Shining a Light on the Florida Digital Bill of Rights

On May 4, 2023, the Florida ‘Digital Bill of Rights’ (SB 262) cleared the state legislature and now heads to the desk of the Governor for signature. SB 262 bears many similarities to the Washington Privacy Act and its progeny (specifically the Texas Data Privacy and Security Act). However, SB 262 is unique given its narrow scope of businesses regulated and other significant deviations from current trends in U.S. state privacy legislation, as well as its inclusion of a section in the style of Age-Appropriate Design Code (AADC) regulations but with broader application than the “comprehensive” parts of the bill. This blog highlights five unique and key features of the Florida Digital Bill of Rights: 

1) SB 262 includes a section on “Protection of Children in Online Spaces”, which draws inspiration from the California AADC but diverges in many key aspects.

2) The scope of the comprehensive privacy provisions of SB 262 covers only businesses making $1 billion in revenue and meeting other threshold requirements. 

3) SB 262 creates both familiar and novel consumer rights surrounding sensitive data and targeted advertising, raising compliance questions. 

4) Under SB 262, controllers and processors will have new responsibilities including creating retention schedules and disclosure obligations for the sale of sensitive or biometric data. 

5) Businesses regulated under SB 262 that utilize voice or face recognition, or have video or audio features in devices, will be subject to heightened restrictions for data collected through these services, regardless of whether the device can identify an individual.

Additionally, FPF is releasing a chart to help stakeholders assess how SB 262’s “Protections for Children in Online Spaces” compares to the California Age-Appropriate Design Code Act (California AADC).

1. The “Protection of Children in Online Spaces” Section Draws Inspiration from the California AADC but Diverges in Many Key Aspects

Many amendments were added to SB 262 at the eleventh hour, including several provisions on the ‘Protection of Children in Online Spaces’ (“Section 2”). FPF’s comparison chart assesses each requirement of Section 2 against the California AADC. Section 2 will govern a far broader set of covered entities than the bulk of SB 262’s provisions on privacy, and while it clearly incorporates language and concepts from the California AADC, it contains significant deviations in both scope and substance.

Scope of covered entities

The scope of entities subject to Section 2 is both broader and narrower than the California AADC. While the California AADC broadly applies to all online products, services, and features that are “likely to be accessed by children” under age 18, Section 2 only applies to “online platforms,” covering social media and online gaming platforms. The definition of “social media platform” includes “a form of electronic communication through which users create online communities or groups to share information, ideas, personal messages, and other content” and does not list any exemptions. “Online gaming platforms” is undefined. While seemingly narrower in scope than the California AADC, Section 2 contains no minimum revenue or user applicability thresholds, meaning that smaller businesses not subject to California’s law may be within scope. Additionally, it is possible that the scope of “social media platform” could encompass a number of non-obvious organizations, depending on how broadly the definition is construed.

No explicit DPIA or age estimation requirements

While Section 2 does not require a data protection impact assessment (DPIA) as required by the California AADC, it instead places a burden of proof on online platforms to demonstrate that processing personal information does not violate any of the law’s prohibitions. Covered platforms may therefore ultimately need to conduct a DPIA or similar assessment to meet this burden of proof.

Like the California AADC, Section 2 defines a child as an individual under 18, though, unlike the AADC, Section 2 does not affirmatively require age estimation. Section 2 also modifies the California AADC’s “likely to be accessed by children” standard to include predominantly likely to be accessed by children, but does not lay out any factors for assessing whether a service is likely to be accessed by children.

Prohibitions

Two key points on which Section 2 of SB 262 diverges from the California AADC are in the restrictions on processing and profiling.

Under Section 2, covered services may not process the personal information of a person under 18 if they have actual knowledge or willfully disregard that processing may result in “substantial harm or privacy risk to children.” The absence of affirmative age estimation requirements and the inclusion of an “actual knowledge or willfully disregard” knowledge standard modifier could be a response to First Amendment objections raised in the NetChoice v. Bonta litigation seeking to strike down the California AADC. The “substantial harm or privacy risk” language is reminiscent of California AADC’s prohibition on processing children’s data in a materially detrimental manner. However, while “material detriment” is undefined in California AADC, Section 2 defines “substantial harm or privacy risk” to include: mental health disorders; addictive behaviors; physical violence, online bullying and harassment; sexual exploitation; the promotion and marketing of tobacco, gambling, alcohol, or narcotic drugs; and predatory, unfair, or deceptive marketing practices or other financial harms.

Both the California AADC and Section 2 contain limits on profiling of people under 18 except in certain circumstances. While both contain an exception for when necessary to provide an online service, product, or feature, the California AADC contains an exemption if the business can demonstrate a “compelling reason that profiling is in the best interests of children.” In contrast, Section 2 contains an exemption if an online platform can demonstrate a compelling reason that profiling does not “pose a substantial harm or privacy risk to children.” It is possible that the affirmative showing required by the California AADC may be a higher threshold to meet than that of Section 2, especially given that the “best interests of children” standard is undefined and is not an established U.S. legal standard outside of the family law context. Furthermore, profiling is defined more broadly in Section 2 to include “any form of automated processing performed on personal information to evaluate, analyze, or predict personal aspects relating to the economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of a child,” rather than “any form of automated processing of personal information to evaluate aspects relating to a person.”

2. The Digital Bill of Rights’ ‘Comprehensive’ Privacy Provisions Will Cover Very Few Businesses.

The types of entities subject to the remaining bulk of SB 262’s ‘comprehensive’ privacy provisions outside of Section 2 are much narrower than comparable U.S. state privacy laws, even the more limited ones. Florida SB 262 will only apply to a handful of companies that meet a threshold annual gross revenue requirement of $1 billion and either (1) make over 50% of revenue from targeted advertising, (2) operate a “consumer smart speaker and voice command component,” or (3) operate an app store with at least 250,000 software applications. This can be compared to recently enacted privacy laws in Iowa and Indiana, which will apply to businesses that either process personal data of at least 100,000 state residents or derive 50% of gross revenue from the sale of personal data of at least 25,000 consumers. Though the terms “targeted advertising” and “consumer smart speaker” in SB 262 could be construed liberally, the revenue requirement means that Floridians will not receive new rights or protections with respect to the vast majority of businesses that collect their personal data in the Sunshine State.

3. The Bill Creates A Complex Stack of both Familiar and Novel Consumer Rights 

SB 262 will establish many rights that are now familiar from U.S. state privacy laws, including confirmation of processing, correction of inaccuracies, deletion, obtaining a copy of a person’s personal data in a portable format, and the ability to opt out of “solely” automated profiling in furtherance of decisions that produce legal or similarly significant effects. However, there are a number of new and unique provisions in the consumer rights sections: 

4. Controllers and Processors Will Have New Responsibilities for Purging Data and Disclosing Certain Practices

Unlike existing comprehensive state privacy laws, SB 262 would require that covered businesses and their processors implement a retention schedule for the deletion of personal data. The text of this provision appears influenced by the Illinois Biometric Information Privacy Act (BIPA). Under SB 262, controllers or processors may only retain personal data until (1) the initial purpose for the collection was satisfied; (2) the contract for which the data was collected or obtained is expired or terminated; or (3) two years after the consumer’s last interaction with the regulated business (subject to exceptions). However, unlike BIPA, SB 262 would not require that the retention schedule be made publicly available and would permit retention necessary to prevent or detect security incidents.

Further, in addition to the typical privacy notices required by state comprehensive laws, SB 262 creates two distinct disclosure requirements. First, again similar to Texas HB 4, if a controller sells sensitive or biometric data, they must provide the following notice: “NOTICE: This website may sell your [sensitive and/or biometric] personal data and/or biometric personal data.” Second, a controller that operates a search engine is required to disclose the main parameters in ranking results, “including the prioritization or deprioritization of political partisan or political ideology” in search results.

5. Businesses that Utilize Voice or Face Recognition, or Have Video or Audio Features in Devices, Have Particular but Perplexing Obligations

Finally, one of SB 262’s most unique provisions is a requirement that covered businesses may not provide consumer devices that engage in “surveillance” when not in active use unless “expressly authorized” by the consumer. Though “surveillance” and “active use” are not defined, the prohibition applies to devices that have any of the following features: voice recognition, facial recognition, video recording, audio recording, “or other electronic, visual, thermal, or olfactory feature” that collects data. SB 262 further fails to define “express authorization,” raising questions as to whether express authorization is analogous to “consent” under the bill, or if a higher standard will be required for express authorization, such as that required in the recently enacted Washington State “My Health, My Data” Act.

SB 262 further provides consumers with the right to opt out of personal data collected by voice or face recognition systems. Voice recognition is broadly defined as collecting, storing, analyzing, transmitting, and interpreting spoken words or other sounds – seemingly encompassing almost all audio-based consumer-facing systems. Facial recognition and the other features are not defined, though one can infer they would have a similarly broad definition as voice recognition. As a result, despite SB 262’s requirement that “biometric data” be used for unique identification of an individual in order to be subject to the legislation’s requirements for sensitive data, most general voice and face systems unrelated to identification will still need to provide consumers the ability to opt out under these provisions. These restrictions and requirements may prove difficult for the functionality of some products that rely on these features, such as accessibility features that use natural language processing to transcribe spoken words. Moreover, despite SB 262’s revenue threshold, these prohibitions and restrictions will likely flow down, through contractual agreements and requirements, to any other entity utilizing (or having a software plug-in to) voice assistant devices like Amazon Echo or Apple Siri for customer service, customer ordering, or other forms of user engagement.

Conclusion

Given that many of the consumer rights and business obligations of SB 262 will directly apply to very few businesses, it is understandable why the Florida Digital Bill of Rights may have flown under the radar thus far. However, SB 262 is worth a close read, particularly the short-but-impactful section on “Protection of Children in Online Spaces” and provisions creating novel consumer rights. Given Governor DeSantis’ public support for the legislation, we can anticipate the Digital Bill of Rights will be enacted shortly and will go into effect on July 1, 2024, giving stakeholders just over a year to understand compliance obligations. We note, however, that the specific consumer rights and business obligations under SB 262 may evolve as the State Attorney General’s office is granted both mandatory and permissive rulemaking authority.

New FPF Report: Unlocking Data Protection by Design and by Default: Lessons from the Enforcement of Article 25 GDPR

On May 17, the Future of Privacy Forum launched a new report on enforcement of the EU’s GDPR Data Protection by Design and by Default (DPbD&bD) obligations, which are outlined in GDPR Article 25. The Report draws from more than 92 data protection authority (DPA) cases, court rulings, and guidelines from 16 EEA member states, the UK, and the EDPB to provide an analysis of enforcement trends regarding Article 25. The identified cases cover a spectrum of personal data processing activities, from accessing online services and platforms, to tools for educational and employment contexts, to “emotion recognition” AI systems for customer support, and many more.

The Report aims to explore the effectiveness of the DPbD&bD obligations in practice, informed by how DPAs and courts enforced Article 25. For instance, we analyze whether DPAs and courts find breaches of Article 25 without links to other infringements of the regulation and what provisions enforcers tend to apply together with Article 25 the most, including the general data protection principles and requirements related to data security under Article 32. We also look at what controls and controller behavior are and are not deemed sufficient to comply with Article 25.

