New Report on Limits of “Consent” in Vietnam’s Data Protection Law
Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the ninth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Vietnam, including:
notice and consent requirements for processing personal data;
the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Vietnam’s Evolving Data Protection Landscape
Vietnam currently does not have a comprehensive law on protection of personal data, and instead, Vietnam’s personal data framework is made up of a patchwork of different legal instruments.
At the fundamental level, Vietnam’s Constitution provides for an inviolable right to privacy and legal protection of information regarding personal privacy and personal and familial secrecy.
The Civil Code gives expression to these rights in a limited manner by, among others, requiring an individual’s consent for collection, use, retention, or publication of information about that individual’s private life.
These are complemented by a number of sector specific laws and regulations which provide for protection of personal data in a number of specific contexts, including cyberspace, healthcare, commerce, banking, and finance.
However, it is expected that Vietnam will enact a comprehensive data protection law in the coming months. In February 2021, Vietnam’s Ministry of Public Security (MPS) initiated consultation on a draft legislation, releasing a draft Decree on Personal Data Protection (Draft PDP Decree) for public comment.
This Draft PDP Decree sought to introduce several major additions to Vietnam’s personal data protection framework, including:
establishment of a Personal Data Protection Committee within MPS that would be responsible for, among others, enforcing the PDP Decree;
a framework for cross-border data transfers;
a unified set of overarching principles (including data minimization and purpose limitation) that would govern the collection, use, and disclosure of personal data; and
a number of data subject rights, including rights to be notified of and object to processing of one’s personal data and to access and correct personal data about oneself; and
a set of general obligations that would apply to all entities that process personal data.
It is understood that in the year and a half since this public consultation, MPS has been further developing a revised draft of the legislation internally. However, to date, this revised draft has not been released publicly. While the report and this blog post refer to the February 2021 version of the Draft PDP, note that this draft legislation has not yet been enacted, and its provisions remain subject to change.
Consent in Vietnam’s Existing Data Protection Framework
Under Vietnam’s existing data protection framework, consent is generally the default basis for processing individuals’ personal information or information about an individual’s private life, unless an applicable legal instrument provides an exception to consent.
Vietnamese law also imposes confidentiality requirements on certain providers of regulated services – such as medical professionals, credit institutions, and banks – and generally requires these service providers to obtain consent from users of their services before disclosing users’ personal information to third parties, subject to narrow exceptions, such as requests from state authorities or necessity for medical care.
Generally, under Vietnamese law, consent for processing of personal information must be freely given. Prevailing laws generally require entities that handle personal data to inform the data subject of the scope and purpose for collection and use of the data subject’s personal information before obtaining the data subject’s consent. Vietnamese law does not generally require consent for processing of personal information to be given in any specific form. However, more stringent requirements apply in the contexts of e-commerce and advertising/marketing communications.
Consent in the Draft PDP Decree (Not Yet Enacted)
Consent plays a prominent role in the Draft PDP Decree: it is one of several legal bases for processing personal data (including sensitive personal data) and is one of several requirements for transferring personal data out of Vietnam.
Under the Draft PDP Decree, consent must be affirmative, voluntary, informed, and recorded in a written form.
If an entity seeks to rely on consent to process a data subject’s personal data, the entity must inform the data subject of the type of data to be processed, the purpose for processing, any third parties with whom the data may be shared and the conditions sharing the data, the data subject’s legal rights regarding processing of the personal data, and whether the personal data to be processed is sensitive personal data.
Interestingly, the Draft PDP Decree recognizes a form of deemed consent in the narrow context of audio or video recording by competent state agencies. By default, the collecting agency must notify data subjects of the recording in a way that data subjects understand unless recording is for the purposes of national defense, security, social order and safety, social ethics, or the health of the community.
The Draft PDP Decree also permit processing of personal data without consent where the processing is:
pursuant to other applicable provisions of law;
in the interests of national security, social order, and safety;
required by law in emergency events that threaten life or seriously affect the health of the data subject or the public health;
in support of investigation and handling of regulatory violations;
in compliance with specific provisions of international agreements or treaties to which Vietnam is a signatory; or
of de-identified personal data for research or statistics purposes, in compliance with certain other requirements in the Draft PDP Decree.
