not feasible or suitable, delete inaccurate, out-of-date, incomplete, or misleading information;
Request erasure where the personal data is no longer required in relation to the purpose for which it was collected and where the data controller has no other lawful basis to retain the personal data;
Request the restriction of processing personal data where there is a pending resolution of a request, where a data subject objects to processing, and where a data subject seeks to establish, exercise or defend a legal claim;
Object to the processing of personal data, including where processing is for the purpose of direct marketing;
Data portability. The Act makes it possible for a data subject to receive personal data concerning them from a data controller and transmit it to another controller, or for the data to be directly transferred from one controller to another. The importance of this right, given Nigeria’s thriving fintech ecosystem, has seen the Central Bank of Nigeria issue operational guidelines within the context of open banking; and
Withdraw consent to the processing of personal data at any time.
The Act does not provide comprehensive mechanisms for implementing these rights, such as parameters and modalities to respond to data subject requests. However, the Implementation Framework (2.3.2(c)) requires controllers to inform data subjects on the method to use to withdraw consent before obtaining consent. The Act states that “a controller should ensure that it is as easy for the data subject to withdraw as it is to give consent.”
The Act does not provide general restrictions/limits to the rights except for specific cases such as:
The right to object – where a controller may still process personal data in light of an objection if there is a public interest or other legitimate ground which overrides the fundamental rights and freedoms of the data subject; and
Exceptions to the right not to be subject to ADM systems, including where the processing is necessary for contractual obligations, is authorized under a written law, or based on a data subject’s consent. While a person may not object to processing by ADM systems if it falls under the three exempt conditions, data subjects retain the rights to (i) request human intervention in the ADM system, (ii) have an opportunity to express their point of view, and (iii) contest a decision based on an ADM system. This differs from the 2022 Bill where a controller using an ADM system on the basis of another existing law, did not have to guarantee these three data subject rights.
7. Cross Border Data Transfers: Broad Grounds for Transfers of Personal Data as well as Parliamentary Authorizations to Protect Data Sovereignty
The Act establishes as a rule that personal data should not be transferred outside of Nigeria, allowing for two exceptions. First, personal data can be transferred when the recipient of the personal data (the data importer) is subject either to (1) a law, (2) Binding Corporate Rules (‘BCRs’), (3) contractual clauses, (4) a Code of Conduct, or (5) a certification mechanism that “affords an adequate level of protection” to that provided by the Act. In the absence of such adequate protection through one of the enumerated means, personal data can also be transferred outside of Nigeria in exceptional situations, listed in Section 43 and mapping precisely to the set of derogations under Article 49 GDPR (consent of the individual, or for the performance of a contract, among others).
Controllers are under an obligation to keep a record of the legal basis for transferring personal data outside Nigeria, as well as to record “the adequacy of protection,” according to the criteria described in detail under Section 42 of the Act. This wording suggests that the adequacy of the means of transfers used can be validly assessed by each controller. This is a departure from other existing adequacy regimes, which usually require an official body to declare a specific jurisdiction adequate.
The Commission is tasked with issuing guidelines on how to assess the adequacy of a particular means of transfer, under the criteria established by Section 42 of the Act. This section explains that an adequate level of protection means “upholding principles that are substantially similar (n. – our emphasis) to the conditions for processing personal data” under the Act. The criteria relevant for adequacy include “access of a public authority to personal data,” potentially complicating such assessments in line with the broader global debate on “government access to data held by private companies.”
Of note, the Commission is given the possibility under the Act to determine whether “a country, region, or specified sector within a country, or standard contractual clauses, affords an adequate level of protection.” In this sense, it is important to recall that the NDPR and Annex C of the Implementation Framework already provide a white list of 41 countries whose laws are considered adequate. Interestingly, the Act specifically allows the Commission to make an adequacy determination under the Nigerian law based on an adequacy decision “made by a competent authority of other jurisdictions,” if such adequacy is based on similar criteria to those listed in Section 42 of the Act. This opens the door for Nigeria to potentially equivalate adequacy decisions made by foreign bodies, like the European Commission, making an “adequacy network effect” functional. The Commission is also empowered to approve BCRs, Codes of Conduct, and certification mechanisms for data transfers.
Finally, and particularly interesting in the context of emerging certification frameworks like the Global Cross Border Privacy Rules (CBPR) framework, the Act requires that any specific “international, multinational cross-border data transfer codes, rules, or certification mechanisms” relating to data subject protection or data sovereignty must be approved by the National Assembly of Nigeria. This provision on data sovereignty aligns with the Nigeria National Data Strategy, 2022, which incorporates data sovereignty as one of its enabling pillars. Under the Strategy, data sovereignty will facilitate data residency and ensure that data is treated in accordance with national laws and regulations.
In this sense, the Act also empowers the Commission to “designate categories of personal data that are subject to additional specified restrictions on transfer to another country.” This designation would be based on “the nature” of such personal data and on “risks” to data subjects. This provision opens the door to potential future data localization requirements for specific categories of personal data.
8.Enforcement: Legal Foundation for the Nigeria Data Protection Bureau, Creation of a Governing Council and Expected Regulations
Establishment of the Commission
Originally created through an Executive Order in February 2022, the NDPB has now been renamed the “Nigeria Data Protection Commission” and will operate as an independent and impartial body to oversee the Act’s implementation and enforcement. Previously, data protection enforcement in Nigeria was conducted under the auspices of the Nigeria Information and Technology Development Agency. However, concerns that the NITDA lacked powers to oversee data protection in the country may have necessitated the creation of a new agency. The Commission will function as a successor agency, and all persons engaged in the activities of the Commission shall, upon enactment of the Act, have the same rights, powers, and remedies held by the NDPB before the commencement of the law (Section 64(1)). All regulatory instruments issued by the NITDA, including the NDPR, shall remain in force, and shall have the same weight as if they had been issued by the Commission until they expire, are repealed, replaced, reassembled, or altered (Section 64(2)(f)).
Functions and Powers of the Commission
Some of the key functions and powers of the Commission include:
Accrediting, Licensing, and Registering Suitable Bodies to Provide Data Protection Compliance Services (Section 5(c)).
Section 28 of the Act provides the Commission with the power to delegate the duty to monitor, audit, and report on compliance with the law to licensed data protection compliance organizations. This model was introduced under the NDPR and allows the data protection authority to delegate some functions under existing regulations to monitor, audit, and report on compliance by data controllers and data processors. Detailed provisions on the operation of DPCOs can be found under the NDPR and Implementation Framework and shall continue to apply to controllers and processors.
