The “Colorado Effect?” Status Check on Colorado’s Privacy Rulemaking

Colorado is set to formally enter a rulemaking process which may establish de facto interpretations for privacy protections across the United States. With the passage of the Colorado Privacy Act (CPA) in 2021, Colorado, along with Virginia, Utah, and Connecticut, became part of an emerging group of states adopting privacy laws that share a similar framework and many core definitions with a legislative model developed (though never enacted) in Washington State. However, while the general model of legislation seen in the CPA is similar to recently enacted state privacy laws, the CPA stands alone in providing authority to the state Attorney General to issue regulations. 

Because no other similar state law has provided for this type of interpretative authority, regulations issued by the Colorado Attorney General could have far-reaching implications for how both businesses and regulators in other jurisdictions come to interpret key state privacy rights and protections. Colorado’s pre-rulemaking process recently concluded, revealing a range of possible directions that formal rulemaking could take. Below, we assess key priorities and areas of significant divergence that have been brought into focus both through public comments from stakeholders and questions posed by the Attorney General.

The Rulemaking Process

The CPA grants broad discretionary rulemaking authority to the Colorado Attorney General to issue regulations to help implement the Act. In April 2022, Colorado Attorney General Phil Weiser released a set of pre-rulemaking considerations containing a series of questions for public comment. This document offered the first hints as to the specific topics that the Colorado Department of Law (“the Department”) is considering addressing beyond opt-out mechanisms. It includes targeted questions on the CPA’s consent requirements, restrictions on so-called “dark patterns”, standards for data protection assessments, and consumers’ right to opt-out of certain automated profiling decisions. The Department’s questionnaire received 44 comments from a range of stakeholders including business groups, non-profits, civil society organizations, and think tanks (including the Future of Privacy Forum). We provide a non-comprehensive summary of significant issues addressed across these public comments below.

1. Universal Opt-Out Mechanisms

Colorado holds the distinction of being the first state to clearly require that businesses allow consumers to exercise certain privacy rights on an automated basis through technological signals (such as browser settings or plug-ins). Notably, opt-out mechanisms are the only topic on which the CPA requires rulemaking, directing the Attorney General to establish “technical specifications” for signal mechanisms that will: (1) prohibit signal providers from unfairly disadvantaging other businesses, (2) ensure that signals represent a consumer’s freely given choice to opt out, and (3) permit covered entities to authenticate that a signal is sent by a resident of the state and represents a legitimate request to opt out. The Department’s questionnaire addressed these issues and sought additional input on how signal mechanisms should apply to data collected offline.

Default Signal Settings: The CPA prohibits opt-out mechanisms that are a “default setting” and instead requires signals to represent a consumer’s “affirmative, freely given, and unambiguous” choice to opt out. The Department’s questionnaire sought feedback as to whether a consumer’s selection of a tool marketed for its privacy features without taking additional action would satisfy the requirement for user intent (an approach that regulators in California appear to have endorsed). This inquiry generated a broad range of responses. For example, a Wesleyan University professor asserted that the selection of “privacy-preserving products” including FireFox, Brave, and DuckDuckGo Privacy Essentials can unambiguously reflect an intent to opt out of targeted advertising and other forms of data monetization without requiring a user to take additional steps. Industry groups such as the Colorado Chamber of Commerce typically rejected this view, arguing that “any mechanism involving a default or pre-selected opt-out choice in effect would be an opt-in, rather than the opt-out required by the statute.” The Future of Privacy Forum called for a context-specific approach, arguing that while the installation of a single-purpose plug-in may reflect unambiguous consumer choice to opt out, the use of a multi-feature product such as a web browser would be unlikely to satisfy the CPA’s statutory requirements.

Opt-Out Signal Authentication: Under the CPA, opt-out mechanisms are required to allow recipient organizations to authenticate a signal’s user as a Colorado resident and to determine that the signal represents a legitimate opt out request. Numerous commenters expressed concern that establishing strict authentication procedures could have the effect of frustrating consumer intent in exercising their privacy rights and suggested regulatory workarounds. For example, the Colorado Privacy Policy Commission suggested a standard that opt-out signal authentication must require no more than three steps to complete. Separately, several organizations including Consumer Reports and the Network Advertising Initiative (NAI) suggested that regulations could permit authenticating residency with a user’s IP address. However, the State Privacy and Security Coalition (SPSC) and TechNet raised concerns about VPNs and other technologies that can make determining location by IP addresses unreliable, and further posited that the CPA may raise Constitutional concerns if enforcement of opt-out mechanisms extends beyond authenticated Colorado residents.

Signal Scope: A significant technical and policy challenge for the use of opt-out mechanisms is whether a signal can and should apply to data collected outside of the signal’s medium. For example, can a browser-based signal be used to exercise consumer rights over information that was previously collected at a brick-and-mortar retail store? Consumer Reports argued that while regulations should not require the collection of additional information in order to process opt out signals, a signal should apply beyond its present interaction “if the user is authenticated to the service by an identifier that applies in other contexts.” In contrast, business groups highlighted technical limitations with opt-out signals as they presently exist, for example, the Computer and Communications Industry Association (CCIA) posited that “if only browser extensions can serve as [opt out signals], the requirement to honor [opt out signals] should only extend to browsers.”

2. Consent

The CPA requires covered entities to obtain individual consent in certain circumstances, including for the processing of sensitive personal data and for incompatible secondary uses of information. The Act requires that consent be “freely given, specific, informed, and unambiguous,” closely matching the definition in other state laws and modeled on European privacy law. The Department sought information about each of these elements of consent as well as existing consent mechanisms.

Revoking Consent: Multiple organizations pointed to the lack of an explicit right to “revoke” consent as a potential gap in the statute to cover through rulemaking. The Electronic Privacy Information Center (EPIC) and The Samuelson-Glushko Technology Law & Policy Clinic at Colorado Law (TLPC) explained that while the CPA requires that it be just as easy to withdraw consent as it is to provide it in the case of overriding a universal opt out, there is no explicit right to revoke consent for other instances of data processing in the Act. Future of Privacy Forum pointed to broader rights of revocation in the GDPR and Connecticut Data Privacy Act as potential models to follow, recommending that “forthcoming regulations follow an approach similar as Connecticut by providing that consumers may, at any time, withdraw previously provided consent.” Law firm Husch Blackwell also highlighted model rights of revocation in other privacy regimes, further noting that “although it could be argued that the right to revoke consent is implicit in the CPA, it is not clear that Colorado law supports this position based on analogizing from existing court decisions.”

Implied Consent: Industry and advocacy groups alike also weighed in on when, if at all, implied consent could meet the statutory requirements of the CPA. CCIA contended that an “affirmative act” where a consumer purposefully provides personal data should not require additional consent procedures: “For instance, a consumer who intentionally submits sensitive demographic data (such as citizenship status or religious affiliation) while completing an online form should be deemed to have consented to the collection and processing of that demographic data.” On the other hand, EPIC and Consumer Reports sought stricter standards for obtaining consent. Consumer Reports proposed mandating that any request for consent include a “dedicated prompt” that “clearly and prominently describes the processing for which the company seeks to obtain consent,” while EPIC argued that consent should not be implied when a consumer exits a pop-up window that asks for consent.

3. Dark Patterns

The Colorado Privacy Act states that a consumer’s consent is not valid if obtained through the use of “dark patterns” which are defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” This language originated in the proposed DETOUR Act introduced by U.S. Senators Warner (D-VA) and Fischer (R-NE) in 2019. In the context of the CPA, the concept of dark patterns is a subset of the Act’s approach to individual consent. Nevertheless, the Department posed several specific questions on dark patterns, including whether the rules should outline specific types of dark patterns and what standards or principles could best guide design choices to avoid dark patterns.

Dark Patterns Definition and Scope: Several business groups raised concerns with the CPA’s definition of “dark patterns”, such as CTIA, which argued that the term is “vague” and leaves the door open to confusion on the part of both consumers and businesses. Numerous industry commenters encouraged the Department to avoid a prescriptive approach to the term and to instead focus on practices that amount to consumer deception or fraud, pointing to a long line of Federal Trade Commission enforcement actions in this realm. In contrast, some advocacy groups called for an expansive interpretation and application of the term “dark patterns” in order to protect consumers beyond the context of CPA’s “consent” requirements. For example, Common Sense Media recommended “prohibiting asymmetric platform design practices that limit users’ ability to change user settings, delete personal data, or delete their account.” Colorado Public Interest Research Group (CoPIRG) went a step further, recommending the development of rules that “prohibit platforms from using dark patterns in any consumer interaction.” However, it is unclear whether the Attorney General would have the statutory authority to issue expansive new restrictions on user interface designs along these lines.