Additionally, the Draft PDP Decree permits disclosure of personal data without consent where the disclosure is in the media:
for the purposes of national defense and security, social order and safety, social ethics, and community health; or
according to the provisions of the Press Law in a manner that does not cause economic, reputational, psychological, or material damage to the data subject.
New Report on Limits of “Consent” in Malaysia’s Data Protection Law
Introduction
Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the eighth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Malaysia, including:
notice and consent requirements for processing personal data;
the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Malaysia’s Data Protection Landscape
The Personal Data Protection Act 2010 (PDPA) is the main data protection legislation in Malaysia and gives effect to the 7 Data Protection Principles (PDP Principles):
The General Principle requires data controllers to obtain data subjects’ consent to process their personal data.
The Notice and Choice Principle requires data controllers to provide data subjects with certain information when their personal data is processed.
The Disclosure Principle limits the circumstances in which data controllers can share personal data with third parties.
The Security Principle requires data controllers to protect personal data during processing.
The Retention Principle limits how long data controllers may retain personal data and establishes a positive obligation to delete or destroy personal data when it is no longer required.
The Data Integrity Principle requires data subjects to ensure that personal data is accurate, complete, not misleading, and kept up to date.
The Access Principle provides data subjects with a right to access and correct personal data about them.
The PDPA also establishes the Personal Data Protection Commissioner (PDP Commissioner) as the public body responsible for enforcing and administering the PDPA.
The PDPA is complemented by other sectoral laws, regulations, and guidelines. In addition to various sector-specific laws which limit the disclosure of personal data held by certain regulated entities (e.g., providers of financial services, medical practitioners), the PDP Commissioner has approved and registered seven Personal Data Codes of Practice, which provide more detailed requirements for entities in certain sectors to comply with the PDPA. These sectors include:
Role and Status of Consent as a Basis for Processing Personal Data in Malaysia
Consent plays a prominent role in the PDPA, as it is the default basis for collecting, using, and disclosing personal data under the PDPA and is also one of several legal bases for transferring personal data out of Malaysia.
The General Principle in Section 6 of the PDPA establishes the default rule that data controllers may only process personal data if they obtain consent from the data subject. However, this default rule is subject to other data protection principles (including purpose limitation) as well as a number of exceptions that apply where processing of personal data is necessary:
to perform a contract to which the data subject is a party;
to take steps at the request of the data subject while negotiating a contract;
to comply with any legal obligation to which the data controller is the subject;
to protect the vital interests of the data subject;
for the administration of justice; or
for the exercise of any functions conferred on any person by or under any law.
These alternatives to consent are similar to those provided under the EU Data Protection Directive 95/46 and its successor, the GDPR.
However, if the personal data in question falls within any of the categories of “sensitive personal data” specified in the PDPA, then the data controller would have to obtain “explicit consent” from the data subject unless an exception applies. These exceptions address a wide range of purposes for which processing of sensitive personal data may be necessary, including:
engagement in various legal acts, such as seeking legal advice, engaging in a legal proceeding, and exercising legal rights;
protection of the vital interests of the data subject or another person, where consent cannot be obtained;
exercise of professional duties under a duty of confidentiality; and
exercise of other duties prescribed by law.
These categories are not fixed, as the PDPA empowers the Minister of Communications and Multimedia to specify other purposes for which processing of sensitive data is permitted on the basis of necessity.
A challenge when interpreting the PDPA is that the PDPA does not define consent, and the PDPA and its sub-regulations also only provide limited guidance on the forms that valid consent may take. The PDPA’s sub-regulations specify that consent for the processing of personal data may take any form, provided that the consent is capable of being recorded and maintained by the data controller. Consent forms must also be structured to distinguish consent for a specific matter from any other matters included in the form.
While Malaysia’s data protection law would likely recognize express consent (provided that the foregoing requirements are met), it remains unclear whether Malaysia’s data protection law recognizes implied or deemed forms of consent and, if so, whether these forms of consent would be recognized in all instances.