The GDPR’s DPbD&bD provisions in Article 25 oblige controllers to: 1) adopt technical and organizational measures (TOMs) that, by design, implement data protection principles into data processing and protect the rights of individuals whose personal data is processed; and 2) ensure that only personal data necessary for each specific purpose is processed. Given the breadth of these obligations, it has been argued that Article 25 makes the GDPR “stick” by bridging the gap between its legal text and practical implementation. GDPR’s DPbD&bD obligations are seen as a tool to enhance accountability for data controllers, implement data protection effectively, and add emphasis to the proactive implementation of data protection safeguards.

Our analysis on the enforcement, and ultimately the effectiveness, of Article 25 is all the more important, given the increasing development and deployment of novel technologies involving very complex personal data processing, like Generative AI, and rising data protection concerns. Understanding how Article 25 obligations manifest in practice and the requirements of DPbD&bD may prove essential for the next technological age.

This Report outlines and explores the key elements of GDPR Article 25, including the:

Additionally, we analyze the individual concepts of “by Design” and “by Default,” identify divergent enforcement trends, and explore three common applications of Article 25 (direct marketing, privacy preservation and Privacy Enhancing Technologies (PETs), and EdTech). This Report also includes a number of Annexes that seek to provide more information on the specific cases analyzed and a comparative overview of DPA enforcement actions. 

Our analysis determines that European DPAs diverge in how they interpret the preventive nature of Article 25 GDPR. Some are reluctant to find violations in cases of isolated incidents or where Article 5 GDPR principles are not violated, while others apply Article 25 preventively before further GDPR breaches or even planned data processing. Our research also finds that most DPAs are reluctant to specify appropriate protective measures and to explicitly outline the role of PETs. Ultimately, the Report shows that despite the novelty of Article 25, and the criticism surrounding its vague and abstract wording, it is a frequent source of some of the highest GDPR fines, highlighting the need for organizations to maintain a firm grasp over the concepts of DPbD&bD.

Vietnam’s Personal Data Protection Decree: Overview, Key Takeaways, and Context

Author: Kat MH Hille

The following is a guest post to the FPF blog from Kat MH Hille, an attorney with expertise in corporate, aviation, and data protection law. She graduated with a J.D. from the University of Iowa, School of Law, and has extensive experience practicing law in both the United States and Vietnam (contact: https://www.linkedin.com/in/katmhh/). The guest blog reflects the opinion of the author only. Guest blog posts do not necessarily reflect the views of FPF.

On April 17, 2023, the Vietnamese Government promulgated the Decree of Personal Data Protection (Decree), which was initially published as a draft on February 9, 2021 and went through several revisions. Before the Decree’s issuance, personal data protection in Vietnam was governed by 19 different laws and regulations, resulting in a fragmented legal framework. The Decree aims to fill these gaps and provide a comprehensive and uniform approach to personal data protection in Vietnam, extending safeguards for personal data to over 97 million people.

This post provides an overview of the Decree, including key dates, context, legal effects, requirements and how they fare with other comprehensive data protection law regimes around the world. Building on this foundation, certain key provisions and notable features of the Decree warrant attention, including:

These provisions will be discussed in detail below.

1. Overview

The Decree is significant despite its lower status in Vietnam’s hierarchy of laws

As personal data protection is a new and developing area of law in Vietnam, Vietnam’s first legislative instrument on personal data protection takes the form of a “decree,” which is ranked lower in Vietnam’s statutory hierarchy than a code or law, and it is the result of executive action. A benefit of enacting a decree is that it can be done so more easily, without the need for approval from the National Assembly. Nevertheless, the Vietnamese Government’s goal is to ultimately enact a comprehensive and robust law for effective and enforceable personal data protection in 2024, according to a Decision issued by the Prime Minister in January 2022.

However, the Decree’s status means that in the event of conflicting regulations on the same issue, codes and laws would take precedence over the Decree. That said, the Decree remains the first comprehensive personal data protection regulation in Vietnam. Despite its lower legal status, the Decree still carries significant weight and impact in regulating personal data protection in Vietnam, and those who fail to comply with its provisions will still face legal consequences.

The Decree incorporates a unique blend of global standards and Vietnamese characteristics

Like other data protection laws inspired by the European Union (EU)’s General Data Protection Regulation (GDPR), the Decree sets out the responsibilities of organizations and individuals that process personal data, as well as the rights of individuals over their personal data.

However, the Decree also includes unique provisions that are specific to Vietnam’s context, such as a prohibition on the sale and purchase of personal data through any means, unless otherwise provided by law (Article 3.4), which may have significant consequences on the activity of data brokers and other businesses engaged in commodification of personal data. Additionally, organizing the collection, transfer, purchase, or sale of personal data without the consent of the data subject, or establishing software systems or implementing technical measures for these purposes, constitutes a violation of the Decree.

The Decree introduces the concept of “Personal Data Controllers and Processors,” which are entities or individuals that function both as Personal Data Controllers and Personal Data Processors. This definition is unique to the Decree and distinguishes it from other data protection laws around the world that typically only recognize the separate categories of Personal Data Controllers and Personal Data Processors. While the inclusion of Personal Data Controllers and Processors is meant to provide greater clarity and precision in defining the roles and responsibilities of different actors involved in personal data processing, it may actually add unnecessary complexity to the already complex landscape of privacy laws. This is because a single entity could be classified as both a Personal Data Controller and a Personal Data Processor depending on the specific definition being used, making it difficult to navigate and comply with the requirements of different privacy laws across different jurisdictions.

Further, the enacted Decree does not include a specific fine structure for violation of the Decree (the 2021 draft of the Decree proposed specific fines for single violations of the Decree, including fines of up to 5% of a personal data processor’s revenue for the most serious violations). Rather, the enacted Decree outlines a general provision that violators may be subject to disciplinary action, administrative penalties, or criminal prosecution, depending on the seriousness of the offense. 

Furthermore, compared with the 2021 draft of the Decree, the final Decree does not provide for the establishment of a personal data protection commission to enforce the regulation. Rather, the Decree assigns responsibility for enforcing its requirements to an existing agency within the Ministry of Public Security (MPS), the Cybersecurity and High-Tech Crime Prevention Department (A05).

While MPS will need to clarify key provisions in subsequent regulations, the Decree creates the first comprehensive foundation to govern data processing activities in Vietnam. The Decree will take effect on July 1, 2023, giving organizations only two months to make the necessary adjustments to their business and operations in order to comply with the new regulations. Significant aspects of the Decree are explored below in greater detail.

2. The (extra)territorial scope introduces a nationality criterion for covered entities

The Decree applies to Vietnamese agencies, organizations, and individuals (whether based within or outside of Vietnam), and to foreign agencies, organizations, and individuals that are either based in Vietnam or that are based overseas and directly participate in or are otherwise involved in personal data processing activities in Vietnam. 

Note that “personal data processing” covers a wide range of activities in relation to personal data, including collection, recording, analysis, verification, storage, alteration, disclosure, combination, access, retrieval, erasure, encryption, decryption, copying, sharing, transmission, provision, transfer, and deletion, as well as other related actions (Article 2.7).

There is still ambiguity as to the distinction between being “involved in” and “directly participating in” personal data processing activities, as well as the level of involvement with such activities that would bring a party within the scope of the Decree. Clarity on these issues through further regulations or guidance would be useful, especially considering that many third-party service providers or software vendors may arguably have some involvement in processing personal data.

3. The Decree recognizes a slightly different set of covered actors than other data protection laws

The Decree covers four categories of parties who process personal data:

In recognizing a distinction between controllers and processors, the final Decree removes ambiguity that was present in the 2021 draft of the Decree, which only provided for two categories of actors: personal data processors and third parties.

4. New processing principles, such as “no sale and purchase of personal data by any means”

The Decree outlines eight principles that govern data processing activities, which are similar to those recognized by the GDPR, including lawfulness, transparency of processing, purpose limitation, data minimization, accuracy, storage limitation, and appropriate measures to ensure the security of personal data. However, there are some notable differences.

Sale or Purchase of Personal Data: The Decree takes a more stringent stance than the GDPR by explicitly prohibiting the sale and purchase of personal data in any form, unless otherwise permitted by law. However, another provision in the Decree states that the act of “setting up software systems, technical measures or organization of the … purchase and sale of personal data without the consent of the data subject” is a violation (Article 22). Read together, the two provisions appear to imply that the purchase or sale with consent from the data subject could be permissible. Due to its ambiguity, further clarification is needed.

This stringent prohibition is a direct response to the numerous cases of personal data misuse that have occurred in Vietnam in recent years, including identity theft, financial fraud, intrusive advertising, and the exploitation of vulnerable individuals. A report showed that in 2022 alone, more than 17 million pieces of personal data were illegally harvested and sold for fraud and each personal data entry has been traded 987 times per day. However, the inclusion of a strict prohibition may conversely have a significant impact on industries that rely heavily on the use of personal data to drive innovation and business growth. It is possible that future circulars or guidelines may provide more clarity on this issue, including potential exceptions or allowances for certain use cases.

Notwithstanding this broad prohibition, PDCs and PDCPs may still share personal data with others if they obtain the data subject’s consent to do so, except when such sharing could harm national defense, national security, or public order and safety or could affect the safety or physical or mental health of others (Article 14). However, business entities and individuals providing marketing, product launching, and advertising services may only utilize personal data of their customers collected through their own business activities for conducting such services, if they obtain the data subject’s consent (Article 21).

Purpose Limitation: The Decree imposes a stricter purpose limitation compared to the GDPR, which allows for additional processing if it is compatible with the original purpose. Under the Decree, personal data can only be processed for the specific purposes that have been “registered” or “declared” by the PDC, PDP, PDCP, or TP. This requires these entities to ensure that their data processing activities do not deviate from or expand upon the registered and declared purposes. However, it is important to note that the Decree does not provide any guidance on how processing purposes are to be registered.

5. Covered data: broad definition of sensitive personal data, and stricter accountability rules for its processing

The Decree provides a broad definition of personal data, aligned with other comprehensive data protection laws. It defines personal data as any information that is expressed in the form of symbol, text, digit, image, sound or in similar forms in an electronic environment that is associated with a particular natural person or helps identify a particular natural person. Personally identifiable information means any information that is formed from the activities of an individual and, when used with other maintained data and information, can identify such particular natural person.

The Decree categorizes personal data into two groups: basic personal data and sensitive personal data, and includes an additional set of rules for the latter. 

Basic personal data includes the following forms of personal data:

Sensitive personal data is defined as personal data related to an individual’s privacy, a breach of which would directly affect the individual’s legitimate rights and interests. 

The Decree provides a non-exhaustive list of types of personal data that would be considered sensitive, including:

The list of sensitive personal data provided is more extensive than the GDPR’s definition of sensitive personal data. It includes types of data such as customer information from financial institutions and location data obtained through location services. As non-cash transactions and targeted advertising become increasingly prevalent in Vietnam, these types of data are frequently collected by most businesses. As a result, a wider range of entities, including small and medium businesses, may be subject to sensitive personal data protection requirements due to the broad scope of the list.

