Data Sharing for Research: A Compendium of Case Studies, Analysis, and Recommendations
Today, the Future of Privacy Forum (FPF) published a report on corporate-academic partnerships that provides practical recommendations for companies and researchers who want to share data for research. The Report, Data Sharing for Research: A Compendium of Case Studies, Analysis, and Recommendations, demonstrates how, for many organizations, data-sharing partnerships are transitioning from being considered an experimental business activity to an expected business competency.
Corporate data-sharing partnerships offer compelling benefits to companies, researchers, and society to drive progress in a broad array of fields. However, organizations have long faced complex commercial, legal, ethical, and reputational risks that accompany the activity and act as disincentives to sharing data for academic research.
This report contains eight case studies that look at specific corporate/academic data-sharing partnerships in depth, from initiation through the publication of research findings. These case studies illuminate practical challenges for implementing corporate data sharing with researchers. Some common themes that emerged from the case studies include:
Successful data-sharing partnerships use Data-Sharing Agreements that require both the company and researchers to take steps to protect privacy.
Some of the challenges of data sharing include technical knowledge and infrastructure gaps between companies and researchers, and the continuing need for ethics and privacy review for industry-based research.
Promising practices for data sharing include the use of Privacy Enhancing Technologies and company-created, public-facing data-sharing menus to facilitate new partnerships.
While data sharing has significant costs and inherent risks, the risks can be managed, and the benefits to researchers, companies, and society make data sharing worth the effort.
This report builds upon prior FPF research, including the publication of The Playbook: Data Sharing for Research and the companion infographic in 2022. The case studies examine how data sharing works in a practical environment. By analyzing the case studies as a group, we arrived at recommendations for all parties interested in pursuing an ethical data-sharing partnership that protects against privacy risks.
For companies considering data sharing for research, we recommend the following:
Create a public webpage listing all data the company is willing to share, describe any requirements for potential data-sharing partnerships, and create a public form for researchers to ask questions.
Bolster privacy by using Privacy Enhancing Technologies (PETs), reduce data sensitivity through data minimization and aggregation, and include metadata as part of internal privacy reviews before sharing.
Promote rigorous data governance by assigning multiple people with expertise to manage data sharing, connect core team members to the data-sharing team, and adapt Data Sharing Agreements to align with the company’s available budgetary and personnel support.
Ensure researchers maintain authorial control over research methods, data analysis, interpretation, and publishing/communication venue. Where appropriate, companies may reserve the right to review data before publication to assess privacy risks and consult on the analytical limitations of the data.
For researchers interested in using data held by a company for research, we recommend the following:
Proactively contact companies that may hold data of interest and maintain continuous communication, especially about publication expectations.
Cultivate internal partnerships by involving the university general counsel early on and checking to see if the university has a standard Data Sharing Agreement. Contact the university’s Research Integrity Office and Information Technology Office before any data is shared, and consult the library for research support.
Receive training on how to integrate Privacy Enhancing Technologies in research and include privacy-related technical infrastructure in all funding proposals.
Coordinate with the company about any requirements for publishing, data sharing, data retention, and citation while maintaining academic independence.
You can access each of our individual case studies at these links:
Download accessible versions of these documents here.
FPF offers the Ethics and Data in Research Working Group, which analyzes US legislation impacting research and data, discusses ethical and technological research challenges, and develops best practices for privacy protection, risk reduction, and data sharing in research. Learn more and join the Working Group here.
For inquiries about this report, please contact Shea Swauger, Senior Researcher for Data Sharing and Ethics, at [email protected].
This project is supported by the Alfred P. Sloan Foundation, a not-for-profit grantmaking institution whose mission is to enhance the welfare of all through the advancement of scientific knowledge.
The Digital Personal Data Protection Act of India, Explained
Authors: Raktima Roy, Gabriela Zanfir-Fortuna
Raktima Roy is a Privacy Attorney with several years of experience in India and holds an LLM in Law and Technology from Georgetown University; she is also an FPF Global Privacy Intern.
The Digital Personal Data Protection Act of India (DPDP) sprinted through its final stages last week after several years of debates, postponements and negotiations, culminating with its publication in the Official Gazette on Friday, August 11, 2023. In just over a week, the Bill passed the lower and upper Houses of the Parliament and received Presidential assent. India, the most populous country in the world with more than 1.4 billion people, is the largest democracy and the 19th country among the G20 members to pass a comprehensive personal data protection law – which it did during its tenure holding the G20 Presidency.
The adoption of the DPDP Bill in the Parliament comes 6 years after Justice K.S. Puttaswamy v Union of India, a landmark case in which the Supreme Court of India recognized a fundamental right to privacy in India, including informational privacy, within the “right to life” provision of India’s Constitution. In this judgment, a nine-judge bench of the Supreme Court urged the Indian Government to put in place “a carefully structured regime” for the protection of personal data. As part of India’s ongoing efforts to create this regime, there have been several rounds of expert consultations and reports, and two previous versions of the bill were introduced in the Parliament in 2019 and 2022. A brief history of the law is available here.
The law as enacted is transformational. It has a broad scope of application, borrowing from the EU’s General Data Protection Regulation (GDPR) approach when defining “personal data” and extending coverage to all entities who process personal data regardless of size or private status. The law also has significant extraterritorial application. The DPDP creates far-reaching obligations: it imposes narrowly defined lawful grounds for processing any personal data in a digital format, establishes purpose limitation obligations and their corollary – a duty to erase the data once the purpose is met, with seemingly no room left for secondary uses of personal data – and creates a set of rights for individuals whose personal data are collected and used, including rights to notice, access and erasure. The law also creates a supervisory authority, the Data Protection Board of India (Board), which has the power to investigate complaints and issue fines, but does not have the power to issue guidance or regulations.
At the same time, the law provides significant exceptions for the central government and other government bodies, the degree of exemption depending on their function (such as law enforcement). Other exemptions include those for most publicly available personal data, processing for research and statistical purposes, and processing the personal data of foreigners by companies in India pursuant to a contract with a foreign company (such as outsourcing companies). Some processing by startups may also be exempt, if notified by the government. The Act also empowers the central government to act upon a notification by the Board and request access to any information from an entity processing personal data, an intermediary (as defined by the Information Technology Act, 2000 – the “IT Act”) or from the Board, as well as to order suspension of access of the public to specific information. The Central Government is also empowered to adopt a multitude of “rules” (similar to regulations under US state privacy laws) that detail the application of the law.
It is important to note that the law will not come into effect until the government provides notice of an effective date. The DPDP Act does not contain a mandated transitional period akin to the two-year gap between the 2016 enactment of the GDPR and its entry into force in May 2018. Rather, it empowers the Government to determine the dates on which different sections of the Act will come into force, including the sections governing the formation of the new Board that will oversee compliance with the law.
This blog will lay out the most important aspects of the DPDP Act, understanding nonetheless that many of its key provisions will be shaped up through subsequent rules issued by the central government, and through practice.
The DPDP Act Applies to “Data Fiduciaries,” “Significant Data Fiduciaries,” and provides rights for “Data Principals”
The DPDP Act seeks to establish a comprehensive national framework for processing personal data, replacing a much more limited data protection framework under the IT Act and rules that currently provide basic protections to limited categories of “sensitive” personal data such as sexual orientation, health data, etc. The new law by contrast covers all “personal data” (defined as “any data about an individual who is identifiable by or in relation to such data”) and does not contain heightened protection for any special category of data. The definition of “personal data,” thus, relies on the broad “identifiability” criterion, similar to the GDPR. Only “digital” personal data, or personal data collected through non-digital means that have been digitized subsequently, are covered by the law.
The DPDP Act uses the term “data principal” to refer to the individual that the personal data relates to (the equivalent of “data subject” under the GDPR). A “data fiduciary” is the entity that determines the purposes and means of processing of personal data, alone or in conjunction with others, and is the equivalent to a “data controller” under GDPR. While the definition of data fiduciaries includes a reference to potential joint fiduciaries, the Act does not provide any other details about this relationship.
The definition of fiduciaries does not distinguish between private and public, natural and legal persons, technically extending to any person as long as the other conditions of the law are met.
Specific Fiduciaries, Public or Private, Are Exempted or May Be Exempted from the Core Obligations of the Act
The law includes some broad exceptions for government entities in general, and others apply to specific processing purposes. For instance, the law allows the government to exempt activities that are in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to commit crimes if it provides notice of the exemptions. Justice Srikrishna, who as the head of an expert committee set up to recommend a data protection law in India led the creation of the 2017 first draft of the law, has been critical of these government exemptions, as have been several Members of Parliament during the legislative debate.
Some targeted exceptions also apply to companies, and are either well defined in the law or left to the government for specification. Under what can be called an “outsourcing exception,” the Act exempts companies based in India who process the personal data of people outside of India pursuant to a contract with a company based outside of India from core DPDP obligations including the rights of access and erasure normally held by data principals. Instead, such companies are largely required to only comply with data security obligations.
In addition, the government is empowered to exempt any category of data fiduciaries from some or all of the law, with the DPDP itself referring to “startups” in this context. These are fairly broad provisions and do not include any guidance on how they will apply or who could benefit from them. The government will need to make a specific designation for this exception to operate.
Significant Data Fiduciaries Have Significant New Obligations, such as DPOs, DPIAs and Audits
The DPDP Act empowers the Government to designate any data fiduciary or class of data fiduciaries as a “Significant Data Fiduciary” (SDF), which is done using a series of criteria that lack quantifiable thresholds. These factors range from assessing characteristics of the processing operations (volume and sensitivity of personal data processed and the risk posed to the rights of data principals), to broader societal and even national sovereignty concerns (potential impact of the processing on the sovereignty and integrity of India; risk to electoral democracy; security of the state; and public order).
The designation of companies as SDFs is consequential, because it comes with enhanced obligations. Chief among them, SDFs will need to appoint a Data Protection Officer (DPO), who must be based in India and be the point of contact for a required grievance redressal mechanism. SDFs must also appoint an independent data auditor to carry out data audits and evaluate the SDF’s compliance with the DPDP Act, and to undertake periodic Data Protection Impact Assessments.