In addition to the obligation to obtain consent under the General Principle in Section 6 of the PDPA, the Notice and Choice principle in Section 7 of the PDPA specifies the minimum information that a data controller must include in its written privacy policy.
ADPPA Would Surpass California’s Laws, but Improvements Remain
The American Data Privacy and Protection Act (ADPPA) was passed through the House Energy and Commerce Committee on July 20, a proposal which experts and advocates agree is long overdue. However, objections from California leaders may threaten the bill’s passage.
Stacey Gray, the FPF’s Director of Legislative Research & Analysis, argues otherwise in a new editorial for Lawfare. Gray explains how the ADPPA compares to – and surpasses – state privacy protections established by California’s Privacy Protection Agency (CPPA) and Privacy Rights Act (CPRA).
In substance and privacy protections, the current version of the ADDPA addresses and is “significantly stronger” than both the CPPA and CPRA “in nearly every way,” Gray argues. The ADPPA incorporates “substantive rights,” establishes groundbreaking new national civil rights protections, and preserves current state administrative enforcement powers.
“Any successful federal privacy law in the United States must be at least as protective as California’s current data protection framework for reasons that are both political and substantive,” said Stacey. “Congress can continue to strengthen and clarify the law to ensure that it exceeds the CPRA’s substantive provisions; preserves the CPPA’s existing enforcement powers; and establishes a single, strong comprehensive national privacy standard.”
ADPPA Helps Protect Civil Rights for All Americans
Today, The Hillpublished an op-ed from the Future of Privacy Forum’s (FPF) Senior Policy Counsel for Data, Decision Making, and Artificial Intelligence Bertram Lee. The piece highlighted that privacy, particularly in the context of digital services, electronic data flows, and personal data, is a civil right.
Yesterday, the House Energy and Commerce Committee voted to advance the American Data Privacy and Protection Act (ADPPA). If passed, the bill would enact the first national standard for privacy. In its current form, ADPPA would modernize civil rights for the digital age and update existing civil rights protections.
“What is at stake is bigger than the interests of individual states: it affects the lives of a majority of Americans,” Lee said in the piece. “State laws, including the California Privacy Rights Act and laws passed in Colorado, Utah, Connecticut, and Virginia, typically codify existing civil rights laws, but to date have not extended civil rights protections. The U.S. needs a law that will implement clear and meaningful civil rights safeguards.”
FPF Announces new APAC Director, Hosts Panel for Singapore Personal Data Protection Week 2022
As part of this year’sPersonal Data Protection Week in Singapore, the Future of Privacy Forum (FPF) — a global non-profit focused on data privacy, data protection and emerging technology policy — will host “Data Sovereignty, Data Transfers and Data Protection – Impact on AI and Immersive Tech” on July 21, 2022, from 9:30 a.m. to 12:30 p.m. GMT+8.
The panel will feature FPF’s recently appointed Managing Director for the Asia-Pacific (APAC) region, Josh Lee Kok Thong, who will discuss principles, practices, and policies to help businesses elevate their data governance practices and build trust in the use of advanced technologies such as artificial intelligence.
Lee joins FPF after working at the Personal Data Protection Commission Singapore (PDPC) for three years, where he helped draft Singapore’s Model AI Governance Framework and worked on the country’s strategy in AI governance. He is an Advocate and Solicitor of the Singapore Bar, a former international arbitration practitioner, and a former Assistant Director for Legal Policy in Singapore’s Ministry of Law.
Additionally, Lee co-founded LawTech.Asia, Singapore’s foremost publication on legal technology, as well as the Asia-Pacific Legal Innovation and Technology Association (ALITA). Lee is also a Research Affiliate in the Singapore Management University’s Centre for AI and Data Governance and a Voting Member of the IEEE Standards Association. For his work, he was identified as one of Asia’s Top 30 Persons to Watch in the business of law (Asia Law Portal, 2019).
As Managing Director for APAC, he and his team will drive FPF’s agenda in the region, particularly focusing on AI governance, cross-border data flows, and emerging realms like immersive technologies.