The Decree imposes more stringent protection measures for sensitive personal data than for basic personal data. For instance, regulated entities that process sensitive personal data must specifically notify data subjects of any processing of their sensitive personal data. Organizations that are covered by the Decree also must designate a department within their organization and appoint an officer who will be responsible for overseeing the protection of sensitive personal data and communicating with the A05.

Nevertheless, it is important to note that small, medium, and start-up enterprises are given a grace period of 2 years from their establishment to comply with these sensitive data requirements, unless such enterprises are directly engaged in processing personal data (Article 43). To qualify for the exemption, companies in agriculture, forestry, aquaculture, industrial, and construction sectors must have fewer than 200 employees and annual revenue below 200 billion Vietnamese dong (equivalent to approximately 8.7 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD), while commercial and service sector companies must have fewer than 100 employees and annual revenue below 300 billion Vietnamese dong (approximately 13 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD) in accordance with Decree No. 80/2021/ND-CP (2021) on Elaboration of Articles of the Law on Provision of Assistance for Small and Medium Enterprises.

6. Legal bases for processing personal data: no “legitimate interests,” but introducing “publicly disclosed” personal data

The Decree recognizes six legal bases for processing personal data, namely:

Additionally, under Article 18 of the Decree, competent governmental agencies may obtain personal data from audio and video recording activities in public places without the consent of data subjects. However, when conducting recording activities, the authorized agencies and organizations are responsible for informing data subjects that they are being recorded.

Notably, the Decree does not provide a “legitimate interests” lawful ground like the GDPR. Nevertheless, legitimate interests are recognized in other provisions of the Decree. In particular, Article 8 stipulates “Prohibited Acts,” including processing personal data to create information that affects the “legitimate rights and interests of other organizations and individuals”.

As for “valid consent”, there are several conditions that must be met when obtaining it, pursuant to Article 11 of the Decree:

The given consent remains valid until it is withdrawn by the data subject or until a competent state agency requests otherwise in writing. PDCs and PDCPs bear the burden of proof in case of a dispute regarding the lack of consent from a data subject. 

Data subjects may request to withdraw their consent to processing of their personal data (Article 12). When a data subject does so, the PDC or PDCP must inform the data subject of any potential negative consequences or harms from the withdrawal of consent.

If the data subject still wishes to proceed, all parties involved in processing the personal data, including the PDC or PDCP and any PDPs or TPs, must cease processing the personal data. There is no set time frame for fulfilling this obligation, but it should be done within a reasonable period of time. 

The withdrawal of consent must be in a format that can be printed, copied in written form, or verified electronically. The withdrawal of consent shall not render unlawful any data processing activities that were lawfully performed based on the consent given prior to the withdrawal.

7. The rights of the data subject include transparency and control rights, but also rights to legal remedies

Article 9 of the Decree provides data subjects with 11 rights over their personal data, which are linked to corresponding obligations on entities that process personal data:

Note that all of these rights are subject to exceptions provided by the Decree or other relevant laws.

7.1. Transparency requirements include detailed notices and access rights on a tight deadline

According to Articles 11 and 13, before processing a data subject’s personal data, a PDC or PDCP must provide a notification to the data subject containing the following information:

However, such notification is not required when personal data is being processed by a competent state authority or if the data subjects have been fully informed of, and have given valid consent to, the processing of their personal data.

Data subjects have the right to request that PDCs and PDCPs provide them with a copy of their personal data or share a copy of their personal data to a third party acting on their behalf (Article 14). The PDC or PDCP must fulfill such a request within 72 hours of receiving it. 

The request must be submitted in the Vietnamese language and made in a standardized format as set out in the Appendix to the Decree. The request must include the requester’s full name, residential address, national identification number, citizen identification card number, or passport number; fax number, telephone number, and email address (if any); and the form of access and the reason and purpose for requesting the personal data. The data subject must also specify the name of the document, file, or record to which their request pertains (Article 14.6). This requirement can impose a significant burden on data subjects, as they may not always be fully aware of which documents or records contain their personal data. Additionally, the complexity of data processing can further complicate matters and make it difficult for the data subject to identify the relevant documents.

It is important to note that, unlike the GDPR, the Decree does not require a PDC or PDCP to provide data subjects with comprehensive information about the processing of their personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. 

Moreover, there are certain circumstances in which a PDC or PDCP is not required to provide the data subject with a copy of their personal data. These include where:

7.2. The Decree provides for an absolute right to object to processing, as well as correction and deletion rights

A PDC or PDCP must promptly fulfill a data subject’s request to access their personal data, correct their personal data, or have their personal data corrected, according to Article 15.

The PDP and any third party shall be authorized to edit the personal data of the data subject only after obtaining written consent from the PDC and PDCP and ensuring that the data subject has given their consent.

If the PDC or PDCP is unable to fulfill the request due to technical or other reasons, the PDC or PDCP must notify the data subject within 72 hours. 

If a data subject requests that the processing of their personal data be restricted or otherwise objects to the processing of their personal data, the PDC or PDCP must respond to the request within 72 hours of receiving it (Article 9). 

One important difference between this requirement and the one in the GDPR is that the Decree does not provide any exceptions to this requirement. Under the GDPR, a controller may be able to demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or may be able to claim that they need the data for the establishment, exercise, or defense of legal claims.

According to Article 16, the PDC or PDCP must delete personal data about a data subject within 72 hours of a request by the data subject, if:

Personal data shall be deleted irretrievably by the PDC, PDCP, PDP, and/or TP if it was processed for improper purposes or the consented purpose(s) has been fulfilled, if storage is no longer necessary, or if the entity responsible for the data has dissolved or terminated business operations due to legal reasons.

Like the GDPR, the Decree recognizes certain exceptions to the right to delete personal data, such as where:

However, unlike the GDPR, personal data that has been lawfully made available to the public is also exempt from the right to deletion (Article 18). As a result, the PDC or PDCP may reject a data subject’s request to delete personal data that has become public, regardless of whether there are any other lawful grounds for retaining such data. This differs from the GDPR, which does not provide exceptions based solely on the public availability of data.

8. Obligations of Controllers and Processors, from written processing agreements to data security and accountability obligations

PDPs are under an obligation to only receive personal data from a PDC after signing an agreement on data processing with the PDC and only process the data within the scope of that agreement (Article 39). The Decree also provides that personal data must be deleted or returned to the PDC upon completion of the data processing.

8.1. Data security and data breach notification requirements

The Decree has dedicated data security requirements for PDCs. For instance, Article 38 requires them to implement organizational and technical measures, as well as appropriate security and confidentiality measures, to ensure that personal data processing activities are conducted lawfully. They also need to review and update these measures as necessary, and record and store a log of the system’s personal data processing activities.

Appropriate security measures are also relevant in the PDC – PDP relationship, as PDCs must select a suitable PDP for specific tasks and only work with a PDP that has in place appropriate protection measures. Interestingly, both PDCs and PDPs have a distinct obligation to cooperate with the MPS and competent state agencies by providing information for investigation and processing of any violations of the laws and regulations on personal data protection.

Organizations and individuals involved in personal data processing must implement measures to protect personal data and prevent unauthorized collection of personal data from their systems and service devices. Article 22 of the Decree also prohibits the use of software systems, technical measures, or the organization of activities for the unauthorized collection, transfer, purchase, or sale of personal data without the consent of the data subject.

Under Article 23 of the Decree, in the event of a violation of personal data protection regulations, both the PDC and the PDP, or PDCP, are required to promptly inform the A05. The notification must be made no later than 72 hours after the violation occurred. If the notification is delayed, the reason for the delay must be provided. The current wording in the Decree is broad and without further clarifications and guidance it could be interpreted as meaning a notification is required for any violation of the Decree, not just for data breaches. 

The notification must include a detailed description of the violation, such as the time, location, act, organization or individual involved, types and amount of personal data affected, contact details of those responsible for protecting personal data, potential consequences and damages of the violation, and measures taken to resolve or minimize harm. If it is not feasible to provide a complete notification at once, it can be done incrementally or progressively.

However, Decree 13 does not provide a specific procedure for A05 to handle complaints related to personal data protection violations. Further guidance or clarifications may be issued in the future.

8.2. “Impact Assessment Reports” that have to be made available for inspection

Article 24 of the Decree requires PDCs and PDCPs to compile an impact assessment report (IAR) from the commencement of personal data processing and make the report available for inspection by the A05 within 60 days thereafter.

The IAR must contain:

PDPs are also required to compile an IAR. However, the required content is slightly different, reflecting the difference in roles between PDCs/PDCPs and PDPs. For instance, the Decree requires a PDP to provide a description of the processing activities and types of personal data processed, rather than stating the purpose(s) for processing the data.

9. Cross-Border Data Transfers have a legal definition and a registration requirement

Article 25 of the Decree defines a cross-border transfer of personal data as:

This definition includes the:

In the absence of further specification and relying on a literal reading of the wording in Article 25, a possible interpretation of this definition is that processing outside of Vietnam the personal data of Vietnamese citizens who live outside Vietnam would also qualify as a cross-border data transfer under the Decree. If this interpretation is correct, it would mean that all foreign organizations or individuals processing personal data outside of Vietnam would be subject to the Decree’s “cross-border data transfer” requirements even if there is no actual border of Vietnam involved, insofar as they process the personal data of Vietnamese citizens. It should be noted that the scope of the Decree, as stipulated in Article 1.2, only applies to foreign agencies, organizations, and individuals that are in Vietnam or that directly participate or are involved in the personal data processing activities in Vietnam. This ambiguity may be clarified in a guidance document in the future.

Before a covered entity may transfer personal data out of Vietnam, the Decree requires that the entity must:

The DTA must contain the following information:

In light of the consent disclosure required as part of the DTA and in the absence of further regulatory guidance, it seems that consent is the only basis for cross-border transfers. In addition to all requirements for a valid consent, in the context of cross-border transfers, the consent shall include a clear explanation of the feedback mechanism and the available procedures for lodging complaints in the event of incidents or requests, ensuring a comprehensive understanding for the individuals involved.

The MPS will conduct inspection of the DTA annually unless a violation, data incident, or leakage occurs. The MPS may cease transfers in cases where:

It should be noted that data localization is separately governed under Decree No. 53/2022/ND-CP, which implements the Law on Cybersecurity. The decree applies to both domestic and foreign companies operating in Vietnam’s cyberspace, specifically those providing telecom, internet, and value-added services that collect, analyze, or process private information or data related to their service users. According to the decree, these companies must store the data locally and have a physical presence in Vietnam. They are also required to retain the data for a minimum of 24 months. The types of personal data subject to localization include “(i) personal information of cyberspace service users in Vietnam in the form of symbols, letters, numbers, images, sounds, or equivalences to identify an individual; (ii) data generated by cyberspace service users in Vietnam, including account names, service usage timestamps, credit card information, email addresses, IP addresses from the last login or logout session, and registered phone numbers linked to accounts or data; (iii) data concerning the relationships of cyberspace service users in Vietnam, such as friends and groups with whom these users have connected or interacted.” (Article 26, Decree 53). The governing authority responsible for these regulations is A05 as well.

However, it remains unclear from the provided information whether personal data falling within the scope of Decree 53 can be transferred cross-border after fulfilling all requirements, including obtaining valid consents from data subjects. It is possible that the regulations are strictly interpreted to prohibit cross-border transfers for such types of data.