4. Data Protection Assessments

Data Protection Assessments (“Assessments”) are an increasingly common requirement in privacy and data protection regimes around the globe. The CPA is no exception and requires an assessment for processing that “presents a heightened risk of harm to a consumer.” Assessments must weigh the risks and benefits of the processing activity and must be made available to the Attorney General upon request, though they are exempt from disclosure under the Colorado Open Records Act. The Department’s questions on this topic sought to clarify what circumstances should allow them to request an assessment and what requirements should exist for the form and content of the assessment.

Parameters for Requesting Assessments: TLPC recommended treating assessments as an ongoing process, with consistent feedback and input from affected consumers, controllers, and the Department of Law. In contrast, industry groups, including NAI, CCIA, CTIA, SPSC, and the Denver Metro Chamber of Commerce, asked that the Department establish specific parameters for when they may ask for an assessment to be conducted or disclosed. For example, the Alliance for Automotive Innovation (AAI) discouraged a regular cadence for iterating upon assessments, instead proposing that controllers be required to “update them only when there is a material change in processing activities that is likely to have an impact on consumer privacy.”

Form and Content of Assessments: In general, privacy advocates sought to establish more detailed parameters for the form and content for assessments, while industry representatives such as NAI, AAI, and various Chambers of Commerce sought more flexibility. For instance, while EPIC provided a list of preferred mandatory requirements, the Colorado Chamber of Commerce suggested that the Department “publish a set of voluntary factors that the controller could consider as they undertake a data protection assessment.”

5. Profiling

The CPA creates a new right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. Once again, this right is common to many emerging state privacy laws and is based on language that originated in the European Union. The Department raised numerous topics concerning profiling, including the disclosures about automated processing necessary for consumers to make informed opt out decisions, whether the rules should address specific legal or civil rights concerns or specific applications of profiling, whether there could be negative impacts of immediately implementing a request to opt out of profiling, and how the statute should apply to “partial” automated decisions.

Transparency: The application of the CPA’s transparency requirements to automated decision making systems was a significant focus for commenters. Industry comments typically sought limitations on disclosures, with the Denver Metro Chamber of Commerce arguing that “requiring granular visibility into each rapidly changing processing activity could cripple business.” CCIA further called for “explicit protections for intellectual property, trade secrets, and other legal rights of the business in question.” In contrast, EPIC called for broader disclosures about profiling activities such as “the sources and life cycle of the data processed by the system, including any brokers or other third-party sources involved in the data life cycle; and how the system has been evaluated for accuracy and fairness, including links to any audits, validation studies, or impact assessments.”

Opt Out Rights: Commenters also engaged on the range of profiling activities that should be subject to the consumer opt out right. Industry groups highlighted beneficial processing operations that could be disrupted by a broad reading of the language, including processing necessary for vehicle safety systems, fraud prevention, maintaining system integrity and security, and ad measurement and reporting. Many of these groups also called for regulations to limit the opt out right to “solely” automated decisions (that lack any human oversight), as Connecticut lawmakers have done. On this point, the Future of Privacy Forum recommended that consumer opt out rights still apply in situations where the human review of a profiling decision amounts to little more than a “rubber stamp.”

6. Miscellaneous Topics

Given the Attorney General’s broad rulemaking authority, any CPA topic is theoretically on the table for rulemaking, even if not specifically addressed in the questionnaire. Commenters sought regulatory tweaks and clarifications on many additional topics including:

• Biometric Data: While, the Colorado Privacy Act designates “biometric” data as inherently “sensitive,” subject to consent requirements, it does not provide a definition of the term. As there is no general consensus on the precise scope of what “biometric” data entails, several organizations requested clarification through rules. Commenters recommend following either the definitions used by Connecticut (broader) or Virginia/Utah (narrower).
• Publicly Available Information (PAI): Unlike other privacy laws, the CPA does not explicitly exempt “widely distributed media” as a category of publicly available information that is exempt from coverage under the Act. Multiple organizations including RELX and the Software and Information Industry Association (SIIA) responded by encouraging the Department to broaden the scope of the Act’s definition of PAI to match existing privacy regimes. Journalistic organizations including Denver TV station KMGH and various Colorado public radio stations also weighed in to express concern with the lack of carve outs for news-gathering activities and highlight potential First Amendment concerns with this omission.
• Deletion Requests: RELX and TechNet raised operational challenges for B2B companies in complying with deletion requests, suggesting instead that these companies achieve compliance through processing deletion requests as opt out requests. The Virginia legislature passed an amendment to their privacy law to this effect earlier this year. The People Search Services Coalition also explained that for companies that routinely pull data from public sources, constant updating of data inherently renders any compliance with a deletion request illusory and temporary.
• Non-Profit Organizations: Of the five comprehensive state privacy laws, the Colorado Privacy Act is alone in applying to non-profit organizations. In response, numerous non-profits involved in activities ranging from fraud detection to higher education filed comments, seeking either special regulatory consideration or entity-level carve outs from the CPA’s obligations.
• Non-Retaliation Right: The CPA specifies that controllers may not “increase the cost of, or decrease the availability of” a product or service “based solely on the exercise of” a privacy right. NAI urged the Department “to clarify that it is within a business’ duty, particularly for web and app publishers, to charge a reasonable fee for services, related to the value of a consumer’s data, if consumers choose not to share their data.” Consumer Reports’ comments aimed to prohibit the possibility of “differential treatment or pricing based on a consumer’s choosing to exercise a privacy choice.”

Next Steps

The Attorney General has announced a goal of issuing draft regulations in the fall of 2022 (note: AG Weiser is on the ballot for Colorado’s General Election in November, the outcome of which may influence this timeline). Pursuant to the Colorado Administrative Procedure Act, publishing draft regulations will begin a formal notice-and-comment phase, which will also include at least one formal hearing. Given the importance of Colorado’s rulemaking process to the U.S. privacy landscape and the range of directions that the Attorney General could take on rulemaking (in both scope and substance), it can be expected that stakeholders will remain actively engaged in this process.

FPF Participates in FTC Event on “Commercial Surveillance and Data Security” Proposed Rulemaking

Yesterday, FPF Senior Director for U.S. Policy Stacey Gray participated in a panel discussion hosted by the Federal Trade Commission (“FTC”) regarding its Advance Notice of Proposed Rulemaking (“ANPR”) on “Commercial Surveillance and Data Security” (comments start at 1:39:00). Feedback from the public forum is intended to help inform the Commission’s decision whether to proceed in rulemaking and what form a new market-wide rule governing consumer privacy could take.

As a panelist, Stacey Gray urged the Commission to move forward with its rulemaking proposal, noting that exponential increases in the benefits and harms of data collection in our daily lives make it the right time to establish national rules on what constitutes unlawful behavior with respect to the collection and use of personal data. Highlighting potential regulatory solutions, Gray urged the Commission to codify existing case settlements requiring accurate disclosures and reasonable data security practices and to apply the Commission’s “unfairness authority” to reform business practices that result in data-driven discrimination and harmful secondary uses of personal information.

The public forum included two expert panels, one on industry perspectives and one on consumer advocate perspectives regarding the consumer data issues implicated by the rulemaking. Furthermore, presentations from the Commissioners as well as the questions posed by the panel moderators may offer further insight into how the FTC is approaching rulemaking on consumer harms in the present digital ecosystem.

Panel 1: Industry Perspectives

The first panel was moderated by Olivier Sylvain, senior advisor to FTC Chair Khan. In addition to asking about the restrictions that a new privacy rule should create, Mr. Sylvain’s questions covered existing industry best practices (including for the retention of sensitive data), ways the Commission can incentivize best practices short of rulemaking, and current market incentives to collect data. 