“We’re excited to welcome an experienced data protection expert and innovative thinker to our Asia Pacific team,” said Jules Polonetsky, FPF’s CEO. “FPF Asia-Pacific aims to serve in the wider Asia region as a cooperative and trusted platform of reference to advance principled privacy and data protection practices and policies supporting emerging technologies. Josh Lee and the FPF Singapore team will work closely with local stakeholders to develop these conversations within the Asia-Pacific but also will operate as a trusted communication hub between APAC and the other regions of the world.
At the upcoming panel discussion during Personal Data Protection Week in Singapore, Lee, and others, will explore the foundational differences between data localization requirements, international data transfer frameworks in data protection law, and data sovereignty. Attendees will learn about the latest APAC and global regulatory and policy developments and how businesses can better safeguard data against potential risks.
“I am excited to join the renowned team at the Future of Privacy Forum’s APAC office in Singapore and represent them at this year’s Personal Data Protection Week,” said Lee. “In my new role, I hope to work with like-minded partners to continue fostering data best practices in the APAC region as we prepare for the new opportunities and challenges in technology.”
FPF launched the Asia-Pacific office based in Singapore in August 2021. The office expands FPF’s international reach in Asia and complements FPF’s offices in the U.S., Europe, and Israel, as well as partnerships around the globe.
To see all the events FPF will support during PDPC’s Personal Data Protection Week, visit FPF.org. Follow the FPF APAC team’s activities here and sign up for the FPF APAC email list to stay in touch.
FPF Files Comments on White House Office of Science and Technology Policy Actions to Advance Privacy-Enhancing Technologies
FPF Files Comments on White House Office of Science and Technology Policy Actions to Advance Privacy-Enhancing Technologies
On July 8, 2022, FPF filed comments with the White House Office of Science and Technology Policy (OSTP) regarding specific actions that would advance the adoption of privacy-enhancing technologies (PETs).
As emerging technologies continue to offer increased speed, efficiency, productivity, commercial output, and connectivity, they rely more on the extensive collection and processing of personal data. This processing can result in data protection and security challenges. The Future of Privacy Forum (FPF) has long supported the development of PETs that can help mitigate data protection risks posed by emerging technologies.
In response to the Office’s invitation for comments and concerning the particular categories of information requested, FPF provided the following recommendations to the OSTP for the development of a national strategy on privacy-enhancing technologies:
1. Support the growing discipline of privacy engineering aimed at bridging the gap between technologies and policies through direct funding of academic research, building expertise within government, encouraging business-academia dialogues, and directing agencies to require federal contractors to incorporate PETs as appropriate to promote common standards in the discipline;
2. Recommend the establishment of a trusted inter-agency and multi-stakeholder body, including the FTC, NIST, HHS, NSF, and experts from the private sector, civil society, and academia, to provide guidance and standards-setting for de-identification and the role of PETs, with particular regard to their utility for compliance with state and federal legislation; and
3. Encourage the establishment of Administrative Data Research Networks (ADRNs) that offer de-identification tools to facilitate researcher access to data in a secure manner.
Meet Josh Lee Kok Thong, FPF Asia Pacific’s Managing Director
The Future of Privacy Forum (FPF) is thrilled to announce Josh Lee Kok Thong, FPF Asia Pacific’s new managing director. Lee is deeply passionate about the issues at the intersection of law, policy, and technology, and is a changemaker in the spheres of the law of tech, and the tech of law.
As a legal architect that hopes to re-shape relationships disrupted by technology, Josh will lead a team furthering FPF’s mission of advancing data protection best practices and the trusted development and use of emerging technologies in the region.
Learn more about Josh in the Q&A below.
Tell us about yourself. How did you come to be at FPF as the new Managing Director of our Asia-Pacific office?