Designating, Registering, and Collecting Fees from Data Controllers and Processors of Major Importance (Section 5(d)).
Following successful registration of a controller or processor of major importance, the Commission is tasked to publish a register of duly registrants on its website. The Commission is also expected to prescribe fees and levies to be paid by this class of controllers and processors.
Participating in international fora and engaging with national and regional authorities responsible for data protection to develop efficient strategies for the regulation of cross-border transfers of personal data (Section 5(j)).
Issuing Regulations, Rules, Directives, and Guidance.
The Commission is expected to develop certain regulations as prescribed under the law and as detailed above, including in relation to designating new categories of sensitive data, adequate steps for data breach notification, conducting DPIAs, or issuing data localization regulations for specific categories of personal data.
Other functions of the Commission include promoting public awareness and understanding of personal data protection, the rights and obligations imposed under the law, and the risks to personal data; receiving complaints alleging violations of the Act or subsidiary legislation; and ensuring compliance with national and international personal data protection obligations and good practice.
In a bid to ensure that the services of the Commission are accessible beyond urban areas, the Commission is allowed to establish its offices in other parts of Nigeria (Section 3(b)). This is important as part of creating awareness of the importance of data protection across the country.
The Commission will be governed by a “Governing Council” (the Council), whose members will be appointed by the President on the recommendation of the Minister on a part-time basis, drawn from the public and private sector to serve for a term of 5 years that is renewable once. This rule exempts the National Commissioner, who will serve as the Secretary to the Council.
The Council is tasked with providing overall policy direction of the affairs of the Commission, approving strategic and action plans, budgeting support programs submitted by the National Commissioner, as well as providing advice and counsel to the National Commissioner.
9. Offenses, Sanctions, and Compensation: Higher Penalties for Data Controllers and Processors of Major Importance
The Act provides a data subject who has suffered injury, loss, or harm arising from a violation of the law with a private right of action that allows recovery of damages in a civil proceeding. Where a controller or processor violates the provisions of the Act or subsidiary legislation, the Commission may issue a compliance order requiring them to take specific measures to remedy the situation within a specified period as well as inform them of their right to a judicial review. The Commission may also impose an enforcement order or a sanction. In issuing an enforcement order or a sanction, the Commission may:
Require the data controller or processor to remedy the violation;
Order for the compensation of data subjects;
Order the controller or processor to account for profits realized from the violation; or
Impose a penalty.
However, it is not clear from the Act what conditions may trigger an enforcement order, sanction, and thus a penalty or any other such measure. In laws such as Section 62 of Kenya’s Data Protection Act, failure to comply with the requirements of an enforcement order (referred to as a compliance order under the Act) triggers a penalty notice. The Act does not specify the period within which complaints may be heard and concluded.
The penalty amount depends on whether the violator is a data controller or processor of major importance or not. Penalties against data controllers or processors of major importance shall be the higher of N10,000,000 (approximately 22,000 USD) or 2% of the annual gross revenue of the preceding financial year. Penalties against other data controllers and processors shall be greater than N2,000,000 (approximately 4,300 USD) or 2% of the annual gross revenue of the preceding financial year.
The Commission is empowered to create regulations that create new offenses and that impose penalties not exceeding those prescribed under the Act (Section 56(3)).
Conclusion
As Nigeria continues to make its mark within the global digital economy and rapidly expand its technology ecosystem, this Act represents a continued focus on protecting the personal data of Nigerian citizens, in alignment with common internationally accepted principles of data protection.
However, the Act contains unique provisions that should not be overlooked, including a new classification of data controllers and processors “of major importance” and specific obligations attached to them, as well as broader protections for exempt processing activities. Overall, the Act represents a significant step in Nigerian data protection and notably resolves the long-running dispute regarding the identity and institutional authority of Nigeria’s primary data protection regulator.
FPF Launches Cybersecurity and Data Privacy Expert Group, Bringing Together Top Leaders for Advisory Committee
As the world becomes more ingrained and dependent on digital systems, the need to explore the challenges posed by emerging technologies and develop ethical norms and workable best practices grows. Today, FPF launched its Privacy and Cybersecurity Expert Group and announced the Inaugural Advisory Committee to lead FPF’s exploration of the intersection of privacy and security.
Comprised of FPF’s Advisory Board members, the Privacy & Cybersecurity Expert Group will examine the overlap between data privacy and cybersecurity and how different global laws and policy regimes tackle that overlap. The working group will also provide space for privacy and cybersecurity experts to work together, ultimately facilitating the opportunity to elevate practices and approaches.
“Often, privacy and cybersecurity are mistaken as separate, and sometimes even competing, motivators,” said Amie Stepanovich, Vice President for U.S. Policy at FPF, who leads the working group. “However, both cybersecurity and privacy experts deal with large amounts of personal information. Our work to convene the Expert Group, and with the advice of our Inaugural Advisory Committee of innovative thinkers, provides an invaluable opportunity for a wide variety of experts to work together and become powerful allies moving toward the common interest of crafting norms and protections for society at large.”
The Inaugural Advisory Committee consists of top cyber and privacy executives at industry-leading companies and representatives from civil society and academia.
Advisory committee members include:
Emily Hancock, Cloudflare
Stephenie Handler, Gibson Dunn (Chair)
David Hoffman, Duke University, Sanford School of Public Policy
Anitha Ibrahim, Amazon Web Services
Andy Serwin, DLA Piper
Chad Sniffen, National Network to End Domestic Violence
Melanie Tiano, T-Mobile
Heng Xu, American University
To join FPF’s Privacy & Cybersecurity Expert Working Group as an FPF member, please email [email protected].
We’re On to Oregon: Sixth State Privacy Law of 2023 Creates New Consumer Rights and Protections
On June 22nd, lawmakers in Salem passed SB 619, the Oregon Consumer Privacy Act (“OCPA”). If enacted by Governor Kotek, Oregon will become the eleventh U.S. state (and sixth in 2023) to adopt broad-based data privacy legislation governing the collection, use, and transfer of consumer data. The bulk of OCPA’s requirements will take effect on July 1, 2024 (with a July 1, 2025 effective date for nonprofit organizations).