10. Specific Requirements for Children’s Personal Data

Like the GDPR, Article 20 of the Decree provides special protection for children’s personal data, with a focus on safeguarding their rights and best interests. However, the age threshold for obtaining valid consent differs between the two laws. In Vietnam, the Decree requires the consent of a parent or legal guardian and of children aged seven or older, while the GDPR only allows individuals over 16 to give consent independently for processing of their personal data. 

It is important to note that in Vietnam, children under the age of 16 are not considered to have legal capacity, meaning that they cannot legally enter into contracts on their own behalf except in exceptional cases. As such, the effect of the child’s consent absent that of a parent or legal guardian is not entirely clear, although the requirement to obtain consent from the child was likely included in the Decree to reflect the child’s opinion on the processing of their personal data.

PDCs, PDPs, PDCPs, and TPs must verify the age of children before processing their personal data. However, the Decree does not explicitly provide an age verification process. Processing of children’s personal data must cease, and the personal data must be deleted irretrievably, where:

The Decree states that only the child’s parent or legal guardian can withdraw consent for the processing of the child’s data, leaving it unclear whether the child can revoke their consent and have their data deleted if they wish to do so.

Conclusion

Vietnam’s new Decree on Personal Data Protection marks a significant milestone in protecting personal data in the country. The Decree introduces key concepts and principles of personal data protection, and sets out specific requirements for data processors and controllers. It also establishes a regulatory framework for obtaining consent for data processing activities, cross-border data transfers, and children’s data protection, which can contribute to safeguarding the privacy and security of individuals’ personal data.

While the Decree addresses many of the current challenges facing personal data protection in Vietnam, there are still gaps that need to be addressed in forthcoming guiding documents, including the lack of a specific procedure for handling complaints related to personal data protection violations, the conflicting provisions on the sale of personal data, the impact of cross-border data transfers together with clear guidelines and requirements for such transfers, and a more defined fine structure. Such guidance should also address automated processing and establish regulations for biometric data. As Vietnam continues to develop its data protection laws, it is important for the law to address key issues such as automated personal data processing, biometrics or facial recognition, global data transfer baseline standards, and the need to balance business development with data protection.

In conclusion, the country’s commitment to personal data protection and privacy is a crucial step in the digital age. As Vietnam continues to strengthen its data protection framework, it will be interesting to see how it aligns with, and contributes to, emerging frameworks in the region and around the world.

Editors: The success of this article would not have been possible without the dedicated efforts of Dominic Paulger, Josh Lee Kok Thong, and Isabella Perera, as well as the tremendous encouragement of Dr. Gabriela Zanfir-Fortuna from the Future of Privacy Forum.

Analysis of a Decade of Israeli Judicial Decisions Related to Data Protection (2012-2022)

Adv. Rivki Dvash with the assistance of Mr. Guy Zomer1

Background

The Future of Privacy Forum’s office in Tel Aviv (Israel Technology Policy Institute – ITPI) sought to examine the judicial decisions in civil actions under Israel’s Privacy Law, which includes rules that regulate data protection. We examined the extent to which the general public demands protection of the right to privacy through judicial proceedings. We also analyzed the privacy and data protection issues that concern the public enough to appeal to the court, as well as identified any patterns in the appeals.

It is important to note that there is a contradiction inherent in taking civil actions to remedy privacy and data protection violations since appealing to judicial bodies brings attention to and publicly catalogs the disputes. 2 As such, there is an occasional interest to not pursue these matters in order to prevent additional publication or exposure of information that could increase the harm of the initial violation of privacy. Accordingly, the data gathered in this analysis does not necessarily reflect the complete interest and desire the public has in protecting privacy, but rather the cases in which individuals chose to seek judicial remedy under the Privacy Law.

In order to examine all of these cases, we asked Mr. Guy Zomer of Octopus – Public Information for All (R.A.) – which works to make public information, including that related to judicial proceedings, accessible through the Tolaat Hamishpat – to compile all the rulings since 2012 that mention privacy violations and retrieve relevant metadata for our analysis.

The overview below highlights the information and insights gathered from the metadata.

Methodology

Collection of rulings from the Nevo website

In order to locate rulings related to privacy violations, we queried all published rulings issued from January 1, 2012, to December 31, 2022 to find those that included reference to Section 2 of the Privacy Law, 5741-1981 (from now on referred to as “the Law”), which defines an invasion of privacy and what constitutes a civil tort (and a criminal offense). The dataset only includes rulings issued in ordinary courts (magistrate, district, and supreme), and not those issued in special courts such as the Family Court and the Labor Court.

Initial screening

Since we wanted to concentrate on civil proceedings to discover common patterns, we removed criminal judgments and appeal proceedings from the dataset. We also chose to examine and compare decisions related to class actions separately from other civil proceedings.

We identified a total of 293 judgments issued in civil lawsuits and 29 judgments in class actions that referred to privacy violations.

Data collection

The dataset of civil claim decisions related to privacy violations initially only contained primary data such as the opening and closing dates of proceedings and the amount of the claims. We then added the following secondary data:

  1. The additional grounds in the civil lawsuit (defamation, spam, etc.), if any;
  2. The specific grounds for which the claim was filed (in other words, which subsection of Section 2 is used), even if the court did not recognize the requested cause or all the grounds for which the claim was filed;
  3. The relationship between the plaintiff and the defendant (neighbor, employer-employee3, family, etc.);
  4. Whether the plaintiff claimed concrete damage or compensation without proof of damage;
  5. Whether the court recognized defense claims (this refers to the acceptance of defense claims in a judicial decision, and not to the fact that the defending party raised them);
  6. Who won the lawsuit;
  7. The amount of compensation mandated due to the violation of privacy;
  8. The amount of expenses that have been mandated; and
  9. The total amount of compensation that was mandated, including expenses or other grounds.

We examined class action cases separately from civil lawsuits since class actions focus more on potential harm to a group of people rather than an individual and the monetary compensation is structured differently with three components: individual winnings, group winnings, and lawyer fees, which are higher than is usually customary and serve as an incentive to file class actions.

Preliminary research findings

1) It should be noted that the data we examined only related to published judgments. We have yet to learn about the number of relevant claims in which the proceedings were stopped for various reasons (such as a settlement or lack of legal proceedings by the plaintiff or closed-door proceeding). Given that there is no labeling of privacy protection procedures in the Net HaMishpat (the computerized system for managing court cases in Israel), it is impossible to locate such information.

2) There is a small number of verdicts related to privacy violations and there are only several dozen privacy cases yearly. In comparison, in 2019, about 200,000 cases were closed in the Magistrates’ and District Courts. 4 Furthermore, in 2020, about 192,400 cases were closed in these courts. 5 In other words, the judgments in matters of privacy in Israel are a negligible percentage of all civil proceedings.

3) We looked at the approximate weight of published privacy violation claims as a percentage of total published civil lawsuits over several years to see whether there are any patterns. Although this method is not statistically accurate, it is still useful to examine the variable ratio between all judgments and privacy judgments published in Nevo.

However, even in the test mentioned above, we could not locate or indicate a clear trend, as seen below.

Findings

Civil Lawsuits

1. In all the cases, except for one,7 the plaintiffs preferred to claim compensation without proof of damage under section 29A of the Law.

2. The most common issue in civil lawsuits is the photographing of a person and placing of cameras in public, and sometimes even private spheres, accounting for 5.1% of claims. 

3. We did not find any civil lawsuits for torts from privacy violations in databases. The initial assumption was that such claims are found in class actions (see below).

4. Civil lawsuits for privacy violations were generally connected to legal claims for other torts. Less than 20% of the claims filed for privacy violations were filed as a single damage (17%).

5. 19.8% of plaintiffs chose to file their claim in “Small Claims Courts,” which allow for relatively quick and no-frills compensation in an amount limited to up to NIS 36,400 (roughly USD 10,000).

6. The main ground for civil lawsuits is the “spying on or tracing of a person,” or other harassment. This ground appears in 36.9% of civil court rulings. For context of how dominant this cause is, the second most common ground (photographing a person without their permission) is cited in only 16% of all judgments.

7. The most common relationship between plaintiffs and defendants is a consumer relationship (24%) or a neighbor’s dispute (21.8%). A citizen’s claims against the authorities account for 8.9% of all claims, with the leading cause of action for this type of relationship being a breach of the confidentiality obligation established by the Law (40%).

8. Although privacy violations from media exposure create significant harm due to their broad exposure of information, only a low percentage of filed claims are due to this type of violation (7.5%). Additionally, claims due to this type of violation are always accompanied by a civil lawsuit for other claims such as defamation. Generally, defamation claims appear next to privacy violation claims (52%).

9. 9.9% of privacy claims also involved spam claims filed under Section 30A of the Communications Law. This finding is interesting because during the legislative process for spam regulations, it was determined that they should be incorporated into the Communications Law instead of the Privacy Law. Regardless, even in decisions that recognized both privacy and spam violations, the compensation amounts remained extremely low (no more than a few thousand shekels).

10. In most cases (57.3%), the plaintiff won the claim, compared to 34.4% of cases in which the defendant won (in the other claims, there was no definitive decision). However, a deeper examination of these claims shows that only 46.7% of them were compensated for the privacy violation. In other words, sometimes the plaintiff won the case, but not on the grounds of the privacy violation, or general compensation was provided without specifically referring to the privacy violation.

11. In almost a quarter of the rulings (24.5%), the court recognized legal defense protections under the Law. 9 The most recognized protection (40.3%) is in the case of “legitimate personal interest” (section 18(2)(c)).

Class Actions

12. Class actions related to privacy violations (29 cases) account for a small number of all class actions (6493 cases). However, the relative share (4.5%) is larger than the ratio of civil privacy violation claims compared to all civil claims (about 0.09%). This larger relative share is even more significant given that privacy violation class actions in Israel are more limited tools than civil lawsuits since class actions can only apply to the specific types of claims listed in the second addendum to the Class Actions Law, 5766-2006. 10

13. Most of the class actions that include grounds for privacy violations are also related to consumer protection.

14. Spam violations constitute the additional (or, more precisely, the primary) ground in a significant share of privacy violation class actions (69%). Four cases (15.4%) also mentioned the issue of registering the databases that are the subjects of the claims.11 Furthermore, in four cases (15.4%), it was claimed that the information security of the databases in question were compromised.

15. In 17.2% of privacy violation cases the court rejected the motion to file a class action.

16. Of the 29 cases in which a judgment was given (including court rejection to form a class action), in 41.4% of cases, the court approved the settlement, and in 37.9% of cases, the court approved the plaintiff’s motion for leave.

17. 69.2% of claims ended in favor of the plaintiff, and only about 26.9% of the decisions favored the defendant, with plaintiffs liable for expenses in only four cases (15.4%).

Conclusion

Despite the difficulty in getting clear insights into privacy violation civil lawsuits and class actions due to the scarcity of rulings in this area, it is still necessary to examine these decisions.