It is important to note that appointing a DPO is not an obligation for all data fiduciaries. However, all fiduciaries are under an obligation to establish a “readily available” mechanism for redressing grievances by data principals in a timely manner. In order for such a process to be operationalized, usually an internal privacy compliance function or a dedicated privacy officer would be helpful.
The DPDP Act Recognizes the Role of Data Processors
Data processors are recognized by the DPDP Act, which makes it clear that fiduciaries may engage, appoint or otherwise involve processors to process personal data on their behalf “only under a valid contract” (Section 8(2)). There are no prescribed rules for what a processing contract should entail. However, the DPDP Act places all obligations on data fiduciaries, which remain liable for complying with the law.
Data fiduciaries remain liable for overall compliance, regardless of any contractual arrangement to the contrary with data processors. The DPDP Act requires data fiduciaries to mandate that a processor delete data when a data principal withdraws consent, and requires that fiduciaries be able to share information about the processors they have engaged when requested by a data principal.
The DPDP Act Has Broad Extraterritorial Effect and Almost No Restrictions for International Data Transfers
The DPDP Act applies to the processing of “digital personal data” within India. Importantly, the definition of the “data principal” does not include any condition related to residence or citizenship, meaning that it is conceivable fiduciaries based in India who process the personal data of foreigners within the territory of the country may be covered by the Act (outside of the “outsourcing exception” mentioned above).
The Act also applies extraterritorially to processing of digital personal data outside India, if such processing is in connection with any activity related to offering of goods or services to data principals within India. The extraterritorial effect is similar in scope to the GDPR, and it may leave room for a broader interpretation through its inclusion of “any activity” connected to the offering of goods or services.
The DPDP Act does not currently restrict the transfer of personal data outside of India. It reverses the typical paradigm of international data transfer provisions in laws like the GDPR, by presuming that transfers may occur without restrictions, unless the Government specifically restricts transfers to certain countries (blacklisting) or enacts any other form of restriction (Section 16). No criteria for such restrictions have been mentioned in the law. This is a significant departure from previous instances of the Bill, which at one point contained data localization obligations (2018), and evolved at another point into “whitelisting” of countries (2022).
It should also be noted that other existing sectoral laws (e.g., those governing specific industries like banking and telecommunications) already contain restrictions on cross-border transfers of particular kinds of data. The DPDP Act clarifies that existing localization mandates will not be affected by the new law.
Consent Remains Primary Means for Lawful Processing of Personal Data Under the Act
Data fiduciaries are under an obligation to process personal data for a lawful purpose and only if they either obtain consent from the data principal for that purpose, or they identify a “legitimate use” consistent with Section 4. This process is conceptually similar to the approach proposed by the GDPR, requiring a lawful ground before personal data can be collected or otherwise processed. However, in contrast to the GDPR (which provides for six possible lawful grounds), the DPDP Act includes only two: strictly defined “consent” and “legitimate use.”
Which lawful ground is used for a processing operation is consequential. Based on the wording of the Act and in the absence of further specification, the obligations of fiduciaries to give notice and respond to access, correction and erasure requests (see Section 4 of this blog) are only applicable if the processing is based on consent and on voluntary sharing of personal data by the principal.
Valid Consent Has Strict Requirements, Is Withdrawable, And Can be Exercised Through Consent Managers
The DPDP Act requires that consent for processing of personal data be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” These conditions are similarly strict to those required under the GDPR, highlighting that the people whose personal data are processed must be free to give consent, and their consent must not be tied to other conditions.
In order to meet the “informed” criterion, the Act requires that notice be given to principals before or at the time that they are asked to give consent. The notice must include information about the personal data to be collected, the purpose for which it will be processed, the manner in which data principals may exercise their rights under the DPDP Act, and how to make a complaint to the Board. Data principals must be given the option to receive the information in English or a local language among the languages specified in the Constitution.
The DPDP Act addresses the issue of legacy data for which companies may have received consent prior to the enactment of the law. Fiduciaries should provide the same notice to these data principals as soon as “reasonably practicable.” In that case, however, the data processing may continue until the data principal withdraws consent.
Data fiduciaries may only process personal data for the specific purpose provided to the data principal and must obtain separate consent to process the data for a new purpose. In practice, this will make it difficult for data fiduciaries to rely on “bundled consent.” Provisions around “secondary uses” of personal data or “compatible purposes” are not addressed in the Act, making the purpose limitation requirements strict.
Data principals may also withdraw their consent at any time – and data fiduciaries must ensure that the process for withdrawing consent is as straightforward as that for giving consent. Once consent is withdrawn, personal data must be deleted unless a legal obligation to retain data applies. Additionally, data fiduciaries must ask any processors to cease processing any personal data for which consent has been withdrawn, in the absence of legal obligations imposing data retention.
The DPDP Act allows principals to give, manage, review and withdraw their consent through a “Consent Manager,” which will be registered with the Board and must provide an accessible, transparent, and interoperable platform. Consent Managers are part of India’s “Data Empowerment And Protection Architecture” policy, and similar structures have been already functional for some time, such as in the financial sector. Under the DPDP Act, Consent Managers will be accountable to data principals and act on their behalf as per prescribed rules. The Government will notify (in the Gazette) the conditions necessary for a company to register as a Consent Manager, which may include fulfilling minimum technical or financial criteria.
“Legitimate Uses” Are Narrowly Defined and Do Not Include Legitimate Interests or Contractual Necessity
As an alternative to consent, all other lawful grounds for processing personal data have been amalgamated under the “legitimate uses” section, including some grounds of processing that previously appeared under a “reasonable purposes” category in previous iterations of the bill. It is notable that the list of “legitimate uses” in Section 7 of the Act does not include provisions similar to the grounds of “contractual necessity” and “legitimate interests” found in GDPR-style data protection laws, leaving limited options to private fiduciaries for grounding processing of personal data outside of consent, including for routine or necessary processing operations.
Among the defined “legitimate uses”, the most relevant ones for processing personal data outside of a government, emergency or public health context, are the “voluntary sharing” of personal data under Section 7(a) and the “employment purposes” use under Section 7(i).
The lawful ground most likely to raise interpretation questions is “voluntary sharing.” It allows a fiduciary to process personal data for a specified purpose for which a principal has voluntarily provided their personal data to the data fiduciary (presumably, provided it without the fiduciary seeking to obtain consent), and for which the principal has not indicated to the fiduciary an objection to the use of the personal data. For instance, one of the illustrations included in the law to explain Section 7(a) is the hypothetical of a buyer requesting a receipt of purchase at a store be sent to her phone number, permitting the store to use the number for that purpose. There is a possibility that subsequent rules may expand this “legitimate use” to cover instances of “contractual necessity” or “legitimate interests.”
A fiduciary may also process personal data without consent for purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service to employees.
Data Principals Have a Limited Set of “Data Subject Rights,” But Also Obligations
The DPDP Act provides data principals a set of enumerated rights, which is limited compared to those offered under modern GDPR-style data protection laws. The DPDP guarantees a right of access and a right to erasure and correction, in addition to a right to receive notice before consent is sought (similar to the right to information in the GDPR). Thus, a right to data portability, a right to object to processing based on grounds other than consent, and the right not to be subject to solely automated decision-making are missing.
Instead, the DPDP Act provides for two other rights – a right to “grievance redressal,” which entails the right to have an easily accessible point of contact provided by the fiduciary to respond to complaints from the principal, and a right to “appoint a nominee,” which permits the data principal to nominate someone who can exercise rights on their behalf in the event of death or incapacity.
Notably, the rights of access, erasure and correction are limited to personal data processing based on consent or on the “voluntary disclosure” legitimate use, which means that whenever government bodies or other fiduciaries rely on any of the other “legitimate uses” grounds they will not need to reply to access or erasure/correction requests, unless further rules adopted by the government specify otherwise.
In addition, the right of access is quite limited in scope. It only gives data principals the right to request and obtain a summary of the personal data being processed and of the relevant processing activities (as opposed to obtaining a copy of the personal data), and the identities of all fiduciaries and processors with whom the personal data has been shared by the fiduciary, along with a summary of the data being shared. However, Section 11 of the law leaves space for subsequent rules that may specify additional information to be given access to.
Data principals have the right to request erasure of personal data pursuant to Section 12(3), but it is important to highlight that erasure may also be required automatically – after the withdrawal of consent or when the specified purpose is no longer being served (Section 8(7)(a)). Similarly, correction, completion and updating of personal data can be requested by the principal, but must also occur automatically when the personal data is “likely to be used to make a decision that affects” the principal (Section 8(3)).
Data Principals May Be Fined if They Do Not Comply With Their Obligations
Unlike the majority of international data protection laws, Section 15 of the DPDP Act imposes duties on data principals, similar to Article 10 of Vietnam’s recently adopted Personal Data Protection Decree (titled “Obligations of data subjects”).
These obligations include, among others, a duty not to impersonate someone else while providing personal data for a specified purpose, not suppress any material information while providing personal data for any document issued by the Government, and, significantly, not register a false or frivolous grievance or complaint. Noncompliance may result in a fine (see clause 5 of the Schedule). This may hamper the submission of complaints with the Board, per expert analysis.
Fiduciaries are Bound by a Principle of Accountability and Have Data Breach Notification Obligations
The DPDP Act does not articulate Principles of Processing, or Fair Information Practice Principles, but the content of several of its provisions put emphasis on purpose limitation (as explained in previous sections of the blog) and on the principle of accountability.
Section 8 of the Act includes multiple obligations for data fiduciaries, all under an umbrella expectation in paragraph 1 that they are “responsible for complying” with the provisions of the Act and any subsequent implementation rules, both regarding processing undertaken by the data fiduciary and by any processor on its behalf. This specification echoes the GDPR accountability principle. In addition, data fiduciaries are under an obligation to implement appropriate technical and organizational measures to ensure the effective implementation of the law.
Data security is of particular importance, considering that data fiduciaries must both take reasonable security safeguards to prevent personal data breaches, and notify the Board and each affected party if such breaches occur. The details related to modalities and timeline of notification will be specified in subsequent implementation rules.
A final obligation of data fiduciaries to highlight is the requirement they establish a “readily available” mechanism for redressing “grievances” by data principals in a timely manner. The “grievance redress” mechanism is of utmost importance, considering that data principals cannot address the Board with a complaint until they “exhaust the opportunity of redressing” the grievance through this mechanism (Section 13(3)). The Act leaves determination of the time period for responding to grievances to delegated legislation, and it is possible that there may be different time periods for different categories of companies.