While the ANPR broadly defines “commercial surveillance” to include “collection, aggregation, analysis, retention, transfer, or monetization of consumer data,” industry panelists stressed that there are a wide range of uses of personal data that create different risks, depending on context. For example, Digital Context Next’s Jason Kint argued that while first-party use of data to tailor experiences is expected by consumers, secondary uses (including targeted advertising) tend to violate these expectations. National Retail Foundation’s Paul Martino agreed that there are greater risks inherent to data collection and processing by third-party businesses, which may lack incentives to develop long term customer relationships.

In the context of best practices, panelists paid particular attention to the topic of data security. Mozilla’s Marshall Erwin described a “universally accepted” (though not universally adopted) consensus set of data security practices that includes the encryption of personal information in transit, employee access controls, and password standards. Mr. Martino further pointed to controls like multi-factor authentication, malware and antivirus software, and patching, though he stressed that there is no “one size fits all” approach to cybersecurity standards.

The Partnership on AI’s Rebecca Finlay encouraged the Commission to review data governance models emerging in jurisdictions outside the U.S. to evaluate the merits of different regulatory approaches. She specifically highlighted the privacy interests of children and the United Kingdom’s recent Age Appropriate Design Code, which includes transparency and data minimization standards. Mr. Erwin also highlighted the need to protect childrens’ privacy, while cautioning that some approaches can result in “privacy theater” with minimal tangible benefit.  

Panel 2: Consumer Perspectives Panel

The second panel was moderated by Attorney Advisor to the FTC, Rashida Richardson. Ms. Richardson’s questions underscored the Commission’s focus on civil rights and on children and teenager’s privacy, as well as its interest in ensuring that requirements placed on industry are in fact privacy and security-protective. She asked for insights from the panel on the unique impacts of online tracking and data collection on members of protected classes and on children and teenagers and the extent to which data minimization and transparency requirements are effective tools to combat the harms associated with widespread collection of personal data. Finally, she asked about the limitations of the traditional notice and consent model for protecting consumer privacy. 

Members of the panel signaled strong support for the FTC’s efforts to establish national, clear standards regarding what constitutes unfair or deceptive data collection, storage, and use. EPIC’s Caitriona Fitzgerald spoke to the inability of many individuals to understand or protect themselves from harmful data collection online in the absence of regulatory intervention. Upturn’s Harlan Yu and the Joint Center for Political and Economic Studies’ Spencer Overton, focused on marketplace harms borne by the members of historically-marginalized and protected groups in critical areas, such as housing, education, and voting. Citing examples of housing and employment discrimination enabled by widespread data collection, they urged the Commission to place limits on the ability of data brokers and other parties to collect and aggregate certain sensitive types of data. The German Marshall Fund of the U.S.’s Karen Kornbluh added that online data collection and aggregation, when it is deployed to interfere with elections or track members of the armed services, poses national security as well as privacy risks. 

FPF’s Stacey Gray noted that, when applying the unfairness standard, the Commission should be mindful of the fact that fairness determinations “inherently involve balancing, context, and policy tradeoffs,” emphasizing that, “many secondary uses of data can and should enable academic research, support for public health, fraud detection, and perhaps, to a reasonable extent, advertising-supported content.” Mr. Overton returned to this theme, noting that data-enabled targeted messaging can be positive when it provides individuals with information that is particularly relevant to them, such as messaging about sickle cell disease aimed at African-American audiences.

Commissioners Weigh In

In opening the public forum, Chair Khan noted that digital tools can deliver “huge conveniences” but also contribute to the tracking and surveillance of individuals in entirely new ways. She further emphasized the legal tests that the Commission must satisfy if it is to proceed in rulemaking. Commissioner Slaughter spoke favorably of efforts to enact comprehensive federal privacy legislation, but emphasized that until there’s a law on the books, the Commission must make use of all its enforcement tools to investigate and address unlawful behavior. Her comments highlighted harms to adolescents who are not covered by existing children’s privacy laws as well as harms resulting from AI and advanced algorithms.

Commissioner Bedoya spoke following the panel presentations, stressing the importance for the Commission to receive a broad array of first-hand consumer accounts of unfair and deceptive practices. Picking up on points raised by FPF’s Stacey Gray on the history of “unfairness” in U.S. privacy law, Bedoya also noted that the ANPR’s broad scope reflects the sum total of historical privacy frameworks in the United States, such as the Brandeis-Warren ‘Right to Privacy’ and the Fair Information Practice Principles (FIPPS), that go beyond mere ‘notice and consent’ protections. Commissioners Wilson and Phillips, who both voted against the FTC’s ANPR, did not participate in the event.

Next Steps:

In addition to the public forum, the Commission will consider written responses to the ANPR in determining whether to proceed in a new privacy and data security rulemaking; the deadline for public comment is October 21, 2022.

The Commission’s 95-question ANPR covers a broad range of topics, seeking information on the prevalence and harms of particular industry practices (including in advanced algorithms, children’s data, and targeted advertising), potential regulatory interventions (such as data minimization, consent, and transparency), and remedies (such as first-time fining authority and “algorithmic disgorgement”).

Due to its expansive nature, the ANPR has been heralded for attempting to rein in invasive and unfair business practice, while critics have alleged the proposal exceeds the Commission’s statutory authority. The Commission could pursue a range of possible directions in crafting new privacy and security rules for U.S. businesses, and stakeholders will be closely watching for additional indications from the Commission on what will come next.

View a video and transcript of the public forum here.

New Report on Limits of “Consent” in Japan’s Data Protection Law

Introduction

Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the fourteenth and final report in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in Japan, including:

• notice and consent requirements for processing personal data;
• the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Japan’s Data Protection Landscape

The primary legislation in Japan governing the collection, use, and disclosure of personal information by private entities is the Act on Protection of Personal Information (APPI), which took effect in 2003 and applies to any handling of the personal information of data subjects (termed “principals” in the APPI) in Japan by businesses which supply goods and services to persons in Japan, termed “personal information handling business operators” (PIHBOs).

A core principle of the APPI is that personal information may only be processed for a specific purpose (termed the “utilization purpose”), which must be specified as clearly as possible. Before handling personal information, a PIHBO must notify the data subject or the public at large of the utilization purpose for handling the information (unless an exception applies). A PIHBO may also handle personal information in a manner that is consistent with that purpose without having to obtain the data subject’s consent.

The APPI was substantially amended in 2015, 2020, and 2021. These amendments did not significantly impact the APPI’s notice and consent framework.

• The 2015 amendments, which took effect in 2017, among others, introduced a set of enforceable rights and established an independent supervisory authority to oversee and enforce the APPI, the Personal Information Protection Commission (PPC).
• The 2020 amendments, which took effect in 2022, clarified the extraterritorial application of the APPI and disclosure and due diligence requirements for cross-border data transfers. These introduced a mandatory data breach notification scheme and new categories of “pseudonymously processed personal information” and “personally referrable personal information.”
• The 2021 amendments, among others, established a unified data protection system for both public and private entities and expanded the scope of an exemption to the APPI for use of personal information in academic studies.

Following the 2015 amendments to the APPI, the PPC has been empowered to enforce the APPI and issue guidelines to aid compliance.

Regarding guidance, the PPC to date has issued comprehensive guidelines (in Japanese) on interpretation of the APPI as well as more targeted guidance on specific topics, in a question-and-answer format. The PPC’s guidance is complemented by other guidelines (In Japanese) on personal data protection in specific sectors (including finance, credit reporting, debt collection, medical care, insurance, and genomics) issued by sectoral regulators.

Regarding enforcement, the PPC is empowered to conduct investigations into PIHBOs’ personal data protection practices and issue non-binding recommendations to cease certain conduct or rectify non-compliance with certain of the APPI’s requirements. If a PIHBO fails to implement the recommendation without a legitimate excuse, or in cases where urgent action is required, the PPC is further empowered to issue a binding order for the PIHBO to take appropriate action. Failure to comply with a binding order from the PPC is a criminal offense punishable with imprisonment or a fine.

Role and Status of Consent as a Basis for Processing Personal Data in Japan

Consent is not required for all handling of personal information under the APPI. As discussed above, a PIHBO may collect and use personal information for a utilization purpose without obtaining the data subject’s consent. However, the PIHBO must still ensure that the handling is lawful and fair and in most cases, notify the data subject of how his/her personal information will be handled.