The small number of claims in this area may indicate the public’s lack of interest in exercising its right to compensation when privacy violations occur. Part of this disinterest is likely due to the desire to prevent additional publication or exposure of information that could increase the harm from the initial privacy violation. Interestingly, the larger amount of privacy violation class actions as a percentage of all class action lawsuits (compared to civil lawsuits) indicates that given a larger financial incentive and decreased risk of exposure of individuals’ personal information, the desire to file lawsuits may increase. This tentative hypothesis is supported by the higher numbers of class action and civil lawsuits related to spam violations, both of which have high compensation potential and do not reveal additional personal information about plaintiffs. However, given the small absolute number of both class action and civil lawsuits related to privacy violations, more research is needed to fully examine the motivations of plaintiffs.

Even with the small number of claims, there are still several interesting findings, including clarity into the types of privacy violations that concern the public. For example, it is evident that plaintiffs mostly bring violations related to neighbor disputes and placement of cameras in public spaces for surveillance. The research also shows that despite the higher potential for privacy violations from state authorities or the greater harm from violations of database-related provisions of the Law, there are almost no lawsuits concerning these issues. One potential hypothesis for the lack of these claims is that there are power gaps between citizens and authorities, as well as data subjects and database owners, that disincentivize lawsuits. Although class actions can strengthen the power of the consumer, they still require proof of damage and also cannot be filed against the state.

In conclusion, it is impossible to point to a change or a clear trend of citizens exercising their right to privacy in civil lawsuits over the past decade.

Editor: Isabella Perera

This text has been translated and adapted into English from the original report published on January 30, 2023, available in Hebrew following this link.

1 Thanks to Adv. Limor Shmerling-Magazanik, former Director of ITPI, for her comments on this report.

2 In Israel, the default is that legal proceedings are published stating the parties’ names.

3 It should be noted that even in civil proceedings in ordinary courts (not the Labor Court), we still found claims related to employee-employer relationships.

4 See Annual Report 2019 – Court Administration (in Hebrew), pp. 25 and 37. In the district courts, 8,278 civil cases were closed, and in magistrates’ courts, 191,444 such cases were closed.

5 See Annual Report 2020 – Court Administration (in Hebrew), pp. 25 and 37. In the district courts, 7,578 civil cases were closed, and in magistrates’ courts, 184,874 such cases were closed.

6 We did not include 2022 because there was a change in the classification of cases in civil lawsuits that altered how the selected group was sampled.

7 Civil Action (Magistrate court – Haifa) 54043-11-12 Naor v. Clal Pension and Provident Fund Ltd. (11/4/2014) (in Hebrew), in which the plaintiff lost.

8 As of January 2023.

9 Section 18 of the Privacy Law.

10 Such as dealers, banking corporations, financial services providers, etc.

11 In Israel, there is still an obligation to register databases.

A New Paradigm for Consumer Health Data Privacy in Washington State

The Washington ‘My Health, My Data’ Act (MHMD or the Act) establishes a fundamentally new legal framework within U.S. law to regulate the collection, use, and transfer of consumer health data. Signed into law by Governor Inslee on April 27, MHMD was introduced by request of the Washington Attorney General in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (2022) (Dobbs).

While drafting quirks have caused uncertainty around the effective dates of some of MHMD’s provisions, in general the Washington Legislature seems to intend for MHMD’s substantive data privacy requirements to come into effect on March 31, 2024 (or June 30, 2024 for small businesses). Other provisions, including the Act’s sections on geofencing and enforcement, will take effect in 90 days’ time.

This post highlights six aspects of MHMD that could have paradigm-shifting consequences for data privacy regulation. For a more in-depth analysis of the Act, check out the Future of Privacy Forum’s MHMD Policy Brief.

1. ‘My Health, My Data’ applies to organizations that collect, process, or transfer covered data in any way that touches Washington State:

MHMD will impact a broad range of entities, both within and outside of Washington State. The Act imposes obligations on regulated entities that do business in Washington or that “target” products or services at Washington consumers. Such targeting likely includes actions as simple as making a business website available to access from within Washington or advertising in Washington. In addition, MHMD applies to businesses and nonprofit organizations of any size that collect, hold, or transfer consumer data that has “any operation” performed on it in the state at any point. Significantly, MHMD defines “consumer” as any natural person whose health data is processed in “any manner” within the state. Therefore, if customer health data is at any point accessed in, travels through, or is stored in Washington State, MHMD is likely to apply. Unlike many other U.S. privacy laws, the Act does not exempt entities covered by other legal regimes, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Family Educational Rights and Privacy Act of 1974 (FERPA), but instead only the data regulated thereby.

2. ‘My Health, My Data’ defines “health data” far more broadly than any other U.S. privacy framework:

MHMD regulates collection and transfers of “consumer health data,” defined as any form of “personal information” that “identifies the consumer’s past, present, or future physical or mental health status.” The Act provides a non-exhaustive list of 13 categories of information that constitute de facto “health status” under the Act, including biometric data, “[p]recise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies,” and health information that is inferred from non-health data. This definition of health data is far broader than the definitions established by other contemporary legal frameworks, and will encompass information that is not typically treated as health data. Any entity with a nexus to individually-identifying health information should assess potential operational impacts of MHMD.

While more expansive than other legislative frameworks, one significant aspect of MHMD’s definition of “consumer health data” aligns with the Federal Trade Commission’s (the Agency) approach to health information in its recent enforcement actions against GoodRx and BetterHelp. In its complaint against BetterHelp, the Agency alleged that the company wrongfully disclosed consumer information, including email addresses, IP addresses and unique advertising IDs, that revealed that consumers had accessed a website seeking mental health care services. Similarly, MHMD’s definition of “personal information” includes “data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier.” These definitions demonstrate an emerging regulatory attention to ways in which common online activities and user data can be processed to reveal sensitive health information.

3. ‘My Health, My Data’ establishes recurring notice-and-consent obligations for the collection, transfer, sale, and secondary use of health data:

MHMD requires businesses to make disclosures and obtain separate consumer consent for any collection and transfer of health data beyond what is necessary to provide a consumer-requested product or service. For the “sale” of health data, the Act requires regulated entities to obtain “valid authorization,” a more exacting form of consent that expires after one year. MHMD defines “sale” broadly to include exchanges for valuable consideration, and will likely implicate current digital advertising practices for covered entities. 

While MHMD’s opt-in framework will provide individuals with increased ability to control how their health data is collected and transferred, users will likely face a significant increase in the volume of notices and pop-ups when accessing many common products and services. Furthermore, since MHMD relies on a “notice and consent” framework rather than creating new baseline rules around how entities may collect, use and transfer covered health data, the efficacy of the Act’s framework will depend on whether users are able to successfully navigate this new menu of consent options while obtaining desired products and services. 

4. ‘My Health, My Data’ creates consumer rights of access and deletion that go beyond those established by other state privacy laws:

MHMD creates several consumer rights that have become standard in global privacy laws, including the right to know how an organization uses personal data, the right to access that data, and the right to have covered health data deleted. However, MHMD does not contain common exemptions for these rights such as for protecting trade secrets or for complying with legal obligations. 

Furthermore, the Act’s rights of access and of deletion are significantly different from comparable state laws, and will require modifications to organizations’ compliance programs. For example, MHMD’s right to access not only gives users the right to obtain a copy of their data, but also to procure a list of the names and email addresses of third-parties with whom their data was shared or sold. The Act’s deletion right gives individuals the right to delete their health data from all records managed by a regulated entity, including from archived or backup systems and from within the records of processors, contractors, and other third parties, with no exception for data that is retained in order to comply with deletion requests on an ongoing basis. 

5. ‘My Health, My Data’ places novel restrictions on the geofencing of a wide-ranging set of facilities that provide in-person “health care services”:

MHMD forbids both covered entities and individual actors from geofencing physical “health care facilities” in order to identify individuals, collect health data, or send health data or health-service related messages to consumers. This restriction may impact several common practices, including security operations and the use of push notifications for advertising consumer goods. Furthermore, MHMD’s far-reaching definition of “health care services” means these restrictions could include geofencing conducted in order to collect data from or advertise to individuals visiting gyms, complexes that include healthcare offices, and general consumer goods stores.

6. ‘My Health, My Data’ provides for enforcement through a private right of action:

MHMD gives the Washington Attorney General authority to enforce the Act and also creates a private right of action by establishing that a violation of the Act is an unfair or deceptive trade practice under the Washington Consumer Protection Act (WCPA). While MHMD’s inclusion of a private right of action sets it apart from many other state privacy laws, entities should note that MHMD does not provide for statutory damages. Instead, MHMD grants plaintiffs the right to sue to recover for any injury to their “business or property” caused by a violation of the Act, and gives courts the discretion to award treble damages up to $25,000. While the Washington Attorney General’s office can likely issue interpretive guidance, the opportunity for private litigation suggests that judges are likely to resolve drafting ambiguities.

Conclusion

MHMD will set new standards for the protection of non-HIPAA covered personal health data. The Act’s broad scope and exacting requirements could create compliance hurdles for a wide range of covered entities, and its private right of action provides a private enforcement mechanism not usually available under U.S. privacy laws. Organizations of all sizes, even those who operate outside of Washington State, should investigate whether they are, or could become, covered by the Act and understand MHMD’s requirements. Likewise, individuals should determine when their data is covered by MHMD and what rights they are afforded under the Act. Finally, policymakers working on these issues should consider not only the scope of new health privacy legislation, but also how new regulations will interact with existing frameworks, including the sensitive data protections established under the various state comprehensive privacy laws.

FPF Announces Recipients of the Third Annual Award for Research Data Stewardship

Today, the Future of Privacy Forum (FPF) — a global non-profit focused on data protection headquartered in Washington, D.C. — announced the winners of the third annual Award for Research Data Stewardship.

FPF is a long-standing advocate for privacy-protective data sharing by industry to the research community to advance scientific insights and drive progress in medicine, public health, education, social science, and many other fields. FPF established the Award for Research Data Stewardship in 2020 to recognize companies and academics that demonstrate innovative approaches and best practices for sharing private, corporate data to advance scientific knowledge. 

With the third annual Award for Research Data Stewardship, FPF honors two teams of researchers and corporate partners for their commitment to privacy and ethical uses of data in their efforts to help with emergencies related to diseases and natural disasters. The winning team is a collaboration between Mayo Clinic researchers led by Rozalina McCoy, MD, MS, and health services company Optum. The honorable mention is a collaboration between Assistant Professor Xilei Zhao, PhD, at the University of Florida and location intelligence company Gravy Analytics. These partnerships were awarded based on the strength of their research, adherence to privacy protection in the sharing process, and the company’s commitment to supporting academic research.

“Our panel of judges were incredibly impressed reading through each meaningful and forward-thinking data-sharing partnership,” said Shea Swauger, FPF’s Senior Researcher for Data Sharing and Ethics. “Data plays a significant role in social progress. When companies share data responsibly with academic researchers, they can unlock new scientific insights, expand human knowledge and provide solutions to society’s most difficult challenges.”

Winner: Mayo Clinic and Optum: “Predicting the Risk of Severe Hypoglycemic and Hyperglycemic Events in Adults with Diabetes”

Honorable Mention: University of Florida Transportation Institute Partnership with Gravy Analytics: “Using Location Analytics to Enhance Natural Disaster Emergency Response Planning and Management”

The Award is a part of FPF’s “Corporate Data Sharing for Research: Next Steps in a Changing Legal and Policy Landscape” project to accelerate the safe and responsible sharing of privacy-protected data between companies and academic researchers. This project is supported by the Alfred P. Sloan Foundation, a non-profit grantmaking institution whose mission is to enhance the welfare of all through the advancement of scientific knowledge.