Fiduciaries Have a Mandate to Verify Parental Consent for Processing Personal Data of Minors under 18
The DPDP Act creates significant obligations concerning the processing of children’s personal data, with “children” defined as minors under 18 years of age, without any distinguishing sub-category for older children or teenagers. As a matter of principle, data fiduciaries are forbidden to engage in any processing of children’s data that is “likely to cause any detrimental effect on the well-being of the child.”
Data fiduciaries are under an obligation to obtain verifiable parental consent before processing the personal data of any child. Similarly, consent must be obtained from a lawful guardian before processing the data of a person with disability. This obligation, which is increasingly common to privacy and data protection laws around the world, may create many challenges in practice. A good resource for untangling its complexity and applicability is FPF’s recently published report and accompanying infographic – “The State of Play: Is Verifiable Parental Consent Fit For Purpose?”
Finally, the Act also includes a prohibition on data fiduciaries engaging in tracking or behavioral monitoring of children, or targeted advertising directed at children. Similar to many other provisions of the Act, the government may issue exemptions from these obligations for specific classes of fiduciaries, or may even lower the age of digital consent for children when their personal data is processed by designated data fiduciaries.
The Act Creates a Data Protection Board to Enforce the Law, But Reserves Regulatory Powers For the Government
The DPDP Act empowers the Government to establish the Board as an independent agency that will be responsible for enforcing the new law. The Board will be led by a Chairperson and will have Members appointed by the Government for a renewable two-year mandate.
The Board is vested with the power to receive and investigate complaints from data principals, but only after the principal has exhausted the internal grievance redress mechanism set up by the relevant data fiduciaries. The Board can issue binding orders against those who breach the law, can direct urgent measures to remediate or mitigate a data breach, can impose financial penalties, and can direct parties to mediation.
While the Board is granted “the same powers as are vested in a civil court” – including summoning any person, receiving evidence, and inspecting any documents (Section 28(7)), the Act specifically excludes any access to civil courts in the application of its provisions (Section 39), creating a de facto limitation on effective judicial remedy similar to the relief provided in Article 82 GDPR. The Act grants any person affected by a decision of the Board the right to pursue an appeal in front of an Appellate Tribunal, which is designated the Telecom Disputes Settlement and Appellate Tribunal established under other Indian law.
Penalties for breaches of the law have been stipulated in a Schedule attached to the DPDP Act and range from the equivalent in rupees of USD $120 to USD $30.2 million. The Board can determine the penalty amount from a preset range based on the offense.
However, the Board does not have the power to pass regulations to further specify details related to the implementation of the Act. The Government is conferred broad discretion in adopting delegated legislation to further specify the provisions of the Act, including clarifying modalities and timelines for fiduciaries to respond to requests from data principals, the requirements of valid notice for obtaining a data principal’s consent for processing of data, details related to data breach notifications, and more. The list of operational details that may be specified by the Government in subsequent rules is open-ended and detailed in Section 40(2)(a) to (z). Subsection (z) of this provision provides a catch-all permitting the Central Government to prescribe rules on “any other matter” related to the implementation of the Act.
In practice, it is expected that it will take time for the new Board to be established and for rules to be issued in key areas for compliance.
Besides rulemaking power, the Central Government has another significant role in the application of the law. Pursuant to Section 36, it can require any information (including presumably personal data) that it wants (or “call for”) from the Board, data fiduciaries, and “intermediaries” as defined by the IT Act. No further specifications are made in relation to such requests, other than that they must be made “for the purposes of the Act.” This provision is broader and subject to fewer restrictions than provisions on data access requests in the existing IT Act and its subsidiary rules.
Additionally, the Central Government may also order or direct any governmental agency and any “intermediary” to block information for access by the public “in the interests of the general public.” To issue such an order, the Board will need to have sanctioned the data fiduciary concerned at least twice in the past, and the Board must advise the Central Government to issue such an order. An order blocking public access may refer to “any computer resource” that enables data fiduciaries to offer goods or services to data principals within the territory of India. While it is now common among modern comprehensive data protection laws around the world for independent supervisory authorities to order erasure of personal data unlawfully processed, or to order international data transfers or sharing of personal data to cease if conditions of the law are not met, these provisions of the DPDP Act are atypical because the orders will come directly from the Government, and also because they more closely resemble online platform regulation than privacy law.
Exceptions for Publicly Available Data And Processing for Research Purposes Are Notable for Training AI
Given that this law comes in the midst of a global conversation about how to regulate artificial intelligence and automated decision-making, it is critical to highlight provisions in the law that seem directed at facilitating development of AI trained on personal data. Specifically, the Act excludes from its application most publicly available personal data, as long as it was made publicly available by the data principal – for example, a blogger or a social media user publishing their personal data directly – or by someone else under a legal obligation to publish the data, such as personal data of company shareholders that regulated companies must publicly disclose by law.
Additionally, the Act exempts the processing of personal data necessary for research or statistical purposes (Section 17(2)(b)). This exemption is extremely broad, with only one limitation in the core text: the Act will still apply to research and statistical processing if the processing activity is used to make “any decision specific to the data principal.”
There is only one other instance in the DPDP Act where processing data to “make decisions” about a data principal is raised. Data fiduciaries are under an obligation to ensure the “completeness, accuracy and consistency” of personal data if it is used to make a decision that affects the data subject. In other words, while the Act does not provide for a GDPR-style right not to be subject to automated decision-making, it does require that when personal data are used for making any individual decisions, presumably including automated or algorithmic decisions, such data must be kept accurate, consistent and complete.
Additionally, the DPDP Act remains applicable to any processing of personal data through AI systems, if the other conditions of the law are met, given the broad definitions of “processing” and of “personal data.” Further rules adopted by the Central Government or other notifications may provide more guidance in this regard.
Notably, the Act does not exempt processing of personal data for journalistic purposes, a fact criticized by the Editors’ Guild of India. In previous versions of the Bill, especially the expert version spearheaded by Justice Srikrishna in 2017, this exemption was present. It is still possible that the Central Government will address this issue through delegated legislation.
Key Takeaways and Further Clarification
India’s data protection Act has been in the works for a significant period of time and the passage of the law is a welcome step forward after the recognition of privacy as a fundamental right in India by the Supreme Court in its landmark Puttaswamy judgment.
While the basic structure of the law is similar to many other global laws like the GDPR and its contemporaries, India’s approach has its differences, such as more limited grounds of processing, wide exemptions for government actors, regulatory powers for the government to further specify the law and to exempt specific fiduciaries or classes of fiduciaries from key obligations, no baked-in definition or heightened protection for special categories of data, and the rather unusual inclusion of powers for the Government to request access to information from fiduciaries, the Board and “intermediaries”, as well as to block access by the public to specific information in “computer resources”.
Finally, we note that many details of the Act are still left to be clarified once the new Data Protection Board of India is set up and further rules for the specification of the law are drafted and officially notified.
Editors: Lee Matheson, Dominic Paulger, Josh Lee Kok Thong
FPF at Singapore PDP Week 2023: Navigating Governance Frameworks for Generative AI Systems in the Asia-Pacific
Authors: Cheng Kit Pang, Elena Guañuna, Alistair Simmons, and Matthew Rostick
Cheng Kit Pang, Elena Guañuna, Alistair Simmons, and Matthew Rostick are FPF Global Privacy Interns.
From July 18 to July 21, 2023, the Personal Data Protection Commission (PDPC) of Singapore held its annual Personal Data Protection Week (PDP Week), which overlapped with the IAPP’s Asia Privacy Forum 2023.
The Future of Privacy Forum (FPF)’s flagship event during PDP Week was a roundtable on the governance implications of generative AI systems in the Asia-Pacific (APAC) region. In organizing this event together with the PDPC, FPF brought together over 80 participants from industry, academia, the legal sector, and international organizations, as well as regulators from across the APAC region, Africa, and the Middle East.
FPF Roundtable on Governance of Generative AI Systems in APAC
On July 21, FPF organized a high-level closed-door roundtable, titled “Navigating Governance Frameworks for Generative AI Systems in the Asia-Pacific.” The roundtable explored the issues raised by applications of existing and emerging AI governance frameworks in APAC to generative AI systems.
Dominic Paulger (Policy Manager, FPF APAC) kicked off the roundtable with a presentation on the existing governance and regulatory frameworks that apply to generative AI systems in the APAC region. The presentation highlighted that to date, most major APAC jurisdictions have opted for “soft law” approaches to AI governance, such as developing ethical frameworks and voluntary governance frameworks, rather than “hard law” approaches, such as enacting binding regulations. However, the presentation also explained that China is an exception to this rule and has been active in enacting regulations targeting specific AI technologies, such as deep synthesis technologies and most recently, generative AI. In addition, even if they do not specifically target Generative AI, the comprehensive data protection laws enacted in most jurisdictions in the region are also applicable to how these types of computer programs are trained and generally process personal data.
The presentation was followed by three hours of discussion, facilitated by Josh Lee Kok Thong (Managing Director, FPF APAC). The discussions were first initiated by firestarters from industry, regulators, and academia:
Denise Wong (Deputy Commissioner, PDPC);
Jeth Lee (Chief Legal Officer, Microsoft Singapore);
Arianne Jimenez (Head of Privacy and Data Policy, Engagement, Meta); and
Jason Allen Grant (Director, Centre for AI & Data Governance, and Associate Professor of Law at Singapore Management University Yong Pung How School of Law).
Turning to the wider roundtable discussion, participants highlighted the fast pace of developments in generative AI technology and hence, the importance of adopting an agile and future-proof approach to governance. Participants also identified that compared with other forms of AI technology, generative AI systems were more likely to raise challenges in addressing unseen bias in very large, unstructured data sets and “hallucinations” (generated output that is grammatically accurate but nonsensical or factually inaccurate).
To address these issues, participants highlighted the importance of developing standards and metrics for evaluating the safety of generative AI systems and for measuring the effectiveness of achieving desired outcomes. Participants also called for efforts to educate users on generative AI systems, including the capabilities, limits, and risks of these technologies.