It all happened rather serendipitously. While pursuing my postgraduate law degree at Berkeley, I was asked to be interviewed for an article by the Singapore Global Network (a global networking community for Singaporeans set up by Singapore’s Economic Development Board). It wasn’t anything fancy–they had just wanted to feature Singaporeans in the Bay Area. After sharing the article on LinkedIn, Dr. Clarisse Girot (whom I had previously worked with while in the Singapore Government) reached out and put me in touch with FPF CEO Jules Polonetsky; after our conversation, Jules said, “actually, we’re looking to have you in as someone more senior.”
The next thing I knew, I was connected to senior members of the team in FPF, and FPF offered me this role–which I was delighted but also very humbled to receive. It also came at a time when another global tech company had also provided an offer. All things considered, joining FPF was the right choice, as it offered me the opportunity and chance to build something unique and shape it based on my vision.
TL, DR: I’m grateful for the connections and coincidences that came together that made this role possible, and I am excited to help the wonderful team at FPF take the office–and its mission–forward!
How do you see the role of the FPF Asia-Pacific office in the essential debates in the region on protecting personal data and advancing principled data practices in support of emerging technologies?
I think the FPF Asia-Pacific office (or FPF APAC) will be able to play a key and essential role in these dialogues.
Regionally, I see three fundamental shifts impacting the emerging technology and data protection landscape—first, the demographic shift. Second, the technological shift. Third, the regulatory shift.
First, the sheer demographic gravity of the Asia-Pacific means that jurisdictions like China, India, Indonesia, and others – have not just the largest but also some of the youngest and fastest-growing populations globally.
With a young, highly digitally-savvy population that is more conscious and careful about how their information is being used and how technology impacts them, there will be a stronger impetus to implement or update data protection regimes across the region to adapt to the changing sensibilities of these constituents.
Second, there are many technological developments occurring in the region. China is a world leader in AI and blockchain technology. Jurisdictions like South Korea and Japan are investing heavily in the future of the Web and media. In Hong Kong and Southeast Asia, fintech is revolutionizing how financial services are provided. With COVID-19 still fresh in everyone’s minds, healthtech is also an area with rapid development and opportunities. These technological developments, all of which rely on vast amounts of data, mean that trust in the collection, use, processing, and transferring personal data is a critical need for regulators, industry, and civil society.
Third, regulators in the region are, one, increasingly aware of the benefits and risks of emerging technologies; two, increasingly concerned about striking a balance between data innovation and data protection and control; and three, increasingly confident of regulating in a unique way that works for them. This comes amidst a backdrop of increased geopolitical focus on Asia, greater industry competition, and heightened awareness of finding a balance between innovation and technological risk–all adding to greater regulatory uncertainty in data protection and technology regulation.
Therefore, there is a significant role for FPF– through its unique approach of listening to governments, industry, civil society, and academia–to help foster the connections and dialogues critical to building trust.
We also want to use our unique centrist position – of focusing not on what appears good or bad, but on what is objectively important – to help regulators make the most informed choices on why, how, and when to regulate data and technology. We, therefore, want to be the most effective conduit, convenor, and collaborator in the region in this space. In short, when one thinks of technology, data protection, and trust, we want FPF APAC to be top-of-mind in this region.
What are your top three priorities as you take the helm of the FPF Asia-Pacific office?
To advance FPF’s mission, the APAC office will focus on three themes: continuity, construction, and visibility.
First, continuity. Unlike other places where transitions spell sudden shocks to how things are done, the FPF APAC office will continue many of its key projects already embarked upon. These include continuing the office’s tremendous work on the 14 jurisdictional reports on consent regimes and monthly privacy landscape calls, among others. We also want to emphasize our desire to build upon and nurture relationships already built with existing stakeholders, even as we also foster new ones.
Second, construction. FPF APAC will seek to construct a regional ecosystem of members, partners, and friends that is able to share perspectives, intelligence, and insights. After all, in a huge region with a multitude of views and stakeholders, it takes more than just two hands to clap. This collaborative network of partnerships is ultimately how we can be of value to our members and stakeholders, and further FPF’s mission and vision in the region.