FPF’s Award Ceremony will be held virtually on May 10, 2023, and is free for anyone interested in learning more about these winning programs and data sharing. Register for the event here.

FPF at the 2023 IAPP Global Privacy Summit

Earlier this month, IAPP held its annual Global Privacy Summit (GPS) in Washington, DC. FPF played a major role in bringing together a team of seven renowned privacy experts on 11 panel discussions and varying peer-to-peer roundtables ranging from U.S. privacy law to AI tech and regulation to regional contractual frameworks for data transfers. FPF remained active through these expert discussions and engaged with FPF members at networking events and meetings, as well as at our expo booth during the three-day conference.


Most notably, our CEO Jules Polonetsky was the recipient of the 2023 IAPP Leadership Award, given to individuals who “demonstrate an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues, and advancing the growth and visibility of the profession.” Jules has served as FPF’s CEO for the last 15 years.

“The Privacy Leadership Award is an incredible recognition, I am honored. I thank the team at IAPP for the award and my staff at FPF, who continue serving as global privacy leaders and publishing influential scholarship that is imperative to advancing privacy safeguards, protections, and policy.”

Jules Polonetsky, CEO, FPF


On the first day of the conference, FPF, in partnership with GW Law, hosted a reception featuring Chairperson Haksoo Ko of the Personal Information Protection Commission (PIPC) to welcome privacy professionals to Washington, D.C. In a packed room, Jules offered opening remarks and Chairperson Ko a keynote address to guests.


U.S. Privacy Law at a Crossroads: The Past, Present and Future

In an engaging conversation, FPF CEO Jules Polonetsky was joined alongside an expert panel of speakers, including Elliot Golding (Partner, McDermott Will & Emery), Alastair Mactaggart (Board Member, California Privacy Protection Agency; Board Chair, Founder, Californians for Consumer Privacy), and Lydia de la Torre (Board Member, California Privacy Protection Agency; Partner, Golden Data Law). GPS attendees heard the panel discuss relevant issues such as U.S. employment laws and data, state legislation from California and Utah (notably Utah’s social media bill), children’s privacy, and more.

“We need to get legislation done in the responsible ways that California did; otherwise we lean towards a poorer direction.”

Jules Polonetsky, CEO, FPF

What Are the Long-term Implications of the Trans-Atlantic Data Privacy Framework

Former FPF Senior Counsel Sebastião Barros Vale discussed the long-term implications of the Trans-Atlantic Data Privacy Framework (TADPF) alongside experts Paul Breitbarth (Senior Fellow, Maastricht University Faculty of Law; Data Protection Lead, Catawiki), Caitlin Fennessy (Vice President & Chief Knowledge Officer, IAPP), and Alexander Joel (Tech, Law & Security Program, American University Washington College of Law). In this discussion, they touched on how the TADPF is an important chapter in the ongoing story of trans-Atlantic data flows, why privacy professionals should seek to enhance mutual understanding among governments, companies, and the public to help lay the groundwork for potential solutions, and more. View the presentation.

Great Expectations: Will the EU’s Data Strategy Laws Change the Digital World?

This panel, moderated by FPF VP for Global Privacy Dr. Gabriela Zanfir-Fortuna, discussed the state of play in Brussels with regard to the EU’s new generation of data laws such as the DMA, DSA, DGA, Data Act, and the AI Act. She was joined by renowned global experts Brando Benifei (Member of the European Parliament, co-Rapporteur of the AI Act), Irene Roche Laguna (Deputy Head of Unit, Digital Services, European Commission), and Wojciech Wiewiórowski (European Data Protection Supervisor).

Attendees learned how the GDPR interacts with the EU’s new generation of data laws and how these data laws coming from Brussels may impact jurisdictions around the world.

“Law is as good as its enforcement is.”

Dr. Gabriela Zanfir-Fortuna, VP for Global Privacy, FPF

Oh, the Places We Might Go: U.S. Privacy Law and Regulation

In this standing-room-only, Dr. Seuss-themed panel, FPF Senior Counsel Tatiana Rice discussed the Washington, D.C. data privacy and security landscape as it relates to the significant movement in privacy in 2022, and assessed developments from the FTC, Congress, the White House, the Supreme Court, and more. Tatiana was joined by D.C. privacy experts Brandon Pugh (Director and Senior Fellow, R Street Institute, Cyber and Emerging Threats Team), Divya Sridhar, Ph.D. (Director of Privacy Initiatives, BBB National Programs), and Cobun Zweifel-Keegan (Managing Director, D.C., IAPP).

The panel explored data minimization, a principle likely to appear in state and federal law and regulations, as well as federal agency action and enforcement trends. Notably, speakers discussed protecting vulnerable populations, specifically kids and teens, as attendees heard discussion surrounding age-appropriate design codes. View the presentation here.

The Tip of the AI Iceberg: Views on Bias, Digital Discrimination & Data Rights

On day three, attendees joined an early-morning panel with FPF Senior Policy Counsel Bertram Lee as he discussed views on bias, digital discrimination, and data rights with moderator Anupam Chander (Scott K. Ginsburg Professor of Law and Technology, Georgetown Law), Yvette Badu-Nimako (Interim Executive Director, VP, Policy, National Urban League, Washington Bureau), Travis Hall (Acting Deputy Associate Administrator, National Telecommunications and Information Administration), and Ben Winters (Senior Counsel, Electronic Privacy Information Center (EPIC)). 

Attendees heard Bertram and the expert panel explore AI systems’ risks to privacy, biases and discriminatory outcomes of algorithms, and responsible AI systems, bringing a local D.C. angle to the conversation by discussing how District housing authorities and law enforcement utilize AI systems in their work that are inherently biased and harmful to underserved areas of the city.

“I believe that AI will change the world for the better, but that doesn’t mean that it shouldn’t be accountable to the many communities, and particularly underserved communities, that are impacting their lives. It’s important for us to think about that in the privacy community – how do we mitigate those harms? How do we design responsibly to offset those harms?”

Bertram Lee, Senior Policy Counsel, FPF

Preparing for the Next Generation of AI Tech and Regulation as Privacy Pros

In FPF Senior Policy Counsel Bertram Lee’s second panel of the day, he was joined by Nia Castelly (Co-Founder, Legal Lead, Google), Che Chang (Deputy General Counsel, OpenAI), and Filippo Raso (Senior Associate, Hogan Lovells). In another standing-room-only session, Bertram and the panelists discussed the latest on AI research and development, recent developments on AI commercialization, AI regulatory policy developments, and implementing AI governance.

“AI regulation is not going anywhere. It’s only here to stay.”

Bertram Lee, Senior Policy Counsel, FPF

Not-so-standard Contractual Clauses: Comparing Global Data Transfer Tools

An engaging discussion moderated by FPF Senior Counsel for Global Privacy Lee Matheson on trans-border data flows took place on day three of the conference. Lee was joined by Mariano Peruzzotti (Partner, Ojam Bullrich Flanzbaum), Isabelle Vereecken (Head of Secretariat, European Data Protection Board), and Yeong Zee Kin (Deputy Commissioner, Personal Data Protection Commission of Singapore). This global panel covered three different model regional contractual frameworks for data transfers: the Ibero-American model clauses, the Association of Southeast Asian Nations (ASEAN) MCCs and other SEA national rules, and the EU’s SCCs.

When asked by an attendee about “the best scenario for what can be achieved in a dialogue between the EU and other regions,” the panelists offered differing perspectives. There may never be “one set of clauses to rule them all” because of cultural and legal differences, but the dialogue reveals that, at least in some ways, data protection principles related to transfers are moving towards convergence. There can be valid discussions about interoperability for different regional sets without having to agree on one set that will apply everywhere. View a recording of the session here.

A Conversation with the U.S. Ambassador for Cyberspace and Digital Policy

To close off this exciting conference, FPF CEO Jules Polonetsky sat down with Ambassador Nathaniel Fick, U.S. Ambassador for Cyberspace and Digital Policy, in a conversation highlighting several topics, including U.S. digital policy priorities globally, AI systems’ risks to privacy, biases and discriminatory outcomes of algorithms, responsible AI systems, and more.

“Data protection is increasingly becoming the law of everything.”

Jules Polonetsky, CEO, FPF

We hope you enjoyed this year’s IAPP Global Privacy Summit as much as we did! If you missed us at our booth, visit FPF.org for all our reports, publications, and infographics. Follow us on Twitter, LinkedIn, and subscribe to our newsletter for the latest.

Tenn. Makes Nine? ‘Tennessee Information Protection Act’ Set to Become Newest Comprehensive State Privacy Law

On Friday, April 21, Nashville lawmakers approved the Tennessee Information Protection Act (TIPA) following unanimous votes. Tennessee now joins Iowa, Indiana, and Montana as one of the four states in 2023 that have advanced baseline privacy legislation governing the collection, use, and transfer of consumer data.

TIPA is closely modeled on the Virginia Consumer Data Protection Act (VCDPA) that was enacted in March 2021 and went into effect on January 1 of this year. The frameworks share key definitions, business obligations, and core consumer rights. For example, TIPA and the VCDPA both require companies to obtain consent for the processing of sensitive personal data and allow consumers to opt out of data sales, targeted advertising, and significant profiling decisions.

Nevertheless, the Tennessee proposal contains several unique deviations that will make it an overall less protective privacy regime than Virginia’s landmark law. Below, we highlight the key ways that TIPA differs from the VCDPA.

Not every distinction in the Tennessee proposal makes it weaker than the VCDPA. For instance, while Tennessee and Virginia both allow the Attorney General to recover $7,500 in civil penalties for each violation of the law, in Tennessee a court may award treble damages for willful or knowing violations. Should TIPA be enacted, it will take effect on July 1, 2025.

The ‘Montana Consumer Data Privacy Act’ Reminds us that Privacy is Bipartisan

On Friday, April 21st, the Montana State Legislature approved the ‘Montana Consumer Data Privacy Act’ (MCDPA) to be sent to the Governor’s desk. If enacted by Governor Gianforte, Montana would join the 6 states that have adopted comprehensive privacy frameworks. Notably, at almost every stage of the legislative process, the MCDPA received unanimous bipartisan support and strengthening amendments.

The MCDPA includes what would be the strongest baseline consumer privacy rights and protections of any Republican-led U.S. state, comparable in substance and scope to leading privacy frameworks in Connecticut and Colorado. Furthermore, the MCDPA is unlikely to require significant modifications to the compliance programs of organizations that are already subject to either of these existing state laws.

Significant privacy-protective elements of the MCDPA include:

So far in 2023 three states, including Montana, have passed privacy legislation through their legislative branch, and one state, Iowa, has seen privacy legislation signed into law. If enacted, the MCDPA will take effect on October 1, 2024.

Tanzania’s Personal Information Protection Act: Overview, Key Takeaways, and Context

On November 27, 2022, the President of Tanzania signed the Personal Information Protection Act, 2022 (PIPA) after it garnered unanimous Parliamentary support following its September 2022 introduction during the 8th Parliamentary sitting. The Act’s passage makes the United Republic of Tanzania (henceforth referred to as “Tanzania”) the 35th country in Africa to enact a standalone data protection law and effectively extends data protection safeguards to more than 63 million people. The law is in Swahili.