OCPA is the product of a multi-year stakeholder task force held under the auspices of Attorney General Rosenblum’s office.* The bill shares a common underlying framework, rooted in the proposed Washington Privacy Act, with every non-California state to enact comprehensive privacy legislation. Nevertheless, stakeholders should pay particular attention to OCPA as it would join the Texas Data Privacy and Security Act as the only two comprehensive state privacy laws enacted so far in 2023 that extend privacy rights and protections beyond the existing high-water marks established by states such as Colorado and Connecticut in modest but meaningful ways.
Below, we identify the key provisions that distinguish OCPA from comparable state privacy laws:
1. Broad Scope
State privacy laws typically exclude entities that are subject to existing federal privacy laws from coverage; however, OCPA carves out only specific data held by organizations that is subject to laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Furthermore, OCPA does not include an entity-level exception for non-profit organizations, joining only the Colorado Privacy Act in applying to such organizations. Notably, Oregon’s bill does carve out nonprofits “established to detect and prevent fraudulent acts in connection with insurance” as well as organizations designated as “financial institutions” under state law.
2. Expansive Definitions of Covered Data
Consistent with the ten existing state privacy laws, OCPA applies to “personal data” and creates a subcategory of “sensitive data” that is subject to heightened protections. However, OCPA’s definition of “personal data” is unique in explicitly including “derived data” (presumably covering inferences about a customer) and data associated with a “device” that is reasonably linkable to one or more consumers in a “household.” Furthermore, contrary to other Washington Privacy Act-style laws, OCPA lacks a definition of and dedicated exemptions for personal data that is maintained in a “pseudonymous” format.
The Oregon bill’s definition of “sensitive data” is also broader than other state laws, covering “national origin,” “status as transgender or nonbinary,” and “status as a victim of crime.” OCPA also contains a comparatively broad definition of “biometric data” (a category of sensitive data), including information that may allow the unique identification of an individual, not just data collected or used for the purpose of such identification. However, the scope of “biometric information” is also limited by a novel exception providing that “facial mapping or facial geometry” only qualifies as biometric data if collected for or used for the purpose of uniquely identifying an individual, likely carving out technologies used solely for facial detection and characterization.
3. Novel Consumer Rights
OCPA provides for now-routine individual rights to obtain confirmation of data processing, to access, correct, delete, receive personal information in a portable format, and to opt-out of targeted advertising, data sales, and significant profiling decisions. However, Oregon’s bill also allows individuals to obtain a list of the “specific third parties” to whom a controller discloses personal data. This may be the most operationally complicated novel aspect of the Act and mirrors similar requirements included in recently enacted health privacy laws in Washington State and Nevada. OCPA would also be the first comprehensive state privacy law to explicitly provide that individuals have a right to request the deletion of “derived data.”
4. Slightly Stricter Controller Obligations
Oregon’s bill includes a number of routine obligations for covered organizations including maintaining reasonable data security, contractual requirements for processors, posting privacy notices, and obtaining consent for the processing of sensitive data. However, OCPA does establish slightly stricter data controller obligations than comparable state laws. First, controllers are required to obtain affirmative consent in order to profile adolescent data (individuals from 13-15 years of age), for significant decisions. Second, while OCPA does not explicitly use the term “dark patterns,” it does provide that design mechanisms deployed with a purpose to frustrate consumer choice, not just those that have “substantial effect” of doing so, will invalidate consumer consent under the law. Finally the Act requires that data protection impact assessments must be retained for a period of five years, joining only Colorado which established a similar retention period through its implementing regulations.
5. Enabling Data Use and Sharing for Research
Finally, OCPA includes a familiar list of uses of personal data that are exempt from that Act’s consumer rights and obligations, including processing for the purposes of internal operations reasonably aligned with consumer expectations, complying with law enforcement inquiries, and maintaining data security. However, unlike other state privacy laws providing that the use of data for research must be governed by an IRB-like entity and conducted in the “public interest” (a subjective term that may be applied differently across jurisdictions), SB 619 exempts identifying data used for research so long as it is consistent with applicable law.
*The Future of Privacy Forum submitted written feedback to the Oregon task force in early 2022.
New FPF Infographic Analyzes Age Assurance Technology & Privacy Tradeoffs
As a growing number of federal and state children’s online privacy and safety proposals seek to age-restrict social media and other online experiences, FPF released a new infographic, Unpacking Age Assurance: Technologies and Tradeoffs. The infographic analyzes the risks and potential harms associated with attempting to discern someone’s age online, as well as potential mitigation tools. FPF also outlines the privacy and accuracy tradeoffs of specific age assurance methods and technologies.
“Age assurance is highly contextual, and the most privacy-protective approach requires choosing a method, or sometimes multiple methods, in a layered approach, that is proportional to the risks of each specific use case,” said Jim Siegl, FPF Youth & Education Senior Technologist, and a co-author of the infographic. “If the potential for user harm associated with the service is high, a higher level of certainty may be appropriate. We hope this analysis and visualization of the key decision points will serve as a helpful guide as policymakers, regulators, service providers, and others continue to evaluate options and potential solutions.”
The analysis outlines the three categories of age assurance, finding that:
Age declaration, including age gate and parental consent/vouching, generally offers the lowest degree of privacy risks to the user and the lowest level of accuracy to the service provider. Parental consent provides more assurance than age-gating but may impact a teen’s autonomy.
Age estimation, such as facial characterization and other algorithmic estimation methods based on browsing history, voice, gait, or data points/signals from a VR game, can be particularly effective for determining if a user meets an age threshold (e.g., under 13 or 21+) but is less accurate within in narrow age ranges (e.g., determining if a user is 17 or 18).
Age verification, such as government ID plus biometrics or digital ID, is more appropriate for higher-risk, regulated, or age-restricted services, and it provides the greatest level of assurance but also poses the highest degree of privacy risks.
Balancing the privacy and equity implications of age assurance with the potential for harm to minors is an ongoing challenge for policymakers and online service providers. The infographic highlights some of those risks, including limiting legitimate access to online content, a loss of anonymity, limiting teen autonomy, and sensitive data collection and/or unexpected data uses. FPF also identifies some risk management tools, including on-device processing, data minimization, immediate deletion of ID data, and using a third party to separate data processing so that one company doesn’t control/access all of the data.