Regarding regulation of generative AI, participants were generally in favor of an incremental approach to the development of governance principles for generative AI systems in the region – allowing actors in the AI value chain to explore ways to operationalize existing AI principles and apply existing governance frameworks to the technology – rather than enacting “hard law” regulations.
Participants also agreed on the need for AI governance principles to account for the three basic layers of the AI technology stack as different policy considerations apply at each of these levels, namely:
The infrastructure layer, which includes the computing hardware, such as central processing units (CPUs) and graphics processing units (GPUs), that is used to train models and the data centers where this hardware is housed;
The model layer, which includes the training and operation of generative AI models like Bard, GPT, LLaMa, Stable Diffusion, and so on; and
The application layer, which includes software applications built on top of generative AI models and the different use cases in which these applications are deployed.
Several participants also raised that at the ecosystem level, it would be important for stakeholders to develop a common or standardized set of terminologies or taxonomies for key concepts in generative AI technology, such as “foundation models” or “large language models” (LLMs).
Some participants also called for greater collaboration between stakeholders, and a multidisciplinary approach to governance of generative AI systems and global alignment when developing best practices.
Photos: Participants from FPF Roundtable on Navigating Governance Frameworks for Generative AI Systems in the Asia-Pacific, 7/21/2023. Photos courtesy of the PDPC.
Other FPF Activities during PDP Week
IAPP Asia Privacy Forum 2023
On July 20, FPF organized an IAPP panel discussion titled “Unlocking Legal Bases for Processing Personal Data in APAC: A Practical Guide,” which built on FPF’s year-long research project on consent and other legal bases for processing personal data in the APAC region – the final report of which was released in November 2022.
Moderator Josh Lee Kok Thong led the discussion, in which panelists Deputy Commissioner Denise Wong, Deputy Commissioner Leandro Y. Aguirre, Arianne Jimenez, and David N. Alfred (Co-Head, Data Protection, Privacy & Cybersecurity Practice, Drew & Napier) explained the challenges faced by practitioners and regulators in addressing differing data requirements for consent and alternatives like “legitimate interests” in APAC data protection laws.
Photo: FPF Panel on Unlocking Legal Bases for Processing Personal Data in APAC, July 20, 2023.
FPF’s APAC office was also represented at two further panels during IAPP Asia Privacy Forum 2023:
Josh moderated a panel titled “Privacy-First Future: Partnering with Industry and Regulators for an Open Internet” focusing on the PDPC’s newly launched PETs x Privacy Sandbox initiative to reduce cross-site and cross-app tracking.
Josh also spoke on another panel titled “From DPO to Data Ethics Officer, Don’t Fall Behind!” which explored whether data protection officers (DPOs) are suited to fulfill the emerging role of a “data ethics officer” and how DPOs can raise data ethics issues to their company boards.
FPF Training on EU AI Act
On the sidelines of PDP Week, FPF held its inaugural in-person FPF Training session in the APAC region. The closed-door training session, which focused on the forthcoming EU AI Act and its impact on the APAC region, was held on July 20 and was conducted by Katerina Demetzou (Senior Counsel for Global Privacy, FPF) with interventions from Vincenzo Tiani from his experience of advising Members of the European Parliament (MEPs) on drafting the EU AI Act. The training provided a detailed analysis of the draft AI Act and explained the lifecycle of AI systems and the law-making process in the EU. The training drew close to 20 attendees comprising regulators and representatives from industry and the legal sector.
Photo: FPF Training on the EU AI Act, 7/20/2023
Conclusion
This was the second time that FPF organized events around PDP Week since the launch of FPF’s APAC office in 2021. The week’s events enabled FPF APAC to foster collaborative dialogues among regulators, industry, academia, and civil society from the APAC region and draw links with the EU, and the US. FPF is grateful for the support of the PDPC and IAPP in organizing these activities.
Edited by Dominic Paulger and Josh Lee Kok Thong
FPF Files Comments for the FTC Health Breach Notification Rule Addressing Specific Definitions and Clarity of Scope
On August 8th, the Future of Privacy Forum (FPF) filed comments with the U.S. Federal Trade Commission (the Commission) regarding the Notice of Proposed Rulemaking (NPRM) to clarify the scope and application of the Health Breach Notification Rule (HBNR).
The HBNR was promulgated in 2009 as part of the American Recovery and Reinvestment Act as a breach of security rule. Recent complaints brought by the Commission against GoodRx and Easy Healthcare were the first and second applications of the HBNR and addressed a novel range of alleged privacy breaches rather than traditional security breaches. The cases indicated a shift in the Commission’s interpretation of “breach of security” that drew many prototypical practices into scope. The NPRM seeks to clarify this broadened scope, which has amalgamated traditional breaches of security with nascent breaches of privacy. To draw out and address key issues in the NPRM and the Commission’s considerations, we recommended that the Commission consider the nuance of definitions and address the complexities of breach by specifically:
Define a Standard for Identifiability for “PHR identifiable health data” to Clearly Expand Protections for a Broad Spectrum of Personal Information
Define “Relates to” to Include the Creation of Health-Related Inferences from a Wide Range of Routine Commercial Datasets, While Establishing Clear Obligations for Businesses
Establish Clear Guidelines for Intentional Data Sharing that Does Not Require Affirmative Consent
Ensure that the Rule Contains “Good Faith” Exceptions for Merely Technical Violations
Further Define “Breach of Security” to Clarify Where the Commission May Take Enforcement Action
FPF’s full comments to the Commission are available here.
FPF Releases Generative AI Internal Policy Checklist To Guide Development of Policies to Promote Responsible Employee Use of Generative AI Tools
Today, the Future of Privacy Forum (FPF) releases the Generative AI for Organizational Use: Internal Policy Checklist. With the proliferation of employee use of generative AI tools, this checklist provides organizations with a powerful tool to help revise their internal policies and procedures to ensure that employees are using generative AI in a way that mitigates data, security, and privacy risks, respects intellectual property rights, and preserves consumer trust.
The Checklist draws from a series of consultations with practitioners and experts from over 30 cross-sector companies and organizations to understand current and anticipatory employee use of generative AI tools, benefits and harms, AI governance, and measures taken to protect company data and infrastructure. The conversations focused on any generative AI guidelines, policies, and procedures that had been implemented to govern employees’ use of generative AI tools.
From those discussions, we learned that organizations have broadly varied use cases for generative AI and, therefore, significant variation in generative AI policies. Some organizations have enacted outright bans on generative AI tools without prior approval, others have created restrictions on the use of generative AI, and still others have yet to develop express policies and procedures on employee use of generative AI. The Internal Policy Checklist for Generative AI is intended to serve as a guidance document no matter what stage of the process an organization is in. It may be used as a starting point to help kick off the development of internal generative AI policies or as a final check to ensure an organization has provided comprehensive and robust guidelines for its teams.
“It is imperative that both organizations and their employees understand the benefits and risks of generative AI tools, and that organizations have appropriate safeguards in place to support responsive and ethical use,” said Amber Ezzell, AI policy counsel at FPF and author of the checklist. “Employee use of generative AI tools is inevitable and may bring new and unexpected benefits to employers as employees find ways to be more productive and creative in even the most mundane tasks. Developing thoughtful generative AI policies is essential to ensure you’re well prepared for the changing way of work.”
Use in Compliance with Existing Laws and Policies for Data Protection & Security. Designated teams or individuals should revisit internal policies and procedures to ensure that they account for planned or permitted uses of generative AI. Employees must understand that relevant current or pending legal obligations apply to the use of new tools.
Employee Training and Education. Identified personnel should inform employees of the implications and consequences of using generative AI tools in the workplace, including providing training and resources on responsible use, risk, ethics, and bias. Designated leads should provide employees with regular reminders of legal, regulatory, and ethical obligations.
Employee Use Disclosure. Organizations should provide employees with clear guidance on when and whether to use organizational accounts for generative AI tools, as well as policies regarding permitted and prohibited uses of those tools in the workplace. Designated leads should communicate norms around documenting use and disclosing when generative AI tools are used.
Outputs of Generative AI. Systems should be implemented to remind employees to verify outputs of generative AI, including for issues regarding accuracy, timeliness, bias, or possible infringement of intellectual property rights. Organizations should determine whether and to what extent compensation should be provided to those whose intellectual property is implicated by generative AI outputs. When generative AI is used for coding, appropriate personnel should check and validate outputs for security vulnerabilities.
Old Laws & New Tech: As Courts Wrestle with Tough Questions under US Biometric Laws, Immersive Tech Raises New Challenges
Extended reality (XR) technologies often rely on users’ body-based data, particularly information about their eyes, hands, and body position, to create realistic, interactive experiences. However, data derived from individuals’ bodies can pose serious privacy and data protection risks for people. It can also create substantial liability risks for organizations, given the growing volume of lawsuits under the Illinois Biometric Information Privacy Act (BIPA) and scrutiny of biometric data practices by the Federal Trade Commission (“FTC” or “Commission”) in their recent Policy Statement. At the same time, there is considerable debate and lack of consensus about what counts as biometric data under existing state privacy laws, creating significant uncertainty for regulators, individuals, and organizations developing XR services.
This blog post explores the intersection of US biometric data privacy laws and XR technologies, particularly whether and to what extent specific body-based data XR devices collect and use may be considered “biometric” under various data protection regimes. We observe that:
Face templates and iris scans used to authenticate an individual’s identity are regulated biometrics, therefore those use cases in XR are covered by biometric laws.
Laws with broad definitions of biometrics may apply to systems that use face detection, as seen in emerging case law from Illinois regarding virtual try-on XR applications.
Organizations have taken steps that reduce their liability risk regarding face-based biometric systems, including by minimizing collection of identifying data or processing biometric data on individuals’ devices.
Other body-based data not used for identification in XR, like eye-tracking and voice analysis, may also be considered “biometric” if the technology and data are capable of identifying an individual.