Prior to the passage of PIPA, Tanzania made several unsuccessful attempts to pass a data protection law. The 2003 National ICT Policy called for policy changes to facilitate enactment of a specific and effective legislative instrument on privacy after the initial recognition of a right to privacy as part of the 1984 Constitution’s Bill of Rights, which followed failed attempts to include the right in previous iterations of the constitution. Data protection reforms for a comprehensive data protection law began in 2013 in connection with the African Union’s Harmonization of ICT Policies in Sub-Saharan Africa (HIPSSA) project. Tanzania received financial and technical support from the International Telecommunication Union (ITU) and the European Commission to develop its first comprehensive data protection law, which was ultimately unsuccessful. The second attempt at a draft of a comprehensive data protection bill began in August 2022 when a draft was released for public consultation; this bill ultimately became PIPA.

The commencement date of PIPA will be determined by the Minister of Communications through a gazette notice (Section 1). The stated objectives of PIPA are laid out in Section 4 and include:

Overview of Key Features: From Recognizing Broad Categories of Sensitive Data, to Specifically Allowing Monetization of Personal Data

PIPA establishes a data protection framework for Tanzania that sets out obligations related to the processing of personal data. Specifically, it defines the forms of personal data covered under the law, the covered actors and the extent of application of the law, registration requirements for controllers and processors, and the obligations of controllers and processors towards data subjects. The structure and provisions of PIPA coincide with laws in other parts of the world; however, there are unique provisions under PIPA that differentiate Tanzania from other countries.

For example, the law contains broad provisions on categories of sensitive personal data and imposes a mandatory requirement on all controllers and processors to appoint a data protection officer. Further, the law establishes unique situations where it is not applicable, including, among others, situations where processing is carried out for the purpose of identifying and preventing tax evasion, investigating embezzlement of public funds, or performing due diligence prior to appointment in a public service position. 

Interestingly, the law obliges controllers to collect personal data directly from data subjects as a matter of priority. Only where this is not possible can they collect personal data from third parties, under specific conditions which are akin to “lawful grounds for processing”.

With regards to using a data subject’s personal data for commercial advertising, the law specifically allows the monetization of personal data by permitting a data subject to enter into a contract with the data controller, on the basis of which the controller may process the data subject’s personal data for financial gain. 

Another unique feature of the law relates to how data subjects exercise their rights. The law mediates the relationship between a data subject and a controller in certain cases. For example, a request by a data subject to have a controller or processor modify, block, delete, or destroy incorrect personal data relating to them must first be made to the Personal Information Protection Commission (the data protection authority established by the law) for onward transmission to the controller or processor.

The structure of the Commission to be created also carries unique features, especially the creation of a board to oversee the conduct of the Commission. With regards to cross border data transfers, the Commission and the Minister of Communications maintain wide discretion on whether a transfer can be made, even upon fulfilling the conditions stipulated in the law.

Territorial Application, Covered Actors, and Data: Introducing a Limited Extraterritorial Scope and “Data Collectors”

Territorial Scope

Per express language in Section 2, PIPA shall apply to mainland Tanzania, as well as in Zanzibar. In Zanzibar, the law shall only apply to Union matters. The First Schedule of the Constitution of Tanzania enumerates the “union matters”, which include the Constitution of Tanzania and the government of the United Republic. Laws passed by the Union Parliament can only apply to Zanzibar where there is an express provision declaring so, or where the law relates to Union affairs and is in compliance with the provisions of the Union Constitution.

This specification is necessary due to the fact that Tanzania was formed from the 1964 merger of two formerly sovereign states: Republic of Tanganyika and People’s Republic of Zanzibar. The 1964 union did not throw out Zanzibar’s sovereignty, and, as such, the unified state maintains two governments. Zanzibar retains its own constitution and governs itself with regard to non-Union matters while the Union government based in Dodoma (the united republic’s capital) maintains power over the entire territory with regards to Union matters. Zanzibar’s House of Representatives has legislative powers limited to non-Union matters as stipulated in the 1984 Constitution.

PIPA applies extraterritorially, but in a more limited way than other data protection laws like the EU’s General Data Protection Regulation (GDPR) or Indonesia’s Personal Data Protection Act. According to the law, Section 4 of PIPA shall apply to processing of personal information carried out by a controller residing in Tanzania or in a place where the laws of Tanzania are applied in accordance with international laws, as well as to any processing of personal information carried out by a controller or processor residing outside the United Republic if the processing has taken place in the country and not for the purpose of transferring personal information to another country (Section 22(b) and (c)). The condition that the processing takes place in the country to trigger the extraterritoriality of the law limits its reach. However, by specifying that extraterritoriality does not apply when personal data is transferred outside of the country to be processed there, the law solves a common conundrum appearing with other data protection laws between extraterritorial effect and the rules governing international data transfers.

Like many other African personal data protection laws, PIPA exempts processing of personal data for household purposes (Section 58(2)(a)). Other exemptions under Section 58 include where processing is:

The Minister of Communications is empowered to expand the list of exempt circumstances and the means of implementing such exemptions are provided in Section 58(3). However, these exemptions do not preclude a data collector (defined below) from complying with the principles relating to collection and processing of personal information or the security safeguards requirement of the law (Section 58(1)).

Covered Actors

Opting to use the term “data collectors”1 to refer to data controllers, PIPA applies to data controllers, processors, and recipients, which may be individuals, private entities, or public entities that process personal data.

The Act defines a controller as a person, individual institution, or public institution that alone or together with other institutions determines the purposes and methods of personal information processing; and where the purposes and methods of processing are specified in the law, the controller is a person, entity, or public institution appointed in accordance with the law and will include its representative.

A processor is defined as a person, individual entity, or public entity that processes personal information for and on behalf of the controller and under the instructions of the controller, except for persons who under the direct authority of the controller are permitted to process personal information, including their representatives. A recipient is defined as a person, entity, public institution, or any other person who receives personal information from the controller.

Covered Data: Broad definition of “sensitive data”

PIPA covers personal data that is defined as information about an identifiable person that is maintained in any form, including (Section 3):

PIPA further lists the following as “sensitive personal data”:

Beyond the categories listed above, PIPA creates a broad definition of categories of sensitive personal data. According to Section 3 of the law, personal data becomes sensitive if, when processed, it reveals the race, ethnicity, political ideologies, religious or philosophical beliefs, trade union associations, gender, health data, or sexual relationships of a data subject. Sensitive personal data also includes “any personal information that, according to the laws of Tanzania, is considered to have a significant impact on the rights and interests of a data subject.” “Significant impact” is not defined in the law but could potentially be clarified at a later time through the Minister’s power to create regulations (Section 64(1)).

The Act imposes restrictions on the processing of these forms of sensitive personal data. PIPA prohibits processing sensitive personal data without the written consent of the data subject (Section 30(1)). A data subject may withdraw consent at any time, without reason and at no cost (Section 30(2)). Additionally, the Minister has regulatory discretion to designate circumstances where the prohibition on processing sensitive personal data may not be lifted even with a data subject’s written consent (Section 30(3)). Section 30(5) also gives circumstances where a data controller or processor does not need a data subject’s written consent to process sensitive personal data, including when the:

Obligations of Controllers and Processors: From Old School Registration Obligations, to Compulsory Appointment of DPOs

Registration as Data Controllers and Processors

PIPA, like many other African data protection laws, requires data controllers and processors to register with the data protection authority before collecting and processing personal data (Section 14). The Communications Minister recently released draft regulations on the registration of data controllers and processors that provide the conditions for registration. These requirements have similarities to those in other African jurisdictions, such as Kenya. Upon fulfilling the conditions for registration, a controller or processor receives a certificate of registration (Section 14(3)), which is valid for 5 years after it is issued (Section 15(2)).

Unlike Kenya’s Data Protection Act, 2019, PIPA does not provide a threshold for registration as a data controller or processor. This lack of a threshold implies that all individuals and private entities acting as controllers or processors are required to register with the authority, regardless of their size. Furthermore, PIPA’s certificates of registration are good for 5 years, in contrast to Kenya’s which are valid for 2 years. Interestingly, PIPA assumes that upon commencement of the law, public bodies shall be automatically registered as controllers and processors, and no action is required from them (Section 21).

Compliance with the Principles of Data Processing: From purpose limitation to security safeguards

Section 5 of PIPA requires controllers and processors to process personal data in accordance with the principles set forth under the law, including:

All Data Controllers and Processors Must Appoint Data Protection Officers

Section 27(3) of PIPA requires controllers and processors to appoint a Data Protection Officer (DPO). There are no thresholds or criteria that trigger appointment of a DPO, which means that all data controllers and processors must have a DPO. 

Collection of Personal Data: An Obligation to Prioritize Collection Directly from the Data Subjects

According to Section 23(1) of PIPA, data controllers are generally required to collect personal data directly from the data subject. Prior to such direct collection of personal data, a controller shall ensure that a data subject (Section 23(2)):

This obligation to collect personal data directly from a data subject is not commonly found in other regional or global frameworks, but a similar provision can be found in Kenya’s Data Protection Act, 2019.

However, a data controller is not obliged to directly collect personal data under certain circumstances (Section 23(3)), including if:

Notably, the law does not define what “publicly available” means in the context of personal data collection. However, it is possible that this definition will be provided at a later time through the Minister’s power to create regulations (Section 64(1)).

Duty to Ensure Accuracy of Data

PIPA requires a data controller to take steps that ensure that the information is complete, correct and consistent with the intended purpose of processing, and is not misleading before any processing occurs (Section 24).

Further Processing of Personal Data Beyond the Initial Purpose

Section 25(2) of PIPA sets the conditions for when further processing of personal data is permitted, including when:

Establishing a Data Processing Agreement

PIPA requires that the relationship between a controller and processor be mediated by a data processing agreement (Section 27(4)). Activities of the processor must be governed by a contract that specifies the relationship between the processor and the controller and includes the controller’s instructions to the processor. 

Data Retention

A controller is required to consider the existing laws that stipulate data retention periods for various data processing activities or develop a retention policy consistent with forthcoming regulations (Section 28(1)).

Security and Data Breach Processes

PIPA obligates controllers to take necessary steps to safeguard personal data (Section 27(1)). A processor has a duty to adhere to the levels of security stipulated under the Act (Section 27(4)). In the event of a security breach relating to data processed on behalf of the controller by a data processor, the data controller is obliged to inform the data protection authority (Section 27(5)). This implies that a processor is obligated to inform the controller in the event of a security breach. However, there is no obligation for controllers under the law to notify data subjects in the event of a data breach.

Creation of Codes of Ethics

Controllers are required to develop codes of ethics for processing personal data in compliance with the provisions of the law and to submit them to the Commission for review and approval. Where the Commission deems fit, it may seek the input of data subjects or their representatives before approval (Section 65). The Act does not specifically state that each controller must develop its own code of ethics; the broad provision gives controllers leeway to do so either independently or as a group.