“Age assurance impacts all users on a service, not just minors. In addition to considering the tradeoffs around privacy and the potential for harm with each particular method, it’s important to balance those against the risk of barring access to content – especially if content restrictions have inequitable impacts,” said Bailey Sanchez, FPF Youth & Education Privacy Senior Counsel and a co-author of the infographic. “While age restrictions such as gambling are a matter of law, risk of harm is subjective – and that’s where things are starting to become really difficult. Different people make different calculations about potential risks posed by online gaming, for example.”
Unpacking Age Assurance builds on a series of new federal and state policy resources from FPF’s Youth & Education Privacy team. FPF recently released a report on verifiable parental consent, a form of age declaration and requirement of the Children’s Online Privacy Protection Act, and its analyses of new children’s privacy laws in Utah, California, Florida, and Connecticut highlight their respective approaches to age assurance.
The following is a guest post to the FPF blog by Yirong Sun, research fellow at the New York University School of Law Guarini Institute for Global Legal Studies at NYU School of Law: Global Law & Tech and Jingxian Zeng, research fellow at the University of Hong Kong Philip K. H. Wong Centre for Chinese Law. The guest blog reflects the opinion of the authors only. Guest blog posts do not necessarily reflect the views of FPF.
The Draft Measures for the Management of Generative AI Services (the “Draft Measures”) were released on April 11, 2023, with their comment period closed on May 10. Public statements by industry participants and legal experts provided insight into the likely content of their comments. It is now the turn of China’s cyber super-regulator – the Cyberspace Administration of China (“CAC”) – to consider these comments and likely produce a revised text.
This blog analyzes the provisions and implications of the Draft Measures. It covers the Draft Measures’ scope of application, how they apply to the development and deployment lifecycle of generative AI systems, and how they deal with the ability of generative AI systems to “hallucinate” (that is, produce inaccurate or baseless output). It also highlights potential developments and contextual points about the Draft Measures that industry and observers should pay attention to.
The Draft Measures aim to protect the “collective” interests of “the public” within the territory of the People’s Republic of China (PRC) in relation to the Management of Generative AI Services. The primary risk foreseen by the CAC involves the potential use of the novel technology to manipulate public opinion and fuel social mobilization by spreading sensitive or false information. The Draft Measures also seek to tackle issues arising from high-profile societal events, such as data leaks, frauds, privacy breaches, intellectual property infringements, as well as overseas incidents widely reported in Chinese media, including defamation and extreme cases of suicide following interactions with AI chatbots. Notably, the Draft Measures set high standards for data authenticity and impose safeguards for personal information and user input. They also mandate the disclosure of information that may impact users’ trust and the provision of guidance for using the service rationally.
Meanwhile, concerns have arisen that the Draft Measures may slow down the development of generative AI-based products and services by Chinese tech giants. Companies providing services based on generative AI, including those provided through application programming interfaces (“APIs”), are all subject to stringent requirements in the Draft Measures. The Draft Measures thus concern not only those who have the means to train their own models, but also smaller businesses who want to leverage on open-source pre-trained models to deliver services. In this regard, the Draft Measures are likely to present compliance challenges within the open-source context.
While this blog focuses on the Draft Measures, it is important to note that industrial policies from both central and local governments in China also exert substantial influence over the sector. Critically, the task to promote AI advancement amid escalating concerns is overseen by authorities other than the CAC, such as the Ministry of Science and Technology (“MST”) and the Ministry of Industry and Information Technology (“MIIT”). Recently, the China Academy of Information and Communications Technology (“CAICT”), a research institute affiliated with the MIIT, introduced China’s first-ever industry standards1 for assessing generative AI products. These agencies, along with their competition and coordination, can and will co-play a significant role with the CAC in the realm of generative AI regulation.
1. Notable aspects of the Draft Measures’ scope of application: Definition of “public” and extraterritorial application
Ambiguity in the definition of “public”
The Draft Measures regulate all generative AI-based services offered to “the public within the PRC territory.”2 This scope of application diverges from existing Chinese laws and regulations where intended service recipients are not usually considered. For instance, regulations targeting deep synthesis and recommendation algorithms both apply to the provision of service using these technologies regardless of service recipients being individuals, businesses or “the public.” Looking at its context, Article 6 of the Draft Measures suggests that generative AI-based services have the potential to shape public opinion or stimulate social mobilization, essentially highlighting their impact on “the public.” This new development thus likely signifies the CAC’s goal to prioritize the protection of wider societal interests over individual ones such as privacy or intellectual property which could be protected under previous regulations.
However, the Draft Measures leave “the public (公众)” undefined. This gives rise to ambiguity as to the scope of application for the Draft Measures. For example, would a service licensed exclusively to a Chinese private entity for in-house use fall in the scope? How about a service accessible only to certain public institutes but not to the unaffiliated, or one customized for individual clients who each receive a unique product derived from a common foundation model, or simply an open-source model that is ready to download and install?
Extraterritorial application
The new approach also suggests a more extensive extraterritorial reach. Regardless of where the service is provided, as long as the public within the PRC territory has access to it, the Draft Measures apply. To avoid being subject to Chinese law, OpenAI, for example, has reportedly begun blocking users based in mainland China. This development could further restrict Chinese users’ access to overseas generative AI services, especially since even before the Draft Measures were released, most Chinese users’ access to such services was already geo-blocked – either by the service providers themselves (e.g., by requiring a foreign telephone number for registration), or by the Chinese government through enforcement measures. At the same time, the scale of China’s user market and its involvement in AI development render it a “vital” jurisdiction in terms of AI regulation. OpenAI CEO has recently called for collaboration with China to counter AI risks, a trend we might see more in the future.
2. The Draft Measures adopt a compliance approach based on the lifecycle of generative AI systems
The Draft Measures are targeted at “providers” of generative AI-based services
The Draft Measures take the approach of regulating generative AI-based service providers. As per Article 5, “providers (提供者)” are those “using generative AI to offer services such as chat, text, image, audio generation; including providing programmable interface and other means which support others to themselves generate text, images, audio, etc.” The obligations are as follows:
Model Training
Pretraining and optimization:3 Providers must ensure the legality of the sources of data used for pretraining and optimization of generative AI products (Article 7). Existing laws and regulations, such as the Intellectual Property Law and the Personal Information Protection Law (PIPL), are thus extended to cover this new field.
Human annotation (if any): Providers must establish necessary annotation rules, provide training for annotation personnel, and conduct spot checks to verify the validity of annotation content (Article 8).