Third, visibility. To ensure that FPF becomes and remains top-of-mind in policy and regulatory discussions in the region, we want to be a lighthouse amidst the constant changes and shifts in this space. FPF APAC will focus on being the trusted partner and advisor in understanding regulatory and technology developments as they come, and understand how to convey this information across in the most digestible way possible–so that important insights reach members and stakeholders in the right place, at the right time, and in the right way.
What are you reading or what podcasts are you listening to these days in relation to data protection?
Interested in learning more about FPF APAC and the APAC Council? Contact [email protected] to connect with the FPF Membership Team to learn more.
New Report on Limits of “Consent” in Indonesia’s Data Protection Law
Introduction
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the seventh in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Indonesia, including:
notice and consent requirements for processing personal data;
the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Indonesia’s Data Protection Landscape
Currently, Indonesia has no comprehensive data protection law, though draft legislation in the form of a Personal Data Protection Bill (PDP Bill) was introduced in Indonesia’s Parliament in 2020. Under Indonesia’s existing law, provisions on personal data protection can be found in several different sectoral laws and regulations, including the digital, health, and finance sectors.
Role and Status of Consent as a Basis for Processing Personal Data in Indonesia
Indonesia’s existing laws rely heavily on consent as a mechanism for privacy self-management.
Consent serves as the primary or default justification for collecting, using, and disclosing personal data, subject to narrow exceptions and, at least in some sectors, other data protection principles, such as data minimization, purpose specification, and lawfulness and fairness of data collection.
It is also usually mandatory to obtain data subjects’ express consent as existing laws and regulations generally do not recognize implied or inferred forms of consent.
In the digital sector, operators of electronic systems must obtain consent in written form in the Indonesian language and provide information on the purpose and objective of data collection before collecting and processing personal data. It remains unclear whether laws and regulations provide alternative legal bases beyond consent for processing personal data.
In the health sector, consent is required to use personal data and/or medical records in health research and must generally be informed and recorded in written form. Data subjects must be provided with clear information on the purpose, method, and risks of the research, and the possible research outcomes, including any potential negative impact on them.
In the financial sector, banks, insurance providers, and peer-to-peer lenders must obtain written consent from consumers before providing or disclosing consumer information to any third party, unless applicable laws and regulations provide otherwise. Peer-to-peer lenders must also obtain consent to collect and process personal data and must ensure the confidentiality and integrity of the personal data, transactional data, and/or financial data from the time that such data is collected until it is erased.
Looking to the future: legal bases for processing in the PDP Bill
Compared with Indonesia’s existing laws, the current draft of the PDP Bill provides several legal bases for processing personal data.
One such basis is consent, which must be:
specific to one or more purposes communicated to the data subject; and
recorded (though consent may be given in writing or verbally).
Apart from consent, the current draft of the PDP Bill provides for other legal bases which apply where the processing of personal data is:
necessary:
for the performance of a contract to which the data subject is a party;
to fulfill a request of the data subject prior to entering into a contract; or
to comply with a statutory obligation that weighs on a data controller;
to protect the vital interests of the data subject;
in exercise of the data controller’s authority under applicable laws and regulations;
to fulfill the data controller’s obligation to provide services in the public interest;or
to fulfill other legitimate interests, after balancing the data controller’s and data subject’s respective interests.
However, note that since the PDP Bill has not yet been enacted, these provisions are still subject to change.
FPF Files Comments on Colorado Privacy Act Pre-Rulemaking Activity
Today, the Future of Privacy Forum (FPF) filed comments with the Colorado Department of Law regarding forthcoming rulemaking under the Colorado Privacy Act (CPA). The CPA, which goes into effect in July 2023, will establish important new data privacy rights, controls, and protections for individuals in Colorado.
FPF’s comments are directed toward ensuring that forthcoming regulations support the effective exercise of new privacy rights, maximize clarity for business and nonprofit compliance efforts, and promote interoperability with emerging U.S. and global privacy frameworks where appropriate, particularly where the CPA uses consistent language as other jurisdictions.
Specifically, FPF recommends that forthcoming CPA regulations should:
Clarify the approval and role of universal opt-out mechanisms in the context of today’s labyrinth of existing permission frameworks, including in non-authenticated interactions and their application to off-site data.