A. Face Templates, Hand Scans, and Iris Scans Used to Authenticate an Individual’s Identity Are Regulated Biometrics, Therefore User Authentication in XR is Covered by Biometric and Comprehensive Privacy Laws
With the exception of CUBI (and to a certain extent, BIPA), most biometric and comprehensive data privacy statutes tie their definitions of “biometric data” to identification, meaning the laws are intended to regulate unique physiological characteristics that entities use to identify an individual. Generally, each biometric and comprehensive law focuses on five forms of biometric data: retina or iris scan, fingerprint, voiceprint, hand scan, and face scan. BIPA, in particular, applies to “biometric identifiers,” defined as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” as well as “biometric information,” which includes “any information…based on an individual’s biometric identifier used to identify an individual.” Therefore, any entity that uses technology to scan an individual’s iris, finger, hand, or face to uniquely identify an individual (1:many) or authenticate their identity (1:1) must comply with BIPA’s requirements, unless they fall within one of BIPA’s exemptions or exclusions. The same conclusion applies to CUBI, BPPA, and comprehensive data privacy laws.
XR devices often use iris, face, or hand scans to authenticate a user’s identity to log in to their profile or enable in-app payments. Much like computers or smartphones, more than one user may use a single XR device, so authenticating the specific person using the device at a given time allows for more personalization and secure transactions. As a result, iris or face authentication systems in XR devices are likely covered by U.S. biometric and comprehensive data privacy laws. The laws typically require organizations to obtain user consent before enrolling individuals in this sort of biometric XR system, and BIPA has potentially thorny provisions requiring “written consent,” which can be challenging to implement for many XR applications. The face and eye scans that XR technologies use for authentication may also be considered “sensitive data” under comprehensive data privacy laws, such as the California Privacy Rights Act (CPRA) or the Connecticut Data Privacy Act, requiring organizations to provide individuals opt-out rights, including the right to opt out of data sales and other transfers.
Most XR authentication technologies employ live capture of biometrics. Iris, face, or hand scans are captured in real time when an individual first enrolls, and subsequent scans are likewise captured in real time when the individual authenticates their identity to the device or app. These scenarios are typically covered by biometrics laws as described above. However, there is some uncertainty regarding biometric laws’ application to XR devices that create a biometric template from non-real-time photos, videos, and audio recordings. Most biometric and comprehensive privacy laws exclude photos, videos, and audio recordings from the scope of “biometric data” to varying degrees (with the exception of CUBI and the CPRA). Utah and Virginia’s comprehensive privacy laws, for example, broadly exempt photographs “or any data generated therefrom” from coverage, making their biometric regulations perhaps less likely to apply to photographic scanning. But case law under BIPA shows that these provisions may not exclude “biometric templates” derived from non-real-time photos, videos, or audio recordings. In Shutterfly v Monroe, the United States District Court for the Northern District of Illinois concluded that narrowly reading “biometric identifier” only to mean real-time scans would swallow the intent of the law, so photographic scanning to create “templates” was still within scope. Laws like the Connecticut Data Privacy Act (CTDPA) and the final rules for the Colorado Privacy Act (CPA), which do not exclude photos or data generated from these sources if an entity uses them for identification purposes, or CUBI, which contains no exemptions for photographs at all, are likely to follow this analysis.
The FTC’s conception of biometric information similarly and explicitly encompasses photos, videos, audio recordings, and certain data derived from these sources, making it likely that most regulators will still consider “biometric templates” created from photographic scanning subject to applicable biometric regulations.
B. Laws with Broad Definitions of Biometrics May Apply to Systems that Use Face Detection, as Seen in Emerging Case Law from Illinois Regarding Virtual Try-On XR Applications
Despite most laws’ goal to regulate biometric data that is uniquely identifying, several statutes’ text can be interpreted to apply to biometric technologies that merely distinguish a face from other objects or analyze facial characteristics, without identifying a particular individual. Depending on a privacy law’s definition of “biometric data,” courts may hold that the term regulates technologies that utilize data derived from an individual’s face, eyes, or voice even when they are not used for identification purposes. In XR, devices may use inward-facing cameras to conduct facial analysis for non-identification purposes, such as rendering expressive avatars. Augmented reality (AR) products like “virtual try-on” may also use facial analysis for people to visualize how different products – like eyeglasses – might look on them. Like many other XR applications, VTO primarily uses facial scans to detect and correctly align the product with an individual’s physical features, rather than for identification purposes.
Some laws with broad definitions can apply to these non-identification technologies unless a specific exception applies. CUBI does not require “biometric identifiers” to uniquely identify an individual, which has prompted the Texas Attorney General to claim that CUBI applies to the capture of face geometry regardless of whether an entity uses these facial maps for individual identification. The FTC’s conception of biometric technologies also broadly encompasses “all technologies that use or purport to use biometric information for any purpose.” But most notably, BIPA is complex because its definition of “biometric identifiers” does not explicitly require that the data be used for identification (in contrast to the statute’s definition of “biometric information,” which does require identification). As a result, Illinois courts have largely found that any facial scan may create a “biometric identifier,” such as with doorbell cameras, photo grouping, and Snapchat filters. This is true even when that technology’s facial scan feature was not used to identify the individual in the photo or video frame.
Recent BIPA lawsuits brought against companies that offer virtual try-on (VTO) illustrate how broad biometric laws might apply to XR devices that use facial analysis. In Theriot v. Louis Vuitton North America, Inc., a federal court permitted BIPA claims to proceed against Louis Vuitton’s VTO sunglasses application, finding that the technology’s use of facial scans was analogous to BIPA case law holding that face scans derived from photographs constitute biometric identifiers. Other VTO cases have had similar outcomes. Only VTO technology used for healthcare-related purposes, such as trying on prescription eyeglasses, has been found by courts to be outside the scope of BIPA. This result, however, did not rest on BIPA’s overall definition of biometric data, but rather arose from a narrow exception for “information captured from a patient in a health care setting.” So BIPA may not apply to medical providers’ use of XR apps or other immersive technologies, such as brain computer interfaces (BCIs), for diagnostic purposes, but BIPA’s coverage of non-identifying, non-medical uses remains a source of substantial confusion. This confusion undermines individuals’ understanding of their privacy rights and presents liability risks for organizations.
C. Organizations May Reduce their Liability Risk by Minimizing Collection of Identifying Data or Processing Biometric Data on Individuals’ Devices
Some organizations have taken steps to limit their liability risks by minimizing the collection of identifying data or processing biometric data on individuals’ devices. Case law suggests that some facial detection technologies fall outside the scope of BIPA and other biometric regulations if (1) there is no mechanism for the technology to retain facial scans or link scans to a user’s individual identity or account; and/or (2) all of the data is stored on-device.
First, in Daichendt and Odell v. CVS Pharmacy, the Northern District of Illinois dismissed a case against CVS for its passport photo system, which scans facial geometry in photos to confirm that they meet government requirements for passports (e.g., a person’s eyes are open, their mouth is closed and not smiling, and eyeglasses are not present). The court held that the plaintiffs failed to allege that CVS’ photo system enabled CVS to determine their identities, nor did the plaintiffs provide CVS “with any information, such as their names or physical or email addresses, that could connect the voluntary scans of face geometry with their identities.”
Separately, in Apple v. Barnett, the Illinois appellate court held that Apple was not subject to BIPA requirements regarding Face ID on iPhone because the company was not “collecting” or “possessing” users’ biometric data, since the data was stored entirely on the device and never stored on Apple servers. Thus, XR devices that do not retain facial scans that can be linked to users’ accounts, or that only store data on-device (such as Apple’s recently announced Vision Pro), may be out of scope of even some of the broadest biometrics laws.
D. Eye-tracking and Voice Analysis May Also be Considered “Biometric” if the Technology and Data are Capable of Identifying an Individual
In addition to face-based biometric technologies, most XR devices also use other forms of body-based detection or characterization systems for device functionality, such as voice analysis and eye-tracking. As seen with facial detection, these features are developed to detect or create predictions regarding bodily characteristics or behavior, but the subject is typically not identifiable and PII is typically not retained. For example, XR devices often contain microphones to capture a user’s voice and surroundings, which can enable voice commands, verbal interactions with other users, spatial mapping, and realistic sound effects. XR devices may also maintain inward-facing cameras that collect data about a user’s gaze—where they look and for how long—to enable eye tracking. This may be used to improve graphics and allow for more expressive avatars, including avatars that can display microexpressions.
Whether these systems that collect voice or gaze data are covered by biometric or comprehensive data privacy laws may depend on whether an organization can use the technology to identify an individual, even if not used in that capacity. As seen in CVS Pharmacy, many Illinois courts focus on the capacity of the technology to identify an individual. As an initial matter, biometric and comprehensive privacy laws typically apply to “voiceprints,” and not voice recordings. As stated by the Illinois Attorney General, “a voiceprint, which is a record of mechanical measurement, is not the same as a simple recording of a voice.”
However, the line between a voice recording and a voiceprint is blurry, particularly as it relates to the gray area of natural language processing (NLP)—a kind of artificial intelligence (AI) that can use audio to understand, interpret, and manipulate language. In Carpenter v. McDonald’s Corp., the U.S. District Court for the Northern District of Illinois found that McDonald’s drive-through voice assistant technology could be used for identification purposes, and thus could be considered a “voiceprint” under BIPA, since the technology’s patent application states that the technology may capture voice characteristics “like accent, speech pattern, gender, or age for the purpose of training the AI.” In a similar ongoing case against Petco, an Illinois federal judge permitted BIPA claims to proceed regarding employee voice data, stating “[w]hat matters [at the dismissal stage] is not how defendant’s software actually used plaintiffs’ data, but whether the data that Petco gathered was capable of identifying [the employees].” As a result, if an XR device captures vocal characteristics that are capable of unique identification, certain voice data may be considered a “voiceprint” under BIPA. This analytical framework will likely apply to jurisdictions that define biometric data to include biological characteristics that have the potential to identify an individual, such as in the final rules under the Colorado Privacy Act regarding biometric identifiers, or under the FTC’s Policy Statement on Biometric Information.
Whether privacy laws apply to gaze data, however, is even less clear. BIPA lawsuits against online exam proctoring services, autonomous vehicles, and “smart advertising screens” suggest that eye-tracking could be a biometric identifier under BIPA, even if not used for identification. In each of these cases, the technology conducted eye-tracking to determine where a user was looking—whether on the screen, the road, or in the store—but did not identify the individual. Instead, these technologies made inferences about whether someone may be cheating, not paying attention to the road, or what product they were looking at. Plaintiffs in these cases argue that eye-tracking is part of the technology’s collection and analysis of facial geometry, thus making it a “biometric identifier” under BIPA.