That said, consent plays a number of secondary roles and may be required for certain activities concerning personal information. By default, a PIHBO must obtain data subject’s consent before:

• changing the utilization purpose or handling the data subject’s personal information beyond the scope necessary to achieve the utilization purpose;
• disclosing the data subject’s personal information to a third party under certain circumstances; or
• handling “personal information requiring special care” (a class of sensitive personal information comprising personal information about a person’s race, creed, social status, medical history, criminal record, having been a victim of a crime, disabilities, or health condition).

Consent also functions as one of several legal bases under the APPI for transferring personal information out of Japan. In this context, consent is only valid if the PIHBO first provides the data subject with certain information, including the jurisdiction to which the personal information will be transferred, details on the personal information protection system of that jurisdiction, and details of any action that the recipient will take to protect the personal information.

Though the APPI provides a number of exceptions to consent requirements, these exceptions are generally only available where provided by another law or regulation, or where there is a need to:

• protect a person’s life, health, or property or public health, and it is difficult to obtain the data subject’s consent;
• cooperate with a public authority, and seeking consent would interfere with the operations of that authority.

Additionally, the APPI also exempts certain activities, including academic research, journalism, and activities of political or religious organizations, from its requirements, including consent requirements, subject to certain obligations to secure and appropriately handle personal information.

The APPI does not define consent or specify the forms of consent that would be considered valid under the APPI. However, the PPC has issued guidelines which suggest that consent must minimally be specific and voluntary and provide examples of valid measures for obtaining consent in practice.

While express consent would qualify as valid under the APPI, there is ambiguity as to whether implied consent would qualify as valid for this purpose. Guidance from the PPC suggests that opt-in implied consent could be considered valid in appropriate cases but does not provide examples of any such cases.

However, certain sectoral guidelines, including for the medical care and debt collection sectors, do specify a number of situations in which consent can be inferred or would not be strictly required.

Read the previous reports in the series here.

FPF Welcomes Senior Fellows Covering Data Protection in Latin America and Japan

FPF welcomes two new Senior Fellows to the Global team that will provide ad-hoc insight into the state of play of data protection and privacy law developments in their regions: Pablo Palazzi for Latin America, with a focus on Argentina, and Takeshige Sugimoto for Japan.

Pablo Palazzi

The challenges for Latin America are finding a proper and adequate model to regulate data privacy, considering the region’s particularities. Latin America is a region that includes 33 countries and 660 million people.

Currently, first-generation laws are 20 years old, and only a handful of laws are based on GDPR, such as in Brazil and Ecuador. The remaining laws that were correct 20 years ago are not up to date to face the challenges that modern society requires. There is much room to enhance cooperation between DPAs in the region and to work on harmonizing the legal frameworks.

Palazzi participated actively as an external consultant in the European Commission’s adequacy assessments of Uruguay and Argentina, where he was also actively involved in drafting a data protection bill based on the GDPR in the years 2017-2018. He was a consultant for the “Red Iberoamericana de Protección de Datos” , drafting SCCs for Latin America. He is doing similar work for SCCs under the Council of Europe modernized Convention 108.

He was involved in drafting the Regulations of the national data protection act and the data protection law for the city of Buenos Aires (Law 1,845), and the drafting of the Computer Crimes Act in the year 2008. He was a member of the Advisory Committee of the Cybercrime Program of the Ministry of Justice of Argentina, helping to internalize the Budapest Convention. 

Palazzi has written several books on data protection matters in Spanish, including: “International transfer of personal data to Latin America” (Ad Hoc, 2003, LL.M thesis with prologue by Prof. Joel Reidenberg), “Credit Reporting Law” (Astrea, 2007), “Computer Crimes” (Abeledo, 2014), and “Delitos contra la intimidad informática” (CDYT, 2019). He also edited a two-volume book with several authors to celebrate the 20^th anniversary of the data protection law of Argentina (“Protección de Datos: Doctrina y Jurisprudencia,” CDYT, 2021). In Europe, Palazzi coordinated the book “Challenges of privacy and data protection law – Perspectives of European U.S. law” (Larcier, 2008), edited with Prof. Yves Poullet and María Verónica Pérez Asinari.

He is a member of the editorial board of International Data Privacy Law (Oxford University), a founding member of the Latin American Data Protection Law Review (annual law review on data protection, 2012-2018), and a member of the International Association of Privacy Professionals (IAPP) where he was the KnowledgeNet chair for the Buenos Aires chapter. Palazzi also collaborated in drafting the Model Data Processing agreement at IAPP´s Privacy Bar Section. In 2022, Palazzi was awarded the Vanguard Award by IAPP for his work in the region of Latin America. He has been a frequent speaker at the CPDP conferences in Brussels and Latam, at PLI seminars in New York, the IAPP summit in Washington, DC, and the Privacy Laws & Business conference at Cambridge University.

Palazzi obtained his law degree at the School of Law of Universidad Católica. In May 2000, he received an LL.M. from Fordham Law School, where he also worked as a research assistant for Prof. Joel Reidenberg. Pablo wrote his LL.M. thesis on international transfers of personal data and the adequacy of Latin American countries. 

Takeshige Sugimoto

spacer here

Japan’s Act on the Protection of Personal Information (APPI) is as vigorous as the GDPR in protecting individuals’ rights to person data. The APPI has established two sets of rules: one for the private sector, which stipulates obligations and penalties for the person information handling business operators, and another for the public sector, which stipulates obligations and penalties for administrative organizations and incorporated administrative agencies.

Starting in April 2023, local governments’ personal information protection systems will also enforce commons rules. This will position the APPI as the single comprehensive data protection law applicable to private and public sectors, including local governments.

It will be interesting to see how Japan can continue to play an important role in discussing the emerging risks surrounding personal data protection, such as data localization and unlimited government access.

Sugimoto’s data protection practice includes establishing and reviewing clients’ global data protection compliance systems, representation, and defense in disputes involving global data protection law issues, including but not limited to negotiations with European, UK, US, Chinese, and Japanese data protection supervisory authorities. As a Japanese lawyer, he regularly advises various clients on the APPI, taking into account his paralleled ongoing practical experiences with the EU General Data Protection Regulation (GDPR), UK GDPR, US California Consumer Privacy Act (CCPA) / Consumer Privacy Rights Act (CPRA), and China’s Personal Information Protection Law (PIPL).

As a former Brussels resident between 2013 and 2020, he has practiced European data protection laws, including both EU member states’ data protection laws under the EU Data Protection Directive of 1995 and EU GDPR as a member of major law firms’ Brussels offices. He has successfully represented numerous clients over the years in obtaining European data protection supervisory authorities’ approvals of EU Binding Corporate Rules (BCRs) for Controllers and Processors under the EU GDPR, following each of the European Data Protection Board (EDPB)’s opinions on the respective authorities’ draft approval decisions for those BCRs. Furthermore, he represents clients in their applications for approval of UK BCRs under the UK GDPR to the UK Information Commissioner’s Office (ICO). He has also assisted clients in preparing for the UK’s International Data Transfer Agreement, a new data transfer mechanism. 

Since adopting the CCPA in 2018, followed by the CCPA Regulation issued by the California Attorney General, Sugimoto has advised several major companies on their CCPA compliance projects. He has also assisted clients in updating their CCPA compliance mechanism in line with the CPRA. In addition, he has been closely following legislative activities of US federal privacy bills, including COPRA (Consumer Online Privacy Rights Act), SAFE Data Act, and ADPPA (American Data Protection and Privacy Act), as well as US Federal Trade Commission (FTC)’s rulemaking efforts on privacy and data security. 

Sugimoto has assisted several clients in complying with China’s data-related laws, including the PIPL, Data Security Law, and Cybersecurity Law. His ongoing work includes helping clients carry out personal information protection impact assessment under the PIPL, preparing PIPL-compliant consent forms, personal information entrustment addendums, data transfer agreements (SCCs), guidance on data protection management systems, internal security rules, privacy policies, data subject rights request manuals, personal information breach response manuals, and handling large data mapping projects in bilingual languages in collaboration with major Chinese law firms.

Outside of direct dealings with clients, Sugimoto has also been invited as a speaker at various data protection-related events organized by data protection supervisory authorities. In October 2021, he was invited to speak at the “Global Privacy Assembly 2021 Mexico,” where he participated as a panelist in “Panel IV: The Challenge of Compliance: The Perspective of Data Protection Officers.”