Pre-Launch
Security assessment and filing: Providers must submit a security assessment to the CAC and register the algorithms they use (Article 6). The CAC has been developing similar filing systems for recommendation algorithms and is likely to draw upon established practices for generative AI.
Disclosure requirement: Providers shall provide essential information that may impact user trust or decision-making, including descriptions of pre-training and optimization training data, human annotation, as well as foundational algorithms and technological systems (Article 17).
Service Delivery
Traceability: Providers must label generated images, videos, and other content in accordance with regulations on deep synthesis (Article 16).
User guidance: Providers shall guide users to scientifically understand generative AI services and to use generated content rationally and legally (Article 18).
User accountability: Providers shall take necessary measures against users who misuse generative AI products in ways that violate laws, regulations, ethics, or social norms (Article 19). They also need to require users to provide real identity information in accordance with the Cybersecurity Law (Article 9).
Report mechanism: Providers shall establish a mechanism for receiving and handling user complaints (Article 13). Users also have the right to report directly to the authorities if they discover noncompliant generated content (Article 18).
Post-Launch
Non-compliant content: Providers must take down noncompliant content using methods like filtering and must prevent repeated generation through techniques such as optimization training within three months (Article 15).
Content producer: Providers bear responsibility as the producer of the content generated by the product (Article 5).
Incentivizing providers to allocate risk upstream to developers
By imposing lifecycle compliance obligations on the end-providers, the Draft Measures create incentives for end-providers to allocate risks to upstream developers through mechanisms like contracts. Whether the parties can distribute their rights and obligations fairly and efficiently depends on various factors, such as the resources available to them and the presence of asymmetric information among them. To better direct this “private ordering” with significant social implications, the EU has planned to create non-binding standard contractual clauses based on each party’s level of control in the AI value chain. The CAC’s stance in this new and fast-moving area remains to be seen.
The Draft Measures pose potential challenges for deploying open-source generative AI systems
Open-source models raise a related but distinct issue. Open-source communities are currently developing highly capable large language models (“LLMs”), and businesses have compelling commercial incentives to adopt them, as training a model from scratch is relatively hard. However, many open-source models are released without a full disclosure of their training datasets, due to reasons such as the extensive effort required for data cleaning and privacy issues, especially when user data is involved. Adding to this complexity is the fact that open-source LLMs are not typically trained in isolation. Rather, they form a modification chain where the models build on top of each other with modifications made by different contributors. Consequently, for those using open-source models, several obligations in the Draft Measures become difficult or even impossible to fulfill, including pre-launch assessment, post-launch retraining, and information disclosure.
3. The Draft Measures target the “hallucination” of generative AI systems
The Draft Measures describe generative AI as “technologies generating text, image, audio, video, code, or other such content based on algorithms, models, or rules.” In contrast to the EU’s new compromise text on rules for generative AI, which adopts a technical definition of “foundation models,” the Draft Measures focus on the technology’s function, regardless of their underlying mechanisms. Moreover, according to Article 6 of the Draft Measures, generative AI-based services automatically fall under the scope of Regulations for the Security Assessment of Internet Information Services Having Public Opinion Properties or Social Mobilization Capacity, which mandate security assessment. A group of seven Chinese scholars have proposed removing this provision and applying security assessment only to those that actually possess these properties.
The Draft Measures contain provisions targeted at ensuring accuracy throughout the developmental lifecycle of generative AI systems. These echo the CAC’s primary concern that the technology could be misused to generate and disseminate misinformation. Article 7(4) of the Draft Measures stipulates that providers must guarantee the “veracity, accuracy, objectivity, and diversity” of the training data. Article 4(4) of the Draft Measures requires that all content generated be “true and accurate,” and that providers of generative AI-based products and services must adopt measures in place to “prevent the generation of false information.” Such providers are responsible for filtering out any non-compliant material and preventing its regeneration within three months (Article 15). However, industry representatives and legal practitioners in China have raised concerns about the baseline and technical feasibility of ensuring data authenticity, given the use of open internet information and synthetic data in the development of generative AI.
4. Looking Ahead
The CAC is expected to refine the Draft Measures after gathering public feedback. The final version and subsequent promulgation may be influenced by a broader set of contextual factors. We believe the following aspects also warrant consideration:
Risk-specific digital regulation framework The Draft Measures cannot be fully understood on its own and by its text. It takes its shape from existing laws and regulations with risk-specific concerns in the context of mainland China. As mentioned, the CAC has already targeted recommendation algorithms and deep synthesis, which too owe their existence to high-profile societal events involving algorithmic abuses, adolescent Internet addiction, as well as deepfake-related fraud, fake news, and data misuse that sparked widespread consternation. The Draft Measures also rest on upper-level Cybersecurity Law, Data Security Law, PIPL and the measures that directly implement them.
Dynamic interplay of political, economic, and social factors The implementation and enforcement of the Draft Measures will be deeply influenced by strategies, plans, and policies in a broader context. Most are dedicated to promoting the AI industry. Even though China has an 18-month crackdown on its Big Tech, we shouldn’t forget that these very same “national champions” were encouraged to grow and flourish in the first place. A supportive and nurturing regulatory environment was provided domestically to boost their global competitiveness. Besides, it might be more accurate to view the crackdown as resteering, rather than barring, China’s technology sector growth. It redirects the industry towards a path that the country’s policy makers view as healthier, more sustainable – emphasizing independent and secure supply chains, fostering startups, and encouraging significant breakthroughs in areas such as foundational AI frameworks and models.
Multifaceted interaction between different jurisdictions The regulation of generative AI is a global issue, with many shared concerns and demands across various countries. China interacts with other major jurisdictions, and China’s policy discussions on AI regulation often draw comparisons with regulations in jurisdictions like the EU and the US. However, the degree to which learning occurs remains unclear, as China’s approach is also molded by contextual elements and considerations, as well as the dual forces of competition and coordination between nations. For these reasons, relationships among AI regulations in different jurisdictions defy simplistic categorization.
1Chinese major players in the AI industry are forming interest groups to channel their influence on policy makers. For example, China’s industry standards for generative AI were drafted by over 40 entities including tech companies such as Baidu, SenseTime, Xiaomi, NetEase. SenseTime also launched an open platform for AI safety governance to shape practices around AI regulatory issues such as cybersecurity, traceability, IP protection.