Ensure that the CPA’s high standard for obtaining valid consumer consent is realized in practice by providing that consent must be freely revocable and establishing limits on inappropriate “bundling” of consent for disparate processing purposes.
Provide appropriate guidance, flexibility, and interoperability for conducting meaningful data protection impact assessments, informed by best practices developed by regulators in both U.S. and global jurisdictions with comparable requirements.
Establish that a broad range of ‘profiling’ decisions are subject to consumer opt-out rights and follow best practices for automated decision-making transparency so that Coloradans are fully empowered to exercise their rights.
Adopt a definition of “biometric data” that protects individual privacy interests by limiting invasive and non-consensual tracking and identification.
Future of Privacy Forum and Israel Tech Policy Institute Cyber Week Delegation, 2022
Last week, The Future of Privacy Forum’s (FPF) Israel Tech Policy Institute (ITPI) welcomed a delegation of trailblazing privacy professionals from around the world to participate in Tel Aviv University’s Cyber Week conference and to meet with start-ups, regulators, and academics.
The week started with an illuminating tour of the Peres Center for Peace & Innovation, followed by a trip to Team8 headquarters and a roundtable discussion with Duality, a leading developer of privacy protection homomorphic encryption technology.
Around the table sat government officials (from Europe and the U.S.) alongside chief privacy officers of leading fintech, education, and transportation companies, gathering to discuss the current and future landscape of privacy regulation and practice.
At night, the delegation gathered to celebrate Cyber Week at an FPF and Goodwin reception, providing an opportunity to socialize, eat, and network with leading attorneys in the privacy space from around the world.
For the next morning’s event, Stacey Gray, FPF’s Director of Legislative Research and Analysis, led an engaging discussion surrounding the rapidly changing landscape of U.S. Privacy Policy, featuring Chegg Sr. Assistant General Counsel Bekah Putz, Streetlight Data CPO Kara Selke, Plaid CPO Sheila Jambekar, and Gravy Analytics CPO Jason Sarfati.
Together, the group discussed the difficulties inherent in reconciling state laws and instability across sectorial regimes of enforcement, and assessed the uncertain path forward for federal legislation. Speakers flagged the need to establish shared definitions when drafting contracts, and the general practice of referring to California’s CCPA as a benchmark for compliance across the nation. An interesting discussion surrounding “Dark Patterns” – and how far symmetry in website design must truly go – ensued, with critiques on the concept of total symmetry. Amit, Pollack, Matalon & Co graciously hosted the FPF event, which included breakfast for participants to connect over before the event began.
Apple’s Jane Horvath, the Federal Trade Commission’s Noah Phillips, and the European Commission’s Karolina Mojzesowicz examined methods of ensuring competition and innovation while supporting consumer data protection. Consumer role inhabited much of the conversation, with Horvath advocating for the consumer to be at the center of the discussion regarding tensions between security and privacy; Mojzesowicz echoed this desire, hoping to place decision-making power – regarding what is done with data and who profits from it – at the hands of the individual. Mojzesowicz explained that “there is no privacy without security,” while FTC Commissioner Phillips elaborated that online security is a necessary prerequisite to people feeling protected in their privacy. Throughout the discussion, panelists examined how to navigate the technical and legal complexities of these tensions, their roles in the marketplace, and visions for their hopes in finding the right balance.
Panelists included FTC Commissioner Noah Phillips, eBay CPO Dr. Anna Zeiter, AppsFlyer Legal Counsel Leor Hurwitz, and Apple CPO Jane Horvath, who each commented on their optimism regarding advertising’s future. While Commissioner Phillips highlighted the importance of carefully balancing trade-offs in user experience and increased privacy, Zeiter discussed limiting 3rd party cookies and investigating uses of Privacy Enhancing Technologies. Horvath explained the appropriate uses and restrictions for the use of Apple’s technical identifiers, the importance of educating consumers on the implications of their consent, and the need for patience as companies adjust from opt-out to the newly implemented opt-in data access system. Hurwitz highlighted the value in developing new data technologies to improve the ecosystem as a whole, citing data clean rooms, scalable cryptographic solutions, aggregation, and conversion modeling as some potentially useful models of privacy by design. All panelists shared optimism about a future where privacy and advertising co-exist, leveraging technological innovation, careful regulation, and user experiences as key avenues to navigate the path forward.