Data Subject Rights: From Absolute Opt-Out of Commercial Advertising, to The Right not to be Subject to Solely Automated Decision-Making

Part 6 of PIPA enumerates the rights of data subjects that controllers must adhere to – the right to access personal data, the right to restriction of processing, an absolute opt-out from commercial advertising – which might have important consequences for online advertising in the country, a right not to be subject to solely automated decision-making, and a right to have personal data modified, blocked, deleted, or destroyed. Protection of rights of data subjects is one of the principles of data protection under PIPA, which may support interpretation of the legal provision towards enhancing protections for individuals exercising their rights.

Under Section 33, data subjects are entitled to know that their personal data is being processed and the details of the processing, including:

However, a data controller is not obliged to provide the above information to a data subject if the information is incorrect, if it is being used in an investigation in accordance with the law, or if it is withheld by court order. Notably, data subjects must convince the Commission that data held by a controller is incorrect in order to exercise their right to deletion or modification of that data under Section 38. 

As for the right to restriction of processing, where a processing activity “may cause serious harm” to the data subject or any other person, the data subject has the right to ask the data controller to not initiate the processing or to stop the processing. The methodology to restrict processing shall be stipulated in regulations to be issued by the Minister of Communications. 

Under Section 35(1), a data subject, through procedures that shall be specified in future regulations, has the right to ask the data controller to stop processing their personal data for the purpose of commercial advertisements (i.e., presentation, in any form, of a commercial advertisement addressed to a particular person). This provision seemingly equates to an absolute opt-out of any processing of personal data for “commercial advertising”, which could potentially be interpreted much more broadly than the GDPR’s “direct marketing”.

As per Section 35(2), a data subject may, with regards to commercial advertising, execute a contract with the data controller, on the basis of which the controller may process the data subject’s personal data for financial gain.

According to Section 36(1), data subjects have the right to ask the controller, through procedures that will be stipulated by regulations, to ensure that no decision based solely on automated means is made, where that decision has a significant impact on the data subject. The way the right is drafted indicates a departure from the GDPR’s approach, which treats this as a prohibition with exceptions rather than as a right that must be actively exercised by data subjects. Where the data controller proceeds to make a decision solely on the basis of automated means, the controller must, as soon as possible, inform the data subject that a decision was made based on automated processing, and the data subject has the right to request that the automated decision be reconsidered (Section 36(2)). However, these rights shall not apply if a decision based on automated processing is necessary to enter into or enforce a contract between the data controller and the data subject, if it is permitted by any law, or if the data subject has given their consent (Section 36(3)).

Lastly, Section 38 provides that the data subject may ask the Commission to make an order to a controller or processor to modify, block, delete, or destroy personal data relating to them if the personal data is incorrect, even if the controller or processor received this data as part of an accurate record given to them by the data subject or another person. 

Cross Border Data Transfers and Data Localization: A Three-Tiered Approach to Data Transfers

Part 5 begins by providing that, in consideration with the provisions of PIPA, the Commission may prevent the export of personal data out of Tanzania (Section 31(1)). Such a restriction notwithstanding, personal data may be transferred out of Tanzania to other countries considered to have an adequate level of protection under certain circumstances, including (Section 31(2)) when the recipient determines:

In transferring the personal data to an adequate country, the controller is required to conduct an initial assessment of the importance of transferring the personal data and the recipient is required to ensure that the necessity of such a transfer is ascertainable at a future date (Section 31(3) and (4)). The controller is required to ensure that the recipient processes personal data only for the purpose for which the data was transferred (Section 31(5)).

Personal data may also be transferred to a country without an adequate level of protection if adequate protection is guaranteed and personal data is transferred for the purpose of processing that is allowed by the controller (Section 32(1)). Criteria for assessing whether adequate protection is offered by a country include (Section 32(2)):

Despite the provisions on transferring personal data to countries without adequate protection and the conditions to be fulfilled in this respect, the Minister of Communications is required, after consulting with the Commission and through regulations, to specify the type of processing and the circumstances under which the export of personal information to countries without adequate protections will not be allowed (Section 32(3)). In other words, the Minister of Communications will have the discretion to ban transfers in certain situations and for certain purposes. 

Notwithstanding the provision under Section 32(3), personal data may be transferred to non-adequate jurisdictions when:

Finally, the Commission may affirmatively permit specific transfers of personal data to a country without adequate protection (even if the other adequacy criteria cannot be fulfilled) where the controller assures the Commission that there are adequate security safeguards in place, there is a guarantee of the rights and freedoms of the data subject in the domestic laws of the recipient’s country, there is an ability to enforce the rights of data subjects, and that the protection can be implemented through adequate legal, security, and regulatory measures.

Enforcement: New Data Protection Authority, Processes, and International Cooperation

Data Protection Authority

Section 6(1) of the Act establishes the Personal Information Protection Commission. The Commission shall be headed by a Director General who shall be appointed by the president (Section 11(1)) and will have the following duties:

The management of the Commission shall be overseen by a seven-member Board (Section 8) with a Chairperson, vice chairperson, and five at-large members. The Chairperson and the vice-chairperson shall be appointed by the president of Tanzania; if the Chairperson is from Tanzania, the vice chairperson shall be appointed from Zanzibar, and vice versa. The Board shall, among other functions, oversee the activities and performance of the Commission (Section 9(2)(b)) and approve and oversee financial management procedures and service rules (Section 9(g)). The board may form committees to conduct its functions (Section 10).

Financial Resources

Per Section 51, funding for the Commission includes an amount set by the Parliament, along with paid fines, donations, gifts or grants, loans, and any other income derived from the Commission’s activities. The Act also describes the internal mechanisms for management of the Commission’s financial resources, the role of the Board and the Director General, and the Commission’s accountability duties. Annual budgets must be approved by the Minister of Communications, who has the power to ask the Commission to adjust a proposed budget. Additionally, the Director General must submit an annual report to the Minister, who will in turn submit it to the Parliament (Section 57). The Act does provide for the Minister or the Parliament to otherwise intervene in the Commission’s activities.

Initiating a Complaint

Data subjects may issue complaints to the Commission on the basis of violation of the Act by a controller and/or a processor (Section 39(1)). Upon receipt of a complaint, the Commission shall notify the data controller or processor of the complaint and its intention to conduct investigations (Section 40). Investigations shall be conducted and completed within 90 days from when the complaint was submitted (Section 39(3)). The Commission may, depending on the circumstances of the investigation, extend an investigation up to a maximum of another 90 days (Section 39(4)). The investigation process shall be done confidentially and with all security requirements in place.

Commission’s Authority During Investigations

Section 42 enumerates the Commission’s investigatory powers, including to:

The Commission will also receive submissions from the complainants and the data controller or processor. The Commission may engage other individuals or authorities to assist in enforcement of the law (Section 44). The Commission may apply to the courts for preservation orders when personal data involved in an investigation is at the risk of loss or alteration (Section 59).

Section 43 of PIPA makes it an offense to obstruct the Commission during performance of its investigations. The offense of obstructing the Commission attracts a fine between 100,000 and 5,000,000 Tanzania Shillings (approximately between 42 and 2,130 US Dollars) or imprisonment for not more than two years, or both.

Outcome of Investigations

If the Commission concludes that there has been a violation of the Act, the Commission may issue an enforcement notice requiring the controller and/or processor to take appropriate measures to remedy the violation (Section 45). Where the controller or processor fails to comply with the enforcement notice issued by the Commission, the Commission may, based on certain factors, issue a penalty notice and require that the controller or processor pay an administrative fine (Section 46). The elements to be taken into account by the Commission when deciding whether to issue a penalty notice and the fine to be paid are enumerated under Section 46(2). Where the Commission decides to issue a penalty notice, the law sets the maximum fine to 100,000,000 Tanzania Shillings (approximately 42,600 US Dollars) (Section 47).

Once the Commission has made a decision, two actions may follow:

The Commission may order a controller and/or processor to compensate a data subject for harm caused by violations of the Act’s provisions, in addition to other penalties and with regard to Section 37 on the right to compensation.

Offenses, Sanctions, and Compensation: From the Offense of Obstruction to Wide Penalty Bands for Different Offenses

Civil and Criminal Liability

Beyond the offense of obstructing the Commission during investigations mentioned above, PIPA creates an offense for the disclosure of personal data for any reason other than the intended purpose, and for selling personal data obtained contrary to the law (Section 60). Individuals may be punished by a fine between 100,000 and 10,000,000 Tanzania Shillings (approximately between 42 and 4,260 US Dollars), imprisonment for up to 10 years, or both. Companies or organizations may be fined between 100,000,000 and 5 billion Tanzania Shillings (approximately between 42,600 and 2,130,000 US Dollars) (Section 60(6)).

The law also prohibits the destruction, deletion, concealment, misrepresentation, or alteration of personal information in violation of the law (Section 61). These offenses attract a fine between 100,000 and 10,000,000 Tanzania Shillings (approximately between 42 and 4,260 US Dollars), imprisonment for up to 5 years, or both. Where an offense is committed by a company, the company and every officer of the company who knowingly and intentionally violates the law shall be held liable (Section 62). The law creates a “general punishment” for offenses not specifically stipulated that still amount to a violation under the Act (Section 63). The penalty for an offense not specified under the law is between 100,000 and 5,000,000 Tanzania Shillings (approximately between 42 and 2,130 US Dollars), imprisonment for up to 5 years, or both.

Compensation Under PIPA

Section 37(1) provides that a data subject who suffers harm due to the violation of the Act’s provisions by a controller or processor is entitled to compensation. A data subject shall be entitled to compensation on condition that (Section 37(2)):

Where the Commission is satisfied that a data subject has suffered harm under compensable circumstances and there is risk of further violations, it may order the data controller to modify, block, delete, or destroy personal data. Once the Commission has made an order, it may also make an order requiring the controller and processor to inform any third parties that had received the personal data of the order to correct, block, delete, or destroy that data (Section 37(4)). When making such an order, the Commission will consider the number of people to be notified (Section 37(5)).

Section 50 specifies the relative liability of the data controller and the data processor. The controller is conditionally responsible for the results of the processing. The processor is responsible in two cases: (1) if they have not complied with the duties specifically addressed to them under the Act or (2) if they have acted contrary to the controller’s instructions. The controller and/or the processor may only avoid liability if they can prove that they were not involved in any way in the event that caused harm.

Expected Regulations

Finally, Section 64 stipulates the various regulations required for the implementation of the Act, including but not limited to:

As stated previously, the Minister has already released draft regulations that cover registration of data controllers, cross border data transfers, and the handling of complaints.

Conclusion

Tanzania’s adoption of this legislation is a significant development for data protection in the country. The Act reflects common provisions found in many other regional and global data protection frameworks, and also includes unique provisions, particularly related to the governance of the new data protection authority. Tanzania’s differing approach can also be seen in provisions dealing with cross border data transfers. As the country awaits the commencement of the Act and the publication of regulations, Tanzania remains a jurisdiction to watch for those interested in African data protection.

Editors: Lee Matheson and Isabella Perera

1  The Act uses “data collector” throughout. The definition of a “data collector” provided under the law is similar to that of a “data controller” in many other data protection laws. However, in laws like Uganda’s, a “data collector” is differentiated from a “data controller”. Thus, since the definition of “data collector” provided under PIPA is similar to that of a controller in many other laws, we use “data controller” throughout the blog.