2A widely circulated translation of Article 2 states: “These Measures apply to the research, development, and use of products with generative AI functions, and to the provision of services to the public within the territory of the People’s Republic of China.” However, we believe this is misleading. A more accurate read of the original Chinese text and its context suggest that “the provision of services to the public” is a cumulative requirement rather than a separate one.
3The Draft Measures seem to exhibit technical sophistication in their terminology. In Articles 7 and 17, the data compliance obligation is split into two phases – pre-training and optimization. However, the choice of terminology is peculiar, as the prevailing terms in machine learning are pre-training and fine-tuning. Optimization is typically employed to describe a stage within the training process, often used in conjunction with forward and backward propagation.
(Health) Data is What (Health) Data Does in Nevada
On June 16, 2023, Nevada Senate Bill 370 (SB 370) was signed into law by Governor Lombardo, making Nevada the second state, after Washington, to pass broad-based consumer health data privacy legislation this session. The act will take effect on March 31, 2024.
The Washington ‘My Health, My Data’ Act (MHMD), which was enacted on April 27, 2023, established a first-of-its-kind, comprehensive framework within U.S. law for the protection of consumer health data and health-related inferences. To help stakeholders assess how SB 370 fits into the expanding U.S. state health privacy landscape, the Future of Privacy Forum has released a chart comparing SB 370 to MHMD.
SB 370 and MHMD adopt similar, but not identical, frameworks for protecting personal health data. Both laws restrict the disclosure of personal health data to third parties and limit the use of geofencing to collect information from or target content to people entering health care facilities. SB 370, however, establishes a use-based definition of “consumer health data,” applies to a narrower scope of covered entities, contains greater flexibility for businesses in responding to access and deletion requests, and provides sole enforcement through the state Attorney General.
Key differences include the following:
1. SB 370 applies to a narrower, use-based range of “consumer health data.” Rather than governing all consumer personal data that could potentially identify health status, SB 370 applies to information that a regulated entity “uses to identify the past, present or future health status of the consumer.” Furthermore, SB 370 excludes certain personal information concerning consumer shopping habits and interests.
2. As compared to MHMD, SB 370 covers fewer organizations, excluding Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA)-covered entities, among others, from coverage. By contrast, MHMD excludes data that is subject to HIPAA and GLBA, but not HIPAA and GLBA-regulated entities in their entirety. Both laws apply to entities that “conduct business” in the state in which they were enacted or provide products or services targeted to state consumers and, solely or with others, “determine the purpose and means of processing, sharing, or selling consumer health data.”
3. SB 370 grants individuals a more limited “right to access” than MHMD. The law allows consumers to request access to a list of the third parties with whom a regulated entity has shared their consumer health data, but, unlike MHMD, does not grant individuals the right to access a copy of their health data held by the regulated entity.
4. Under SB 370, regulated entities have greater flexibility in responding to deletion requests. Entities are granted up to two years to comply with deletion requests for consumer health data contained within archival or backup systems, as opposed to the six months provided for under MHMD.
5. While MHMD contains a provision for enforcement through a private right of action, SB 370 is enforceable solely by the state Attorney General.
FPF Releases Report on Verifiable Parental Consent
Today, FPF released a new report on the effectiveness of a key federal children’s privacy requirement known as verifiable parental consent (VPC). The Children’s Online Privacy and Protection Act (COPPA) requires operators of child-directed services to provide parents with detailed, direct notice and obtain parents’ affirmative express consent – verifiable parental consent – before collecting personal information from kids. While companies are not required to use one of the Federal Trade Commission’s seven approved methods for obtaining VPC, most elect to do so.
FPF’s report, The State of Play: Is Verifiable Parental Consent Fit for Purpose?, and an accompanying infographic detail the mechanics of how VPC works; implementation challenges from both the parent and industry perspectives; and potential solutions, including alternative VPC methods and new regulatory approaches.
“Some of the same technology used to establish VPC is also the foundation for the age estimation technology required by new laws in California, Utah, and the United Kingdom,” said Jim Siegl, senior technologist with FPF’s Youth & Education Privacy team. “Utah’s law ups the stakes further by expanding age verification requirements to older and broader audiences. Understanding the challenges and opportunities posed by VPC has never been more important, as the FTC’s recent order against Edmodo makes abundantly clear. We hope this paper will inform the ongoing conversation about the privacy risks of estimating the ages of internet users and the trade-offs between the accuracy and invasiveness of VPC and age estimation technologies.”
FPF’s new report builds on a previous discussion draft and feedback from stakeholders. Based on public comments about COPPA and additional insights from parents, advocates, industry representatives, and academics, the report details unique challenges with the current VPC mechanisms and approaches, as well as potential solutions.
The identified concerns with VPC include efficacy (many VPC methods are easily circumvented by children), accessibility (not everyone has a government-issued ID or a credit card), privacy/security (concerns over sharing sensitive personal information like a credit card number or photo ID), and convenience (inconveniences in the process cause users to drop off, frustrating parents and online providers). The report also considers other potential avenues to obtaining VPC and age assurance, such as the use of mobile phone SMS or text messaging, the device’s operating system, the point of purchase or setup of a device by a parent, artificial intelligence, and profiling, as well as the associated privacy, security and accuracy tradeoffs.
“The online experience for kids has evolved tremendously in the last few years, and it is clear we need regulations and legislation that can keep up with the ever-changing digital environment and legal landscape,” said Alexa Mooney, policy counsel with FPF’s Youth & Education Privacy team. “While there is no single solution that will get us to that point, the recommendations and ideas outlined in this report provide a great place to start, and we hope will help advance this important conversation.”
FIRST JAPAN PRIVACY SYMPOSIUM CONVENING G7 REGULATORS FOCUSES ON GLOBAL TRENDS AND ENFORCEMENT PRIORITIES
The Future of Privacy Forum (FPF), a global non-profit focused on data protection and privacy, and S&K Brussels LPC will jointly present the first edition of the Japan Privacy Symposium on June 22, 2023. The event will convene in Tokyo, bringing together leaders in the Japanese privacy community with data protection and privacy regulators from across the globe.
The event coincides with the G7 Data Protection Authorities and Privacy Commissioners’ Summit, and the Symposium will convene leaders in the Japanese privacy community with data protection and privacy regulators from across the globe to discuss key issues on AI governance and data protection law, the future of adtech, global cooperation and enforcement trends. The line-up of speakers includes: Ms. Rebecca Kelly Slaughter (Commissioner, U.S. Federal Trade Commission), Dr. Wojciech Wiewiórowski (European Data Protection Supervisor), Mr. Philippe Dufresne (Federal Privacy Commissioner, Canada), Ms. Ginevra Cerrina Feroni (Vice President of the Garante, Italy), Mr. John Edwards (Information Commissioner, UK), with a keynote address from Mr. Shuhei Ohshima (Commissioner, Japan’s Personal Information Protection Commission).