Sugimoto received an LL.B. degree from Keio University, Faculty of Law in 2004; an LL.M. degree from the University of Chicago Law School in 2012; and an MJur degree from the University of Oxford, Faculty of Law (Pembroke College) in 2013.

Subscribe to receive the FPF Monthly Briefing and follow FPF on Twitter and LinkedIn to get the latest global data protection updates.

Age-Appropriate Design Code Passes California Legislature

Update: On Sep 15, 2022, California Governor Gavin Newsom signed AB 2273, the California Age-Appropriate Design Code Act. The law will apply to businesses that provide online services, products, or features likely to be accessed by children and broadly requires businesses to implement their strongest privacy settings by default for young users up to the age of 18. AB 2273 will become enforceable on July 1, 2024.

This week, the California legislature passed AB 2273, the California Age-Appropriate Design Code Act (ADCA). The California ADCA is modeled after the UK’s Age Appropriate Design Code, and would apply to businesses that provide “an online service, product, or feature likely to be accessed by a child.” If enacted by Governor Gavin Newsom, the child-centered design law would be the first of its kind in the United States. 

The California ADCA would introduce significant new compliance obligations for US businesses that go beyond the requirements codified in COPPA – the longstanding federal children’s privacy law. Unlike COPPA, which defines “child” as an individual under 13 years old and applies to child-directed services, the California bill defines “child” as  an individual under 18 and applies to any online service that is “likely to be accessed by a child.” For covered entities, the bill would require the implementation of new protective measures for young users, such as configuring default privacy settings to those with the highest level of privacy, and places new limits on profiling, processing geolocation data, and the use of “dark patterns” to influence behavior.

• Age verification: The bill would require that any online service, product, or feature that is “likely to be accessed by a child” estimate the age of young users with a “reasonable level of certainty” or alternatively, apply child-appropriate protections for all consumers. The bill states that the collection of data for age estimation should be balanced appropriately to the risks.
• Data Protection Impact Assessments: Covered entities would be required to complete a Data Protection Impact Assessment (DPIA) on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children offered to the public before that date. After July 1, 2024, the bill would require entities to complete DPIAs for any new online service, product, or feature before offering them to the public. The Act would require DPIAs to account for risks and design features beyond the scope of traditional data protection issues, including elements such as the likelihood of exposure to harmful content, whether algorithms could harm children, and how design features extend use of the online product. Additionally, entities would be required to provide the California Attorney General with a list of all DPIAs the business has completed within three days following the receipt of a written request.
• Enforcement: This bill would authorize the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. Civil penalties would be capped at $2,500 per affected child for each negligent violation or $7,500 per affected child for each intentional violation. The bill was recently amended to provide for a 90-day cure period before penalties may be pursued.

What’s Next?

The California Age-Appropriate Design Code would become enforceable July 1, 2024 if enacted by Governor Newsom. The bill leaves many important questions unanswered. Covered entities may seek clarity and guidance from the California Children’s Data Protection Working Group, a new entity created by this bill. The working group would be required to submit a report to the legislature by January 1, 2024 regarding recommendations and best practices for compliance. The passing of the California ADCA reflects a growing focus on protecting children’s privacy online and many expect to see other legislatures follow California’s lead next year. 

With contributions from FPF’s Keir Lamont and Bailey Sanchez.

New Report on Limits of “Consent” in Singapore’s Data Protection Law

Introduction

Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the thirteenth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in Singapore, including:

• notice and consent requirements for processing personal data;
• the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Singapore’s Data Protection Landscape

Singapore’s Personal Data Protection Act 2012 (PDPA), which was passed in November 2012 and significantly reviewed in 2020, with the stated purpose of governing the collection, use, and disclosure of personal data by organizations in a manner that recognizes not only individuals’ right to protection of their personal data but also organizations’ needs to collect, use, and disclose personal data.

The PDPA sets the baseline standard of protection for personal data in Singapore, though organizations which are subject to sector-specific laws and regulations (including in the financial services and medical sectors) must also comply with sector-specific requirements.

The PDPA also establishes a data protection authority, the Personal Data Protection Commission (PDPC) to advance the PDPA’s stated purpose, balancing protection of personal data with use of personal data for legitimate purposes. To that end, the PDPC implements policies relating to personal data protection and issues advisory documents to help organizations to understand and comply with their obligations under the PDPA.

The PDPC is also empowered to enforce the PDPA by, for example, issuing binding directions or requiring payment of a financial penalty. The PDPC is active in enforcement and regularly publishes decisions, which effectively function as a body of case law on personal data protection matters, on its website.

Role and Status of Consent as a Basis for Processing Personal Data in Singapore

Consent has played a key role in the architecture of the PDPA since the PDPA was first enacted in 2012.  The PDPA’s default requirement is an organization may only collect, use, or disclose personal data about an individual (i.e., data subject) only if:

• the organization has obtained the individual’s actual consent (which may be express or implied) for the collection, use, or disclosure of his/her personal data; or
• the individual’s consent can be deemed by law.

However, this default requirement has always been subject to exceptions.

Between 2012 and 2021, the PDPA provided several long lists of exceptions to the consent requirement for collection, use, and disclosure of personal data in the Second, Third, and Fourth Schedules to the PDPA, respectively.

However, major recent amendments to the PDPA, which were passed in 2020 and took effect in 2021, replaced these various exceptions with a consolidated set of provisions allowing for collection, use, and disclosure of personal data without consent.

These provisions are set out in the First Schedule to the PDPA, under the following headings:

• “Vital Interests of Individuals.”
• “Matters affecting the Public.”
• “Legitimate Interests.”
• “Business Asset Transactions.”
• “Business Improvement Purposes.”

Additionally, the amended Second Schedule to the PDPA also provides further exceptions to consent for public interest and research purposes.

The new First and Second Schedules retain many of the old exceptions to consent. However,  a notable introduction was the “legitimate interests” section, which – though borrowing a term from European data protection law – was unique when compared with other major data protection laws internationally. The amended PDPA distinguishes between two categories of legitimate interests:

• The first category is a general, open-ended provision, which is available where collection, use, or disclosure of personal data is in the “legitimate interests” of the organization or another person, and such legitimate interests outweigh any adverse effect on the individual. To rely on this provision, organizations must undertake a risk assessment identifying, and implementing measures to eliminate, reduce the likelihood of, and/or mitigate any adverse effect on the individual that is likely to result from the proposed collection, use, or disclosure of the individual’s personal data.
• The second category is a closed list of exceptions for specific situations in which the PDPA recognizes the existence of a legitimate interest. If the collection, use, or disclosure of personal data falls within any of these situations, then the organization is exempted from the need to obtain consent without having to satisfy any further compliance requirements.

Another notable introduction is the “business improvement purposes” section. This provision allows an organization to share data with a related organization for the following purposes, subject to fulfillment of certain conditions, including, among others, necessity, reasonableness of purpose, and commitment to implement appropriate safeguards:

• improving, enhancing, or developing goods and services or methods and processes;
• learning about and understanding individuals’ behavior and preferences in relation to goods and services; or
• identifying goods or services that may be suitable for individuals or personalizing or customizing any such goods or services for individuals.

The 2020 amendments also expanded the situations in which an individual would be deemed by law to have consented to collection, use, or disclosure of his/her personal data. The amendments added new provisions for deemed consent by contractual necessity and deemed consent by notification. The new provision on deemed consent by notification relies on a similar risk assessment to the legitimate interests provision. Specifically, to rely on this provision, an organization must:

• take reasonable steps to inform the individual of:
  • the organization’s intention to collect, use, or disclose the personal data;
  • the purpose for which the personal data will be collected, used, or disclosed; 
• provide a reasonable period during which the individual may opt-out the proposed collection, use, or disclosure, and a reasonable means to do so; and
• conduct an impact assessment to determine that the proposed collection, use, or disclosure of the personal data is not likely to have an adverse effect on the individual.

Independently of the requirement to obtain consent, the PDPA also restricts collection use, and disclosure of personal data to purposes that a reasonable person would consider appropriate in the circumstances. An organization that wishes to collect, use, or disclose personal data must also notify the individual of this purpose, unless an exception applies.