Unfortunately, state and federal courts in Illinois have not analyzed whether and to what extent eye tracking, without additional face analysis, constitutes a biometric identifier, nor whether it is a subset of facial analysis. Rather, most cases proceed based solely on the software’s overall facial analysis features, if at all. If courts are prone to equate facial detection scans to “facial geometry,” and voice analysis to “voiceprints,” they may also conflate eye tracking with “a retina or iris scan,” and thus treat eye tracking as a biometric identifier. Or they may follow the BIPA plaintiffs’ analysis, lumping eye-tracking into facial analysis as “facial geometry.” Alternatively, courts could characterize eye tracking as altogether separate from BIPA’s “facial geometry” and “retina or iris scan” categories. In any event, like with voice analysis, if an XR device collects gaze data that could be used for identification purposes, laws with broad biometrics definitions will apply, while other laws that have narrower definitions focused on the data or technology’s current use, may exclude the technology.
Takeaways
Statutory language and court opinions vary in how they define and/or apply to biometric data and identifiers. Though the plain text of most U.S. biometric and comprehensive data privacy laws ties the definition of a “biometric” to the identification of an individual, some laws may be applied more broadly to technologies that use body-based data for non-identification purposes. While most of the body-based data XR collects is not used for identification, litigation brought under BIPA and other state laws suggests that lawmakers and judges may consider certain kinds and uses of such data—for example, AR “facial scans,” eye tracking, and voice—to be biometrics. Whether this will be the case (or continue to be the case) depends on how policymakers draft these laws, and how courts, enforcement bodies, and other parties to litigation interpret statutes regulating biometrics.
Insights into Brazil’s AI Bill and its Interaction with Data Protection Law: Key Takeaways from the ANPD’s Webinar
Authors: Júlia Mendonça and Mariana Rielli
The following is a guest post to the FPF blog by Júlia Mendonça, Researcher at Data Privacy Brasil, and Mariana Rielli, Institutional Development Coordinator at Data Privacy Brasil. The guest blog reflects the opinion of the authors only. Guest blog posts do not necessarily reflect the views of FPF.
On July 6, 2023, the Brazilian National Data Protection Authority (ANPD) held a webinar event entitled: The interplay between AI regulation and data protection. The dialogue unfolded in the broader context of developments in AI regulation in Brazil which has, as its main drivers, the bills that propose a Regulatory Framework for Artificial Intelligence in the country. The bills were jointly analyzed by a Commission of 18 jurists appointed by the Federal Senate, which promoted meetings, seminars, and public hearings to substitute them with a new draft proposal. At the beginning of May, the draft produced by the Commission was transformed into a new bill that is currently going through the legislative process: Bill PL nº2338 (AI draft bill).
The ANPD, noting the need to harmonize any upcoming AI regulation with the existing data protection regime (as well as future enforcement matters), organized this webinar, in addition to having published a preliminary analysis of the AI draft bill. The discussions during the webinar offer a glimpse into the AI lawmaking and policymaking in Brazil, one of the largest jurisdictions in the world – one that is also covered by a general data protection law applicable to personal data processed in the context of an AI system. This brief blog post outlines the main topics discussed during the event, particularly in relation to the interplay between the current AI draft bill and Brazil’s General Data Protection Law (LGPD).
The webinar’s opening welcomed Waldemar Gonçalves (President, ANPD, Brazil), Eduardo Gomes (Senator of the Republic, Brazil), and Estela Aranha (Special Advisor, Ministry of Justice and Public Security, Brazil). The panel that followed was formed by representatives of the National Data Protection Council (CNPD) – a multisectoral advisory body, part of the ANPD structure – namely, Ana Paula Bialer (Founding Partner, Bialer Falsetti Associados, Brazil), Bruno Bioni (Director and Founder, Data Privacy Brasil), Fabrício da Mota (Vice President, Conselho Federal da OAB, Brazil), and Laura Schertel (Visiting Researcher, Goethe Universität Frankfurt; and private law Professor and lawyer, Brazil/EU).
Key representatives highlight the need for ongoing harmonization between AI regulation and data protection law in Brazil
As the President of the ANPD, Waldemar Gonçalves highlighted the Authority’s ongoing work on the AI agenda, noting that data protection rules under the LGPD are closely interconnected with those provided for in the AI draft bill, such as with regard to the right to information. With such similarities in mind, Gonçalves noted the need for harmonization between different tools, such as the Data Protection Impact Assessment (DPIA) and the Algorithm Impact Assessment (AIA).
Another initiative of the ANPD highlighted by Gonçalves as relevant to the AI agenda and the current AI regulatory efforts was the technical agreement between the Authority and the Latin American Development Bank (CAF), which will include a regulatory sandbox pilot program on data protection and AI.
The ANPD’s current president closed his remarks by recalling the various recent cases in which data protection authorities around the world have spoken out on issues concerning AI-based systems, thereby reinforcing the importance of the ANPD assuming an active role in this discussion. Eduardo Gomes, rapporteur of the AI draft bill, started from the same premises to support the efforts led together with the president of the Senate, Rodrigo Pacheco. In addition to reinforcing the importance of the work of the Commission of Jurists in laying the groundwork for the debate in Brazil, he also recognized the need to foster other opportunities to “mature the subject.”
Concluding the opening panel, Estela Aranha focused her presentation on the topic of algorithmic discrimination in the context of the interplay between AI and existing data protection norms. Aranha mentioned examples with regards to data mining and how the resulting massive collection of data can generate the most varied risks, including risks of discrimination, and can go beyond the most obvious examples of sensitive and inferred data. The relevance of this specific point in the debate stems from the fact that the proposed AI draft bill is quite detailed, both in terms of definitions and obligations created, with regards to direct and indirect discrimination potentially created or enhanced by AI systems in the Brazilian context. Finally, Aranha also reaffirmed the Ministry of Justice’s support for the Bill.
A deeper dive into the proposed AI draft bill and possible future(s) of AI regulation
The following panel focused on a deeper look at the proposed AI draft bill and some of the specific provisions therein. The first panelist, Ana Paula Bialer, highlighted that there is already a robust framework for data protection that grants the data subject greater control over their data, based on the principle of “informational self-determination.” However, Bialer made a point that there may be a certain difficulty in applying the rationale of data protection to AI. Not in the sense that the data used is presumably not protected, but rather that there should be a thorough exercise of extension and “revalorization” of the principles of the LGPD, combined with a review of the set of rights put in place in the context of AI systems.
Already assessing the current draft bill, Bialer also considered that the meaning of a human-centered approach can be different when thinking about different applications of AI in varying socio-economic contexts, exemplifying her reflection through the topic of recruitment and new hires’ selection and the right to full employment in Brazil. Bialer concluded by reaffirming the benefits that can be brought by AI for social and economic development in the country, as well as for the exercise of fundamental rights. In this context, Bialer welcomed the ANPD’s regulatory sandbox initiative and positioned herself more favorably to a strongly risk-based approach to AI regulation.
Bruno Bioni began by emphasizing the importance of having a dose of skepticism with regards to the broader debate – both on AI, and in respect to AI regulation – especially in a scenario where the almost “apocalyptic” narrative around AI continues gaining notoriety. This is important because, in Bioni’s opinion, such discourse may end up underestimating the regulatory tools that already exist. The very field of personal data protection has already provided positive and negative lessons when it comes to an object of regulation that is very plastic and polyvalent, “with a regulatory mission that is transversal and not sectoral.”
Bioni continued by pointing out that the intersection of data protection, AI regulation, and governance is very much related to the idea of a “toolbox” that opens opportunities for a more collaborative, collective regulatory production, relying on companies themselves to participate and to some extent, be rewarded, for example, if they demonstrate a good level of accountability.
Among the various existing tools and how they can support each other, Bioni highlighted Algorithmic Impact Assessments (AIA) and Data Protection Impact Assessments (DPIAs) as documentation that can foster and unfold into the other in such a way as to optimize both. The ANPD has already positioned the DPIA prescribed by the LGPD as an instrument to be better regulated and better standardized, which, for the expert, will be a significant advancement, even in a hypothetical scenario where it takes a long time for an AI regulation to be passed.
According to Bioni, it is for this reason that data protection authorities around the world have led enforcement actions, in the absence of AI laws or authorities created with this specific mission. Bioni concluded his remarks by pointing out that it is essential to think about a more collective or networked governance approach.
Fabrício da Mota Alves focused on the issue of institutional arrangements and of thinking about future legislation inserted in a regulatory environment that is founded on the administrative action of the Brazilian State. Fabrício pondered on the possibility that, following other countries in the world, the ANPD promotes some degree of administrative action (supervisory and sanctioning, in addition to regulation and awareness) related to AI, reinforcing that there is a concern to understand and call for the ANPD to build a very robust regulatory environment. Above all, there is a call for formal protocols so that companies and experts can understand the limits and the scope of ANPD’s actions in this dynamic scenario.
Celebrating the space provided by the webinar as one of the first and most qualified to take place outside of the legislative environment, Alves emphasized that it is imperative that, also in the context of regulating and enforcing AI-related cases (regardless of specific frameworks), the Brazilian ANPD maintains the stance it has adopted so far, with broad public participation, hearings, public consultations, and processes that are open to criticism from all affected sectors.
What’s next for the Brazilian AI bill?
Brazil’s AI draft bill is in its early stages, although it has already been the result of lengthy discussions by the expert committee assigned to prepare a new draft in 2022. There is an expectation that it will now be analyzed by a special committee of parliamentarians designated specifically to debate the Bill, with the prospect of new rounds of public hearings. After the text is approved by the plenary of the Brazilian Senate, the proposal still goes through the Chamber of Deputies, the reviewing house, until a common text is reached, which will then be sanctioned by the President of the Republic.
The whole webinar, in Portuguese, can be watched here.
Newly Updated Report: The Spectrum of Artificial Intelligence – Companion to the FPF AI Infographic
Artificial Intelligence (AI) has become an integral part of our lives, transforming how we interact, work, and make decisions. From virtual assistants and recommendation systems to autonomous vehicles and medical diagnostics, AI technologies have made remarkable progress. However, as AI continues to advance, it is essential to understand how it works and the ethical considerations that accompany it.