“We’re excited to co-host this valuable event that will bring together data protection and privacy regulators from around the world alongside the Japanese privacy community,” Gabriela Zanfir-Fortuna, FPF’s Vice President for Global Privacy, said. “Data protection and privacy regulators from the G7 economies are meeting in Tokyo to strategize about coordinated approaches to tackle the challenges raised by the advancement of new technologies fueled by data and their impact on society, people, and economy. This Symposium offers a forum for the regulators and the Japanese data protection and privacy community members to exchange ideas, share an overview of the state of play in global regulation and strategize for the future.”
Takeshige Sugimoto, Managing Director and Partner at S&K Brussels LPC, FPF’s Senior Fellow for Global Privacy, and Co-Founder and Board Member of Japan DPO Association, added: “S&K Brussels is delighted to co-host the inaugural Japanese privacy symposium to bring together esteemed privacy and data protection leaders from G7 countries. Opportunities for collaboration in the global data protection and privacy community are vital, and we hope that the Japan Privacy Symposium will set the stage for important participation and dialogue for years to come.”
FPF is focused on the expansion of its international reach in Asia, with its August 2021 Asia Pacific office opening in Singapore and the announcement of a new FPF APAC Managing Director, Josh Lee Kok Thong, last July.
For more information about the event, the agenda, and speakers, visit the FPF site.
###
About Future of Privacy Forum (FPF)
The Future of Privacy Forum (FPF) is a global non-profit organization that brings together academics, civil society, government officials, and industry to evaluate the societal, policy, and legal implications of data use, identify the risks and develop appropriate protections.
FPF believes technology and data can benefit society and improve lives if the right laws, policies, and rules are in place. FPF has offices in Washington D.C., Brussels, Singapore, and Tel Aviv. Follow FPF on Twitter and LinkedIn.
About S&K Brussels LPC
S&K Brussels LPC is a Japanese law firm composed of lawyers and foreign lawyers whose main practice area is data protection and privacy laws in five jurisdictions i.e., EU, UK, US, China and Japan, which opened in Brussels, Belgium in 2019. We focus on Future Proof efforts to read the shape of future regulations, including AI regulations and other data-related regulations as regulations closely related to data protection legislation.
Future of Privacy Forum(FPF)は、学術関係者、市民社会、政府関係者、産業界が集まり、データ活用の社会的、政策的、法的な意味を評価し、リスクを特定し、適切な保護を開発するための世界的な非営利団体です。FPFは、適切な法律、政策および規則が整備されれば、技術とデータは社会に利益をもたらし生活を向上させることができると考えています。FPFはワシントンD.C.、ブリュッセル、シンガポールおよびテルアビブにオフィスを構えています。TwitterとLinkedInでFPFをフォローしてください。
Future of Privacy Forum Recognizes Two Privacy and Technology Leaders with Career Awards
The Future of Privacy Forum (FPF) — presented Maneesha Mithal, a long-time leader in privacy and consumer protection at the Federal Trade Commission, the Distinguished Public Service Award, and Jane Horvath, Apple’s former Chief Privacy Officer and a privacy and technology trailblazer of more than two decades, the Career Achievement Award. The awards were presented at the FPF Advisory Board Meeting on June 13, an annual gathering of senior privacy leaders at companies, academia, civil society, and government.
The Distinguished Public Service Award acknowledges an individual whose public service career efforts are notable for advancing protection as a government regulator. FPF awards the Career Achievement Award to private sector leaders who have made major contributions to advancing the values of data protection.
Jane Horvath and Maneesha Mithal have been trailblazers. Their achievements have directly benefited millions of people in the U.S. and globally by elevating standards for data protection.
Christopher Wolf, FPF Founder and Board President
Horvath recently stepped down as Chief Privacy Officer at Apple, where she led the company’s regulatory, policy, and product strategy on all privacy and cybersecurity-related legal matters. Horvath is currently a partner at Gibson, Dunn & Crutcher and is the co-chair for the firm’s Privacy, Cybersecurity, and Data Innovation Practice Group. She is also a member of their Administrative Law and Regulatory, Artificial Intelligence, Crisis Management, Litigation, Media and Entertainment, and Technology Practice Groups. Horvath has also previously served as Google’s Global Privacy Counsel and the Department of Justice (DOJ)’s first Chief Privacy Counsel and Civil Liberties Officer.
Mithal is a privacy and cybersecurity partner at Wilson Sonsini Goodrich & Rosati. She is an internationally recognized expert on privacy and data security, having led the Federal Trade Commission (FTC)’s Division of Privacy and Identity Protection prior to joining her current firm. Mithal also previously served as Chief of Staff and Senior Counsel in the Bureau of Consumer Protection (BCP). In her time as a public servant, Mithal oversaw teams that were responsible for the enforcement of privacy and security laws and the development of policy positions.
Jane Horvath and Maneesha Mithal have inspired me and so many others working in data protection. Each has had a tremendous impact in shaping for the better how our data is managed by companies, and each has shown that courageous individuals can drive real data protection progress.
Jules Polonetsky, FPF CEO
Previous award winners have included former FTC official Jessica Rich, Georgia Tech Professor Peter Swire, Irish Data Protection Commissioner Helen Dixon, former Procter & Gamble executive Sandra Hughes, and former Dell and Kodak privacy leader Dale Skivington.
FPF at CPDP 2023: Covering Hot Topics, from Data Protection by Design and by Default, to International Data Transfers and Machine Learning
At this year’s annual Computers, Privacy and Data Protection (CPDP) conference in Brussels, several Future of Privacy Forum (FPF) staff took part in different panels, organized by FPF, as well as academic, industry, and civil society groups. This blogpost provides a brief overview of these exciting events, and CPDP will publish recordings of them shortly.