Finally, regulations to PDPA also establish informed consent as a legal basis for transferring personal data out of Singapore.

By default, the PDPA requires that organizations which seek to transfer personal data out of Singapore must either provide the data with, or apply to the data, a standard of protection that is comparable to that under the PDPA. However, organizations are taken to have satisfied this requirement if they obtain the individual’s consent for the transfer of the individual’s personal data out of Singapore after giving the individual a “reasonable summary in writing of the extent to which the transferred personal data will be protected to a comparable standard.”

Read the previous reports in the series here.

Blog Cover Image by Aditya Chinchure on Unsplash

Looking Back to Forge Ahead: Challenges of Developing an “African Conception” of Privacy

In this post for the FPF Blog, Mercy King’ori explores the cultural and societal underpinnings of “privacy” in Africa, looking throughout history, from pre-colonial times, and beyond the modern external influences on the legislative processes resulting in general data protection laws across the continent. The first essential point to start off from is understanding that Africa is not a monolith, it is multi-cultural and context differs across communities. Thus any generalizations in this blog post should be read in this light. 

Introduction

Few things depend on context, like privacy, which strongly hinges on how people within various communities and other social organizations perceive it. While the need for privacy may be universal, the particularities of its social acceptance and articulation differ depending on cultural norms that vary among communities. Whitman succinctly captured the cultural cause of the diverse forms of privacy when he posited that “culture informs greatly the different intuitive sensibilities that cause people to feel that a practice is privacy invasive while others do not feel that way”. ¹

For example, in delineating the root cause of the differences in privacy expectations among Americans and Europeans, Whitman traces the emergence of the need for privacy among Europeans to the need for dignity, while for Americans, such a need emerged from the desire to express their freedom. By contrast, cultural practices in communities in other parts of the world may take a different view of privacy, such as the Japanese, who historically regarded privacy as a symbol of self-centeredness².

In Africa, the formal understanding of privacy is still evolving. Given the influential nature of European and American cultures and institutions to the current world order, their conceptions of privacy have been greatly relied on to characterize the need for privacy in Africa. 

This has not been without consequences for the recipient societies. In Africa, where the recognition of privacy did not emerge from the need to achieve dignity and liberty (two values that are elusive in most of Africa’s history), scholars³ who use the European or American concept of the term as an implicit frame of reference have concluded that the need for privacy was largely absent on the continent, especially when contrasted with communal concepts such as Ubuntu of South Africa which place the community before the individual. However, as privacy discussions continue to grow in prominence in Africa, the question of whether an African conception of privacy that takes into account the cultural nuances such as strong kinship bonds continue to emerge.

This blog seeks to explore the cultural underpinnings and evolution of privacy in Africa both by examining the historical and modern challenges to fully developing a notion of privacy that takes into account the distinctiveness of the communities in the continent and whether such a conception can exist. 

To do so, it begins with a discussion and critique of the dominant notion that was strongly held regarding the existence of privacy in Africa as well as the societal and historical context under which such a notion may have emerged. This is followed by an account of the events (historical and current) that have influenced the development (or lack thereof) of an African conception of privacy. Such an examination provides two key insights:

• There is anecdotal evidence that privacy historically existed in Africa, albeit in a subtle form. However, its full emergence may have been encumbered by external and internal influences that the continent was and continues to be subjected to.

• As a result, this context allowed for the dominant position (that privacy was largely absent in Africa) to take root. This, in turn, provided a vacuum that made adopting Western conceptions of privacy possible until now.

To conclude, the blog discusses whether a conception of privacy from an African perspective is even possible at this point and whether such a conception is needed given the previous hindered attempts at developing an African conception of privacy.

Dominant Discourse on Privacy in Africa

For a long time, it was claimed that privacy was not valued in Africa. This dominant position can be attributed to the misperception that the communal and collectivist nature of most traditional African communities that marked the pre-colonial era meant that there was no privacy. This stance implied that an individual could not order their lives without the consent of the community.⁴ In most traditional African societies, the idea of personhood based on individualism was seen as conflicting with accepted social norms, especially those that involved a shared sense of interdependence. For most communities, a person’s identity depended on the community identity. From this lens, the close kinship in most African societies appears from the most mundane aspects of life to the most complex issues such as communal land ownership. 

This understanding of communal life (and the secondary place of individualism) in Africa has influenced how privacy is understood in Africa. Indeed, when individualism forms the basis of the conceptualization of privacy, it is clear why many who adopt such a framework accept as true that privacy did not meaningfully exist in Africa. Privacy in a communal way of life was still not imagined and played a negligible role in how the early discourse around privacy and data protection evolved, which solidified the dominant discourse about Africa that still shapes some perceptions today. 

However, the idea that African societies lacked individualism (as one of the determinants of the need for privacy) and therefore did not meaningfully articulate a concept of privacy needs to be challenged. While it is still unclear on the extensive role individualism played in structuring social relations in these societies, there is evidence that it did exist in some form in pre-colonial Africa. For example, when communities grew and different interests emerged, the individual began to isolate against the collective. Family members would leave their communal ways of living in pursuit of self-reliance and personal initiatives. _{^{5 6}}  

Furthermore, the absence of information on the definitive nature of privacy in this era may also follow from how communities primarily passed down knowledge. In pre-colonial Africa, oral traditions held a major place⁷ as a means of disseminating information and communal customs. Traditionally, messages were passed down orally from one generation to another, often in the form of proverbs, songs, folktales and other narrations. Such messages helped people make sense of the world and were used to teach children and adults about important aspects of their culture, including privacy. For instance, the Agikuyu, an ethnic community in East Africa, have a proverb that speaks to the need to preserve privacy for matters of the home (“Cia mucii itiumaga ndira” – Home affairs must not go into the open).

However, weaknesses in record-keeping due to the dominance of oral traditions⁸ may have limited the availability of anecdotal evidence of privacy in traditional African communities and hampered efforts to formalize it into a more nuanced account of its evolution in the continent. Notably, such limitations in written evidence have also affected many other aspects of African society beyond privacy. One effect of this may be that certain cultural values were elevated beyond others, with the former being translated into laws. This could explain the absence of the right to privacy in the African Charter on Human and People’s Rights, while collective rights form a unique aspect of the Charter.⁹ Because of this, while African social order manifested features of individuality, communal living became more discernible than individualism to outside observers and consequently led to perceptions that privacy played little role in pre-colonial Africa. The arrival of colonialism reinforced these views, albeit in a different way, and greatly altered the indigenous development of privacy on the continent. 

Colonialism, Post-Colonialism, Independence, and Privacy

The colonial era was and remains an impactful period of time for most African communities in many ways, including privacy. The events of this period adversely affected any efforts to recognize privacy as a fundamental societal value. Colonialism began with the partition of Africa that gave rise to the formal geographical boundaries that currently exist. This gave new shape, meaning, and direction to the inherent kinship bonds within communities, which began to disintegrate as a result of colonial strategies such as divide and rule.

There was resistance to the colonial practices that set out to tear down the communal structures of the time.¹⁰ As the focus was on protecting the communal way of living, aspects of individualism discussed above seem to have remained intact within many communities.¹¹ From a privacy perspective, this was a conducive condition–as individualism among disrupted communities remained intact. However, the imperialistic circumstances of the time made it unlikely that privacy and its related value of autonomy would be asserted. The power imbalances that existed between the indigenous communities and colonial governments created an unconducive environment for the development of a shared understanding and rights-respecting notion of privacy.

Colonial administrations contributed to many gross violations towards the dignity of community members. For example, in Kenya, the British introduced in 1920 through the Native Registration Amendment Ordinance,  a means of identification, the Kipande system.¹² This involved the use of an identity document that contained the personal details, fingerprints, area of residence, and employment records of the holder–categories of information that modern privacy and data protection law considers personal and sensitive personal data. The identity document was issued to male Africans who worked in settler farms to administer a labor registration system. Holders of a kipande were required to wear it around their necks, clearly identifying their information and status as a farm worker to colonial administrators. 