Goodwin’s Lore Leitner then led a panel discussion entitled International Data Flows: From Legal Restrictions to Sufficient Safeguards. EU Commission’s Bruno Gencarelli, Google CPO Keith Enright, Duke University Professor David Hoffman, and TransUnion CPO Shoshana Gillers spoke on the varying international legal regimes, frustration over the lack of a Safe Harbor between the US & EU, and the complexity of the issue. Key comments included focusing on increased consumer demand and expectations of privacy, concerns about data localization, and insights on positive developments in technology coexisting with opportunities to improve regulation. Audience questions further sparked discussion on the complexity of regulating smaller entities within the space, and the importance of cost-benefit analysis regarding every contract, transaction, and international data transfer.
FPF’s Data Protection Conference at Cyber Week continued with a presentation of the Distinguished Public Service Award to Amit Ashkenazi, a leading public figure in Israeli privacy and security law. Goodwin’s Omer Tene provided an overview of how Ashkenazi helped set up the Israel Privacy Protection Authority–serving as its first Head of Legal Department–after spending a decade at the Ministry of Justice Legislation and Counseling Department. Ashkenazi reflected on his time in service after the award presentation, emphasizing the importance of creating agile regulations with sufficient resources for enforcement. Ashkenazi shared his excitement for bringing the GDPR’s abstract concepts to new, Israel-specific legal formulations, and demonstrated pride in the experiment of regulating technology through government action, displaying a clear enthusiasm that continuous innovations in law can protect, build, and empower both technology and privacy industries.
FPF’s delegation concluded their Cyber Week formal events by meeting with the Israel Privacy Protection Authority (IPPA) for a conversation about Privacy Enhancing Technologies (PETs). Gilad Semama, IPPA’s commissioner, highlighted that Israel serves as a world leader in the PET space, fostering Privacy by Design solutions alongside innovative technologies from start-up companies.
Commissioner Semama emphasized the importance of tailoring PETs to specific circumstances, data, and usage, and explained how certainty in legal standards could support broader uses of PETS by government and industry. In an animated roundtable discussion, the FPF delegates had an opportunity to comment on their company’s PET uses, potential new solutions, and the role of regulation. Many advocated for the creation of regulatory sandboxes, while others explained the tension between innovation and safety teetering with PETs, as regulatory uncertainty places a cooling effect on innovation. Placing privacy at the heart of responsible technologies can help balance human rights of all types with company interests, and PETs can serve as a potential solution; however, instilling a sense of urgency in understanding, building, scaling, and implementing these technologies may be key to their successes (or failures). FPF plans to work on efforts to collaborate globally with regulators interested in advancing PETS.
Later that evening, FPF’s Delegation reconvened to explore Tel Aviv’s Jaffa neighborhood through a guided walking (and eating) tour of the neighborhood, filled with historical information, Shakshuka, and rooftop sunset views. The next day, the group ventured to Jerusalem for a day of touring and activities.
The tour started at the Israel Museum, with an explanation of historic Jerusalem alongside mini modeling of the city, followed by a visit to the Mount of Olives, the Dead Sea Scrolls, and a guided tour of the Western Wall Tunnels and the Church of the Holy Sepulcher.
FPF and ITPI are proud to have hosted this incredible group of delegates in Israel for this year’s Cyber Week Conference, and confident that all who joined gained an in-depth awareness of the complexity surrounding many privacy debates, technologies, and regulations. Through social events, informal conversations, and informative programming, the delegation gathered insights to bring back to their companies while forming bonds, memories, and conversations with other privacy professionals.
To all who participated, thank you! FPF members or prospective members interested in participating in next year’s Israel delegation and future trips to the APAC region should contact Membership Director Judy Gawczynski at [email protected].