May 24: EU Commission and ASEAN launch Joint Guide to Model Clauses for Data Transfers
On the conference’s first day, FPF Vice President for Global Privacy Gabriela Zanfir-Fortuna joined a panel organized by Haifa Center for Law and Technology (Faculty of Law, University of Haifa) on the GDPR’s effectiveness, alongside Tal Zarsky, Dean and Professor of Law at the University of Haifa’s Faculty of Law, Raphael Gellert, assistant professor in ICT and private law at Radboud University, Sam Jungyun Choi, associate in the technology regulatory group of Covington & Burling LLP, and Amit Ashkenazi, research student and adjunct lecturer on cyber law and policy at the University of Haifa. The panel contributed to current reflections on the effectiveness of the GDPR, five years after its enactment, by focusing on challenges arising from the regulatory design it sets forth. Gabriela noted that data protection law is much broader than the GDPR because it has a fundamental element behind it, meaning that the right to the protection of personal data is protected as a fundamental right at a constitutional level in the EU. She also stressed that ongoing adoption of the GDPR has catalyzed more societal interest in law, technology, and data protection rights and concepts.
Photo: CPDP Panel on Exploring the Many Faces of the GDPR – in Search of Effective Data Protection Regulation, 5/24/2023
Later that day, Gabriela moderated a panel organized by the EU Commission, which served as a platform to launch a “Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses.” The Guide identifies commonalities between the two sets of model clauses and aims to “assist companies present in both jurisdictions with their compliance efforts under both sets of clauses.” The panel was joined by Denise Wong, Deputy Commissioner-designate, Personal Data Protection Commission Singapore, and Assistant Chief Executive-Designate of the Infocomm Media Development Authority, Alisa Vekeman, European Commission, International Affairs and Data Flow team, and Philipp Raether, Group Chief Privacy Officer, Allianz. The panelists noted that model clauses are the most used mechanisms for international data transfers and that efforts like the Joint Guide are a promising solution for a global regime underpinning flows of personal data across different jurisdictions, while providing safeguards for individuals and their data. Officials in the panel noted that the Guide is just the first step in this EU-ASEAN collaboration on model clauses, noting that a set of best practices from companies who use both is to be expected in the near future.
To wrap up the first day of the conference, FPF’s Policy Councel for Global Privacy, Katerina Demetzou, joined a panel on the constitutionalization of data rights in the Global South, along with Mariana Marques Rielli, Institutional Development Coordinator at Data Privacy Brazil, Laura Schertel Mendes, law Professor at the University of Brasilia (UnB) and at the Brazilian Institute for Development, Education and Research (IDP) and Senior Visiting Researcher at the Goethe-Universität Frankfurt am Main with the Capes/Alexander von Humboldt Fellowship, and Risper Onyango, advocate of the High Court of Kenya, currently serving as a Digital Policy Lead under the Digital Economy Department at the Lawyers Hub. In her intervention, Katerina explored how the GDPR has been applied by Data Protection Authorities in Europe to emotion recognition AI systems and to Generative AI. Her examples emphasized that discussions about AI governance and AI regulation should examine existing data protection law applications to these systems and develop in response to gaps in these legal systems.
Photo: Panel on From Theory to Practice: Digital Constitutionalism and Data Justice in Movement in the Global South, 5/24/2023
May 25: High Level Discussion Spurred by FPF’s Data Protection by Design and by Default Case-Law Report
On May 17, FPF launched a comprehensive Report on the enforcement of the EU’s GDPR Data Protection by Design and by Default (DPbD&bD) obligations, which are outlined in GDPR Article 25. The Report is informed by extensive research covering more than 92 decisions from Data Protection Authorities (DPAs) and national Courts, and it offers specific Guidance and other policy documents issued by regulators.
On May 25, FPF organized a panel moderated by the Report’s co-author Christina Michelakaki, FPF Policy Fellow for Global Privacy, on the enforcement of Article 25 GDPR and the uptake of Privacy Enhancing Technologies (PETs). Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, Jaap-Henk Hoepman, Professor, Radboud University Nijmegen/University of Groningen, Cameron Russell, Primary Privacy Advisor on Global Payments Matters at eBay, and Stefano Leucci, Legal and Technology expert at the European Data Protection Supervisor joined the panel. The speakers offered their perspectives on the Article 25 GDPR enforcement, delving into topics such as the interrelation between dark patterns and by default settings, the role of Article 25 GDPR in preventing harms from AI systems, and the maturity of PETs.
Photos: CPDP workshop on State-of-Play of Privacy Preserving Machine Learning (PPML), and CPDP Panel on the Enforcement of Data Protection by Design & Default: Consequences for the Uptake of Privacy-Enhancing Technologies, 5/25/2023
Photo: CPDP Panel on the Enforcement of Data Protection by Design & Default: Consequences for the Uptake of Privacy-Enhancing Technologies, 5/25/2023
FPF’s Managing Director for Europe, Rob van Eijk, organized and facilitated a workshop exploring how to clear the path towards alternative solutions for processing of (personal) data with Machine Learning. Four data scientists, Lindsay Carignan (Holistic AI), Nigel Kingsman (Holistic AI), Victor Ruehle (Microsoft Research), and Reza Shokri (National University of Singapore) joined the workshop. The group introduced an easy to understand privacy auditing framework that quantitatively measures privacy risks in ML systems, while also exploring the relationship between bias and regulations in legislation such as the EU AI Act. You can watch the recording of the workshop here.
The same day, Rob also joined a panel on PETs, consumer protection, and the online ads ecosystem with Marek Steffen Jansen, Privacy Policy Lead – EMEA/Global at Google, Anthony Chavez, VP of Product Management of Google, Marie-Paule Benassi, lawyer, economist, data scientist, and Head of Enforcement of Consumer Law and Redress at the European Commission, Stefan Hanloser, VP Data Protection Law at ProSiebenSat.1 Media SE, and Christian Reimsbach-Kounatze, Information Economist and Policy Analyst at the OECD Directorate for Science, Technology and Innovation. You can watch the recording of the panel here.
May 26: Reflections on automation, compliance and data protection law
Finally, Gabriela participated in a day-long “philosopher’s seminar” on compliance and automation in data protection law organized by CPDP, ALTEP-DP, COHUBICOL under the leadership of Prof. Mireille Hildebrandt, which will flow into a series of published research papers later on in 2023.
While celebrating the five years anniversary of the GDPR becoming applicable, at a pivotal moment of growth and change for emerging technologies, CPDP 2023 in Brussels gave the FPF team an extraordinary opportunity to engage with and facilitate collaborative dialogues with leading academics, technologists, policy experts, and regulators.