At the time of its use, this paternalistic system caused an uproar and generated much resentment –both towards the oppressive means it embodied and the larger relationship between the settlers and Africans it represented.¹³ The holders viewed it as a symbol of humiliation and a loss of self-identity¹⁴, and many political associations of the time denounced it as a form of repression and control.¹⁵ Indeed, the Kipande system was a true reflection of the modern understanding of a surveillance system, one that could have generated concerns based on modern-day privacy principles.¹⁶ The fact that its opponents did not articulate their resentment around a conception of privacy reflects a missed opportunity for communities at the time to develop their own expectations of privacy. Intrusive identification systems still pose privacy challenges in many parts of the continent.   

Fast forward to when most African countries gained independence around the 1960s and 1970s. Independence created new legal structures such as Constitutions and Bill of Rights that were not indigenous to African communities. Prior to 1950, colonial administrations in many colonies did not consider Bills of Rights seriously, especially in those under British rule.¹⁷ This was primarily due to the official policy of rejecting a rights-based approach in constitutional ordering.¹⁸ For example, Ghana’s 1957 independence Constitution did not include a Bill of Rights. Nevertheless, there was emerging international consensus regarding human rights which began to create an atmosphere that was conducive to the adoption of Bills of Rights in the colonies post independence.¹⁹ Thus when the British government granted independence to these countries, the Constitutions were created with a Bill of Rights.²⁰ At the time Europe was ratifying conventions such as the European Convention on Human Rights and transposing similar principles to their colonies.²¹ The introduction of human rights to colonial dependencies saw the introduction of the right to privacy making it the initial formal reference to privacy in most African countries.

Privacy Interlude: The fall of Independence Constitutions, rise of authoritarian governments and the revival of constitutional arrangements

Soon after independence, the reins of leadership were handed over to the founding fathers of Africa. Under political pressure, these leaders abrogated the independence Constitutions on grounds that Western forms of government couldn’t flourish in Africa as they are based on alien principles.²² To be sure, the ambitions of those in power and the general geopolitical conditions of the time aggravated the failure of the Constitutions more than any intrinsic flaws in the Constitutions themselves.²³ Regardless, this saw parts of Constitutions, such as those guaranteeing privacy rights, eliminated. 

Later on, in the 1970s and 1980s, when economic crises hit Africa, Structural Adjustment Programs (SAPs) and stabilization policies for the purpose of economic development were introduced. SAPs involved the transfer of funds to different African economies tied to the fulfillment of certain conditions.²⁴ One of the conditions concerned the reinstatement of Bills of Rights, which in turn saw the reintroduction of the right to privacy in many Constitutions.²⁵

An African Conception of Privacy in the face of Globalization?

The period that followed has been crucial for privacy and data protection in Africa. As African societies became more active participants in the globalized world order, legal efforts to shape the perceptions of the need for privacy have increased in frequency and importance, as seen in the growing number of privacy and data protection laws. Privacy in Africa is now not only viewed through the lens of individualism (seen as gaining prominence over collective living). 

There are two main motivating factors for the expanded need for privacy. First, privacy is crucial to protect people from human rights violations resulting from technological advances. Second, privacy has emerged as a key requirement for Africa’s participation in the global digital economy. This desire to participate in global trade facilitated by information technology has influenced many countries to adopt a regulatory system that reduces legal hurdles and uncertainty.²⁶ In order to accomplish this, many African states have been inspired by privacy laws that have grown to represent internationally accepted best practices such as the OECD Guidelines on the Protection of Privacy and Transborder Data Flows, the defunct EU Data Protection Directive of 1995, and its modern version, the EU General Data Protection Regulation (GDPR), or Council of Europe’s Convention 108 and 108+. Bearing in mind the difference between privacy and data protection, information privacy in many countries is now protected under comprehensive data protection laws, while a handful of countries have made the distinction between privacy and data protection directly in their laws. This process has been aided by development partners such as the EU Commission under the HIPSSA-ITU project, which sought to harmonize information and communication laws in Sub-Saharan Africa and saw at least two regional data protection frameworks modeled from the EU Directive of 1995.

This process of transplanting the language and body of foreign privacy and data protection laws has dealt a serious blow to attempts to develop an African conception of privacy, notwithstanding the challenges of implementing such a transplanted structure. On the one hand, the source of the challenges of implementation is not clear. Could it be the introduction of laws that do not reflect our knowledge of and commitment to the underlying values or a mere lack of political will? Arguably, it may be too early to determine this as most laws are still nascent. On the other hand, transplanting can be defended in light of changing perceptions of privacy, as more Africans become aware of the need for privacy protection as a means to protect their dignity and defend their freedoms, especially from the excesses of governments. It is on this basis that many criticize existing privacy and data protection laws as containing illusory and ineffective safeguards.²⁷ 

Nonetheless, the infusion of indigenous aspects into privacy and data protection laws indicates that perhaps all is not lost. The Malabo Convention, the continental treaty on data protection and cybersecurity, contains provisions that mandate the recognition of communal rights in the creation of data protection laws.²⁸ Similarly, indications of class action suits (pointing to recognition of privacy violations affecting groups of people) that permit communities to assert their right to privacy can be found under SADC Model law of Southern Africa²⁹ as well as the ECCAS Model Law/CEMAC Directive of Central Africa³⁰. Such efforts elucidate the types of African cultural aspects that should be considered when implementing a privacy and data protection framework. However, this has not cascaded down into many national frameworks, which mostly rely on legal instruments adopted from Europe. 

Given the evolution of privacy in Africa, whether Africa will ever develop its own foundation of privacy or whether an African conception of privacy is necessary at this point remain open questions. Can the external and internal influences that Africa has experienced help define the socio-political foundations of privacy, like Europe and the U.S., whose values of privacy were founded on ideals with histories reaching back to the revolutionary era of the 18th century? Or has Africa leapfrogged into a conception of privacy that actually suits the stringent privacy requirements of the time? The jury is still out.

---

¹ James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty
https://www.yalelawjournal.org/article/the-two-western-cultures-of-privacy-dignity-versus-liberty

² Hiroshi Miyashita, The evolving concept of data privacy in Japanese law https://academic.oup.com/idpl/article/1/4/229/731520

³ Hanno Olinger, Western Privacy and/or Ubuntu? Some Critical Comments on the Influences in the Forthcoming Data Privacy Bill in South Africa, 2016 https://www.tandfonline.com/doi/abs/10.1080/10572317.2007.10762729 “Ubuntu can be described as a community-based mindset in which the welfare of the group is greater than the welfare of a single individual in the group.”

⁴ Alex B. Makulilo, African Data Privacy Laws https://link.springer.com/book/10.1007/978-3-319-47317-8

⁵ Ibrahim Anoba, A Libertarian Thought on Individualism and African Morality, https://www.africanliberty.org/2017/05/21/a-libertarian-thought-on-individualism-and-african-morality-by-ibrahim-anoba/

⁶ Adeshina Afolayan, Individualism, Communitarianism and African Philosophy: A Review Essay on Exploring the Ethics of Individualism and Communitarianism,   https://news.clas.ufl.edu/individualism-communitarianism-and-african-philosophy-a-review-essay-on-exploring-the-ethics-of-individualism-and-communitarianism/

⁷ Traces of written history can be found in African countries such as the great Timbuktu manuscripts of Mali https://artsandculture.google.com/experiment/the-timbuktu-manuscripts/BQE6pL2U3Qsu2A?hl=en

⁸ Acquinatta N. Zimu-Biyela, Taking Stock of Oral History Archives in a Village in KwaZulu-Natal Province, South Africa: Are Preservation and Publishing Feasible? http://www.scielo.org.za/scielo.php?script=sci_arttext&pid=S0259-94222022000300013&lng=en&nrm=iso

⁹ Article 17 (2), African Charter on Human and People’s Rights (1981). 