This updated report places generative AI within the larger AI Landscape to address foundational questions about the operation and development of the technology, including generative AI’s use of personal information, the ability of individuals to meaningfully utilize access, correction, or deletion rights, as well as means and methods available to minimize inaccurate information and hallucinations in outputs.
As generative AI becomes mainstream through tools such as OpenAI’s ChatGPT and Google’s Bard, it introduces new and transformational use cases for AI in everyday life, including the workplace. However, there are also risks and ethical considerations to manage throughout the lifecycle of these systems. A better understanding of all the kinds of AI systems and how they relate to one another is essential, and benefits organizations, policymakers, and the general public. The re-release of The Spectrum of Artificial Intelligence – Companion to the FPF AI Infographic strives to provide this.
The First Japan Privacy Symposium: G7 DPAs discussed their approach to rein in AI, and other regulatory priorities
The Future of Privacy Forum and S&K Brussels LPC hosted the first Japan Privacy Symposium in Tokyo, on June 22, 2023, following the G7 Data Protection and Privacy Commissioners roundtable. The Symposium brought global thought leadership on the interaction of data protection and privacy law with AI, as well as insights into the current regulatory priorities of the G7 Data Protection Authorities (DPAs) to an audience of more than 250 in-house privacy leaders, lawyers, consultants and journalists from Japan and the region.
The program started with a keynote address from Commissioner Shuhei Ohshima (Japan’s Personal Information Protection Commission), who shared details about the results of the G7 DPAs Roundtable from the day before. Two panels followed, featuring Rebecca Kelly Slaughter (Commissioner, U.S. Federal Trade Commission), Wojciech Wiewiórowski (European Data Protection Supervisor, EU), Philippe Dufresne (Federal Privacy Commissioner, Canada), Ginevra Cerrina Feroni (Vice President of the Garante, Italy), John Edwards (Information Commissioner, UK), and Bertrand du Marais (Commissioner, CNIL, France). Jules Polonetsky, FPF CEO, and Takeshige Sugimoto, Managing Partner at S&K Brussels LPC and FPF Senior Fellow, hosted the Symposium.
The G7 DPA Agenda, built on three pillars: Data Free Flow with Trust, emerging technologies, and enforcement cooperation
The DPAs of the G7 nations started to meet annually in 2021, following the initiative of the UK’s Information Commissioner’s Office during the UK’s G7 Presidency that year. This is a new venue for international cooperation of DPAs, limited to Commissioners from Canada, France, Germany, Italy, Japan, the United Kingdom, the United States, and the European Union. Throughout the year, the DPAs maintain a permanent channel of communication and implement a work plan adopted during their annual Roundtable.
In his keynote at the Japan Privacy Symposium, Commissioner Shuhei Ohshima laid out the results of this year’s Roundtable, held in Tokyo on June 20 and 21. The Commissioner highlighted three pillars guiding the group’s cooperation this year: (I) Data Free Flow with Trust (DFFT), (II) emerging technologies, and (III) enforcement cooperation.
The G7 Commissioners’ Communique expressed overall support for the DFFT political initiative, welcoming the reference to DPAs as stakeholders in the future Institutional Arrangement for Partnership (IAP), a new structure the G7 Digital Ministers announced earlier in April to operationalize the DFFT. However, in the Communique, the G7 DPAs emphasized that they “must have a key role in contributing on topics that are within their competence in this Arrangement.” It is noteworthy that, among their competencies, most G7 DPAs have the authority to order the cessation of data transfers across borders if legal requirements are not met (see, for instance, this case from the CNIL – the French DPA, this case from the European Data Protection Supervisor, or this case from the Italian Garante).
The IAP seems to provide a key role for governments themselves currently, in addition to stakeholders and “the broader multidisciplinary community of data governance experts from different backgrounds,” according to Annex I of the Ministerial Declaration announcing the Partnership. The DPAs are singled out only as an example of such experts.
In the Action Plan adopted in Tokyo, the G7 DPAs included clues as to how they see the operationalization of DFFT playing out: through interoperability and convergence of existing transfer tools. As such, they endeavor to “share knowledge on tools for secure and trustworthy transfers, notably through the comparison of Global Cross-Border Privacy Rules (CBPR) and EU certification requirements, and through the comparison of existing model contractual clauses.” (In an analysis touching broadly beyond the G7 jurisdictions, the Future of Privacy Forum published a report earlier this year emphasizing many commonalities, but also some divergence, among three sets of model contractual clauses proposed by the EU, the Iberoamerican Network of DPAs, and ASEAN).
Arguably, though, DFFT was not the main point on the G7 DPAs agenda. They had adopted a separate and detailed Statement on generative AI. In his keynote, Commissioner Shuhei Ohshima remarked that “generative AI adoption has increased significantly.” In order to promote trustworthy deployment and use of the new technology “the importance of DPAs is increasing also on a daily basis,” the Commissioner added.
Generative AI is not being deployed in a legislative void, and data protection law is the immediately applicable legal framework
Top of mind for G7 data protection and privacy regulators is AI, and generative AI in particular. “AI is not a law-free zone,” said FTC Commissioner Slaughter during her panel at the Symposium, being very clear that “existing laws on the books in the US and other jurisdictions apply to AI, just like they apply to adtech, [and] social media.” This is apparent across the G7 jurisdictions: in March, the Italian DPA issued an order against OpenAI to stop processing personal data of users in Italy following concerns that ChatGPT breached the General Data Protection Regulation (GDPR); in May, the Canadian Federal Privacy Commissioner opened an investigation into ChatGPT jointly with provincial privacy authorities; and, in June, Japan’s PIPC issued an administrative letter warning OpenAI that it needs to comply with requirements from the Act on the Protection of Personal Information, particularly regarding the processing of sensitive data.
At the Japan Privacy Symposium, Ginevra Cerrina Feroni, VP of the Garante, shared the key concerns guiding the agency’s enforcement action against OpenAI, which was the first such action in the world. She highlighted several risks, including a lack of transparency about how OpenAI collects and processes personal data to deliver the ChatGPT service; uncertainty regarding a lawful ground for processing personal data, as required by the GDPR; a lack of avenues to comply with the rights of data subjects, such as access, erasure, and correction; and, finally, the potential exposure of minors to inappropriate content, due to inadequate age gating.
After engaging in a constructive dialogue with OpenAI, the Garante suspended the order, seeing improvements in previously flagged aspects. “OpenAI published a privacy notice to users worldwide to inform them how personal data is used in algorithmic training, and emphasized the right to object to such processing,” the Garante Vice President explained. She continued, noting that OpenAI “provided users with the right to reject their personal data being used for training the algorithms while using the service, in a dedicated way that is more easily accessible. They also enabled the ability of users to request deletion of inaccurate information, because – and this is important – they say they are technically unable to correct errors.” However, Vice President Cerrina Feroni mentioned that the investigation is ongoing and that the European Data Protection Board is currently coordinating actions among EU DPAs on this matter.
The EDPS added that purpose limitation is among his chief concerns with services like ChatGPT, and generative AI more broadly. “Generative AI is meant to advance communication with human beings, but it does not provide fact-finding or fact-checking. We should not expect this as a top feature of Large Language Models. These programs are not an encyclopedia; they are just meant to be fluent, hence the rise of possibilities for them to hallucinate,” Supervisor Wiewiórowski said.
Canadian Privacy Commissioner Philippe Dufresne emphasized that how we relate to generative AI from a privacy regulatory perspective “is an international issue.” Commissioner Dufresne also added, “a point worth repeating is that privacy must be treated as a fundamental right.” This is important, as “when we talk about privacy as a fundamental right, we point out how privacy is essential to other fundamental human rights within a democracy, like freedom of expression and all other rights. If we look at privacy like that, we must see that by protecting privacy, we are protecting all these other rights. Insofar as AI touches on these, I do see privacy being at the core of all of it,” Commissioner Dufresne concluded.
The G7 DPAs’ Statement on Generative AI outlines their key concerns, such as lack of legal authority to process personal data at all stages
In the aforementioned Generative AI Statement, the G7 data protection regulators laid out their main concerns in relation to how personal data is processed through this emerging type of computer program and service. First and foremost, the commissioners are concerned that processing of personal data lacks legal authority during all three relevant stages of developing and deploying generative AI systems: for the data sets used to train, validate and test generative AI models; for processing personal data resulting from the interactions of individuals with generative AI tools during their use; and, for the content that is generated by generative AI tools.
The commissioners also highlighted the need for security safeguards to protect against threats and attacks that seek to invert generative AI models, and that would technically prevent extractions or reproductions of personal data originally processed in datasets used to train the models. They also advocated for mitigation and monitoring measures to ensure personal data created by generative AI is accurate, complete, and up-to-date, as well as free from discriminatory, unlawful, or otherwise unjustifiable effects.
It is clear that data protection and privacy commissioners are proactive about ensuring generative AI systems are compatible with privacy and data protection laws. Only two weeks after their roundtable in Tokyo, it was reported that the US FTC initiated an investigation against OpenAI. And this proactive approach is intentional. As UK’s Information Commissioner, John Edwards, made clear, the commissioners are “keen to ensure” that they “do not miss this essential moment in the development of this new technology in a way that [they] missed the moment of building the business models underpinning social media and online advertising.” “We are here and watching,” he said.
Regardless of the adoption of new AI-focused laws, DPAs would remain central to AI governance
The Commissioners also discussed the wave of legislative initiatives targeting AI in their jurisdictions. AI systems are not built and deployed in a legislative void: data protection law is largely and immediately relevant, as is consumer protection law, product liability rules, and intellectual property law. In this environment, what is the added value of specific, targeted legislation addressing AI?
Addressing the EU AI Act proposal, European Data Protection Supervisor Wiewiórowski noted that the EU did not initiate the legislation because the legislator thought there was a vacuum. “We saw that there were topics to be addressed more specifically for AI systems. There was a question whether we approach it as a product, service, or some kind of new phenomenon as far as legislation is concerned,” he added. As for the role of the DPAs once the AI Act is adopted, he brought up the fact that in the EU, data protection is a fundamental right, which means that all legislation or policy solutions governing the processing of personal data in one way or another must be looked at through this lens. As supervisory authorities tasked with guaranteeing this fundamental right, DPAs will continue to play a role.
The framework ensuring the enforcement of the AI Act is still under debate, as EU Member States are tasked with designating competent national authorities, and the European Parliament hopes to create a supranational collaborative body to play a role in enforcement. However, one thing is certain: in the proposal, the EDPS has been designated the competent authority to ensure that EU agencies and bodies comply with the EU AI Act.
The CNIL seems to be eyeing the designation as EU AI Act enforcer as well. Commissioner du Marais pointed out that “since 1978, the French Act on IT and Freedom has banned automated decisions. We have a fairly long and established body of case law.” Earlier this year, the CNIL created a dedicated department including data and computer scientists among staff to monitor how AI systems comply with legal obligations stemming from data protection law. “To be frank, we don’t know yet what will come out of the legislative process, but we have started to prepare ourselves. We have also been designated by domestic law as supervisory and certification authority for AI during the 2024 Olympic Games.”
The Garante has a long track record of enforcing data protection law on algorithmic systems and decision-making that impacted the rights of individuals. “The role of the Garante in safeguarding digital rights has always been prominent, even when the issue was not yet widely recognized by the public,” said Vice President Cerrina Feroni. Indeed, as shown by extensive research published last year by the Future of Privacy Forum, European DPAs have long been enforcing data protection law in cases where automated decision-making was central. The Garante led impactful investigations against several gig economy apps and their algorithms’ impacts on people.
Canada is also in the midst of legislating AI, introducing a bill last year that is currently under debate. “There is similarity with the European proposal, but [the Canadian bill] focuses more on high impact AI systems and on preventing harms and biased outputs and decision-making. It provides significant financial fines,” Commissioner Dufresne explained. As part of the bill, enforcement is currently assigned to the relevant ministry in the Canadian government. The Privacy Commissioner explained that the regulatory activity would be coordinated with his office, but also with the competition, media, and human rights regulators in Canada. When contributing recommendations during the legislative process, Commissioner Dufresne noted that he suggested “privacy to be a key principle.” In light of his vision that privacy as a fundamental right is essential for the realization of other fundamental rights, the Commissioner had a clear message that “the DPAs need to be front and center” of the future of AI governance.
UK Commissioner Edwards echoed the value of entrenched collaboration among digital regulators, adding that the UK already has an official “Digital Regulators Cooperation Forum,” established with its own staff. The entity “is important to provide a coherent regulatory framework,” he said.
Children’s privacy is a top priority across borders, with new regulatory approaches showing promising results
One of the key concerns that the G7 DPAs have in relation to generative AI is how the new services are dealing with children’s privacy. In fact, the regulators have made it one of their top priorities to broadly pursue the protection of children’s privacy when regulating social media services, targeted advertising, or online gaming, among others.
Building on a series of recent high-profile cases brought by the FTC in this space, Commissioner Slaughter couldn’t have been clearer: “Kids are a huge priority issue for the FTC.” She reminded the audience that COPPA (Children’s Online Privacy Protection Act) has been around for more than two decades, and it is one of the strongest federal privacy laws in the US: “The FTC is committed to enforcing it aggressively.” Commissioner Slaughter explained that the FTC’s actions, such as their recent case against Epic Games, include considerations related to teenagers as well, even if they are not technically covered by COPPA protections, but are covered by the “unfair practices” doctrine of the FTC.
UK Commissioner John Edwards gave a detailed account of the impact of the UK’s Age Appropriate Design Code, launched by his office in 2020, on the design of online services provided to children. “We have seen genuine changes, including privacy settings being automatically set to very high for children. We have seen children and parents and carers being given more control over privacy settings. And we have seen that children are no longer nudged to lower privacy settings, with clearer tools and steps in place for them to exercise their data protection rights. We have also seen ads blocked for children,” Commissioner Edwards said, pointing out that these are significant improvements for the online experience of children. These results have been obtained primarily through a collaborative approach with the service providers, who have implemented changes after their services were subject to audits conducted by the regulator.
Children’s and teenagers’ privacy is also top of mind for the CNIL. Among a series of guidance, recommendations, and actions, the French regulator is adding another layer to its approach – digital education. “We have made education a strategic priority. We have a partnership with the Ministry of Education and we have available a platform to certify digital skills for children, as well as with resources for kids and parents,” Commissioner du Marais said. Regarding regulatory priorities, he emphasized attention to age verification tools. Among the principles the French regulator favors for age verification are no direct collection of identity documents, no age estimates based on web browsing history, and no processing of biometric data to recognize an individual. The CNIL has asked websites not to carry out age verification themselves, and to instead rely on third-party solutions.
The discussions of the G7 DPA Commissioners who participated in the first edition of the Japan Privacy Symposium laid out a vibrant and complex regulatory landscape, centered around new challenges posed to societal values and rights of individuals by AI technology, but also making advancements in perennial topics like cross-border data transfers and children’s privacy. More meaningful and deeper enforcement cooperation is to be expected among the G7 Commissioners, whose Action Plan espoused their commitment to move towards constant exchanges related to enforcement actions and to revitalize existing global enforcement cooperation networks, like GPEN (Global Privacy Enforcement Network). Next year, the G7 DPA Commissioners will meet in Rome.
Editor: Alexander Thompson
A New Domicile for Comprehensive Privacy in Delaware
On June 30, 2023, in the final hours of the Delaware legislative session, lawmakers in Dover passed House Bill 154, the Delaware Personal Data Privacy Act (“DPDPA”). If enacted by Governor Carney, the DPDPA will take effect on January 1, 2025. It follows the general model established by the Connecticut Data Privacy Act (CTDPA), with some notable differences. Delaware will become the twelfth U.S. state to adopt a comprehensive data privacy law to govern the collection, use, and transfer of personal data.
1. Broad Scope
The DPDPA establishes the lowest primary coverage threshold of any state comprehensive privacy law passed so far, applying to organizations that control or process the data of at least 35,000 Delaware residents annually. Typically, state-level comprehensive privacy laws cover organizations that control or process the data of at least 100,000 state citizens each year. The DPDPA’s scope was likely tailored to fit Delaware’s small size and population: by land area Delaware is smaller than any other U.S. state save Rhode Island, and has one of the lowest populations in the country, estimated by U.S. Census data at 1.018 million in 2022.
The Act exempts specific data that is subject to existing laws, including data covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA), while broadly carving out entities covered by the Gramm-Leach-Bliley Act (GLBA). However, the DPDPA diverges from most other state-level comprehensive privacy laws by not broadly exempting non-profits or higher education institutions.
2. Timely Sensitive Data Categories
The DPDPA establishes a category of “sensitive” personal information that is subject to greater protections, which includes categories such as “[d]ata revealing racial or ethnic origin,” “religious beliefs,” and “[p]recise geolocation data.” However, the DPDPA expands this list beyond that seen in many other states, including “status as transgender or nonbinary,” which is also recognized as a sensitive information category in Oregon’s recently-passed comprehensive privacy law, and “mental or physical health condition or diagnosis (including pregnancy).”
Although all currently enacted comprehensive privacy laws recognize some version of “mental or physical health condition or diagnosis” as sensitive, the DPDPA is the first state-level comprehensive privacy law to explicitly include pregnancy as a category of sensitive data. The recently-passed Connecticut Senate Bill 3 (SB 3), which partially updates the Connecticut Data Privacy Act (CTDPA), also specifically classifies data related to pregnancy and reproductive health as sensitive. Both SB 3 and the DPDPA likely reflect lawmaker focus on the privacy of reproductive health and pregnancy data in the wake of the Supreme Court’s overturning of Roe v. Wade.
3. Protections for Teens
The DPDPA forbids covered entities from selling, or processing for targeted advertising purposes, the data of consumers that the controller knows, or willfully disregards, are between the ages of 13 and 17 without consent. This prohibition goes further than similarly-structured prohibitions in California, Connecticut, and Montana, which place restrictions on the sale and processing of the data of consumers between the ages of 13 and 15. The DPDPA’s broader coverage of teens’ data reflects the ongoing attention to youth privacy that has permeated state legislatures this session. While this is the first time a state-level comprehensive privacy law has structured its protections to cover teens up to the age of 17 (although CT SB 3 creates similar protections for 13-to-17-year-olds), child-directed privacy and online safety laws, including the California Age-Appropriate Design Code and Utah Senate Bill 152, have increasingly applied to the data and activity of teenagers up to age 17.
4. Expanded Rights to Access and Delete
In line with other comprehensive privacy laws, the DPDPA grants consumers the right to require controllers to delete their personal data. Unlike comparable laws, however, the DPDPA requires controllers to delete data obtained about a person from a third-party source (such as a data broker) except for “a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records,” which they may not use for any other purpose. In contrast, other state privacy laws typically permit controllers to retain data obtained about a person from third-party sources so long as they opt that person out of the processing of their personal data for all non-exempt purposes. The DPDPA also creates a unique affirmative right to “obtain a list of the categories of third parties to whom the controller has disclosed the consumer’s personal data.”
5. Unique Treatment of Nonprofits
Delaware joins Colorado and Oregon in not generally carving out nonprofit organizations in its scope. Like Oregon, however, the Delaware law carves out nonprofits that combat insurance fraud. The DPDPA also creates a novel data-level exemption for the “[p]ersonal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.”
6. UOOM Uncertainty
The DPDPA would be the seventh comprehensive state privacy law to permit consumers to exercise certain rights on a default basis through what is commonly known as a “Universal Opt-Out Mechanism” (UOOM), joining California, Colorado, Connecticut, Montana, Texas, and Oregon. The UOOMs currently in use often take the form of a browser extension that sends an automatic signal to each web page a consumer visits while the extension is enabled, notifying the site that the consumer wishes to exercise a particular consumer right.
The DPDPA establishes that consumers have the right to opt out of the processing of their personal information for targeted advertising, data sales, and profiling for the purposes of automated decision-making with significant impact on the consumer. Drafting ambiguities make it unclear whether the DPDPA permits opting out of profiling via device signals, which would be a first for a state comprehensive privacy law. The DPDPA does not allow for rulemaking.