¹⁰ Barabra Potthast-Jutkeit, The history of family and colonialism: Examples from Africa, Latin America, and the Caribbean https://www.tandfonline.com/doi/abs/10.1016/S1081-602X%2897%2990001-4

¹¹ Walter D. Mignolo, How Colonialism Preempted Modernity https://www.tandfonline.com/doi/abs/10.1080/03086534.2011.598039?journalCode=fich20

¹² Jaap van der Straaten, Hundred Years of Servitude. From Kipande to Huduma Namba in Kenya  https://www.readcube.com/articles/10.2139%2Fssrn.3543457

¹³ Kipande Registration System (Kenya) https://api.parliament.uk/historic-hansard/commons/1946/jul/31/kipande-registration-system-kenya

¹⁴ Amos J. Beyan, The Development of Kikuyu Politics During the Depression, 1930-1939 https://www.jstor.org/stable/45193123

¹⁵ Idem

¹⁶ Howard Stein, Structural Adjustment and the African Crisis: A Theoretical Appraisal, https://www.jstor.org/stable/40325948

¹⁷ Charles O. H. Parkinson, Bills of Rights and Decolonization: The Emergence of Domestic Human Rights Instruments in Britain’s Overseas Territories,  https://academic.oup.com/icon/article/7/2/355/758671

¹⁸ Idem

¹⁹ Idem

²⁰ Idem

²¹ Idem

²² Victor T. Levine, The Fall and Rise of Constitutionalism in West Africa https://www.jstor.org/stable/161678

²³ Idem

²⁴ Howard Stein and Machiko Nissanke, Structural Adjustment and the African Crisis: A Theoretical Appraisal https://www.jstor.org/stable/40325948

²⁵ Nicola Gennaioli and Ilia Rainer, The Modern Impact of Precolonial Centralization in Africa https://www.jstor.org/stable/40216120

²⁶ See the HIPPSA-ITU project for Harmonization of ICT Policies in Sub-Saharan Africa

²⁷ Ogheneruemu Oneyibo, A Zimbabwean Data Protection Act to rule them all. Or not https://techpoint.africa/2021/12/17/zimbabwe-data-protection-act/

²⁸ Article 8(2), Malabo Convention

²⁹ Article 40, SADC Model law

³⁰ Article 38 ECCAS Model Law/ CEMAC Directive

FPF Addresses ‘Opt-Out Preference Signals’ in Comments on California Draft Privacy Regulations

Yesterday, the Future of Privacy Forum (FPF) filed comments with the California Privacy Protection Agency regarding the Agency’s initial set of draft regulations to implement the California Privacy Rights Act amendments to the California Consumer Privacy Act.

FPF’s comments are directed towards ensuring that both individuals and businesses have clarity for the implementation and exercise of consumer rights through an emerging class of privacy tools known as ‘opt-out preference signals.’

Specifically, FPF recommended that the Agency’s final regulations governing preference signals and the mechanisms that transmit signals (such as web browsers and plug-ins) include the following clarifications:

1. Resolve questions for the exercise of opt-out signals directed to websites while encouraging innovation in privacy controls for emerging digital and physical contexts.
2. Clarify business disclosures in response to signals to ensure that individuals have access to relevant information about the exercise of their privacy rights.
3. Encourage the development of signal mechanisms that allow consumers to exercise granular control of their privacy rights with respect to specific businesses.
4. Ensure that the use of preference signals objectively represents an individual’s intent to invoke their privacy rights.
5. Establish a multistakeholder process for ongoing Agency approval and review of preference signals and signal mechanisms.

New Report on Limits of “Consent” in Macau’s Data Protection Law

Introduction

Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the twelfth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in the Special Administrative Region of Macau, China (Macau SAR), including:

• notice and consent requirements for processing personal data;
• the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Macau’s Data Protection Landscape

The main data protection legislation in Macau SAR is the Personal Data Protection Act (Law No. 8/2005) (PDPA), which was significantly influenced by European data protection legislation, including Portugal’s Law No. 68/98 on the Protection of Personal Data, which implemented EU Directive 95/46/EC.

As such, the PDPA’s legal bases for processing personal data closely resemble those in the GDPR. These include consent, but also where processing is necessary:

• for the performance of a contract to which the data subject is a party; 
• to take steps at the request of the data subject when negotiating a contract;
• to comply with a legal obligation to which the controller is subject;
• to protect the vital interests of a data subject who is physically or legally incapable of giving consent;
• to carry out a task in the public interest or in the exercise of official authority;
• for pursuing the legitimate interests of the controller or a third party to whom the data is disclosed, subject to a “balancing test” between such interests and the fundamental rights, freedoms, and guarantees of the data subject.

The PDPA also empowers a public authority, the Office of Personal Data Protection (OPDP), to issue guidance on the PDPA, investigate possible breaches of the PDPA, and perform certain administrative duties, such as identifying jurisdictions which provide an adequate standard of data protection for purposes of cross-border data transfer. The OPDP has issued a number of guidelines on interpretation of the PDPA in different contexts, including several concerning the use of biometrics, as well as a large number of case notes from its enforcement actions.

Role and Status of Consent as a Basis for Processing Personal Data in Macau

Under the PDPA, consent of the data subject is one of several legal bases for processing both personal data and sensitive personal data. “Sensitive personal data,” refers to personal data:

• revealing a person’s philosophical or political beliefs, political association or trade-union membership, religion, privacy, and racial or ethnic origin;
• concerning a person’s health or sex life; or
• including a person’s genetic data.

Consent also functions as one of several legal bases for transferring personal data out of Macau SAR and can be used to legitimize transfer to a jurisdiction which does not ensure an adequate level of data protection as determined by the OPDP.

The PDPA defines consent of the data subject as any freely given, specific, and informed indication of the data subject’s wishes by which the data subject signifies agreement to processing of personal data relating to him/her.

For consent to qualify as informed, the data controller must provide certain information to the data subject either at the time that the data subjects’ personal data is collected or, if the personal data is to be disclosed to a third party, no later than the first time that the data is disclosed. This information includes:

• the identity of the data controller or its representative;
• the purpose of processing the personal data;
• any third parties to whom the personal data may be disclosed;
• whether the data subject is required to provide the data, and the consequences if the data subject does not provide the data; and
• the data subjects’ rights under the PDPA and how to exercise them.

Failure to comply with these notice requirements may give rise to an administrative fine under the PDPA.

In addition to these definitional requirements, the PDPA also requires that consent for processing and cross-border transfer of personal data should be “unambiguous” and that consent for processing sensitive personal data should be “explicit.” Failure to comply with requirements to obtain consent before transferring personal data out of Macau SAR may be subject to an administrative fine.

The PDPA imposes criminal sanctions on persons who access personal data without authorization or disclose personal data to third parties in breach of confidentiality obligations. These sanctions increase if certain aggravating factors are present, including where the wrongdoer benefits from such breaches.

Read the previous reports in the series here.

ETSI’s consumer IoT cybersecurity ‘conformance assessments’: parallels with the AI Act

In early September 2021, the European Telecommunications Standards Institute (ETSI) published its European Standard to lay down baseline cybersecurity requirements for Internet of Things (IoT) consumer products (ETSI EN 303 645 V2.1.1). The Standard is a recommendation to manufacturers to develop IoT devices securely from the outset. It also provides an internationally recognized benchmark – informed by several external sources, such as the interactive tool of the European Union Agency for Cybersecurity (ENISA) – to assess whether such devices have a minimum level of cybersecurity. 

ETSI’s Standard takes an outcomes-focused approach, providing manufacturers with the flexibility to implement the most appropriate security solutions for their products instead of being overly-prescriptive in terms of specific security measures. It aims to protect IoT devices against elementary attacks on fundamental design weaknesses, such as the use of easily guessable passwords.

A technical ETSI specification complements the Standard, providing manufacturers, developers, suppliers, and implementers with a methodology to conduct conformance assessments of their IoT products against the baseline requirements (ETSI TS 103 701 V1.1.1). According to the German Federal Office for Information Security (BSI), the specification “ensures that test results are comparable to the security characteristics of IoT devices. In this way, IoT-experienced persons are enabled to make a corresponding security assessment.” Testing according to the specification may serve as a pathway for manufacturers and providers to obtain security labels on their products, such as Germany’s IT Security Label, a process which the BSI opened for applications in December 2021 for two categories of products: broadband routers and email services.

Moreover, the framework published by ETSI may come to serve as the basis for a technical specification that the European Commission has requested ETSI to develop for “internet-connected radio equipment” under the Radio Equipment Directive (RED) and its recent Delegated Act, notably on what concerns the incorporation of network security, privacy, data protection, and fraud prevention features.

In this piece, we first summarize the Standard’s narrow approach to data protection requirements (Section 1). We then describe ETSI’s conformance assessment methodology (Section 2). Lastly, we explore whether we can draw a parallel or find synergies with the “conformity assessment” in the proposed AI Act (Section 3). In answering this question, this blogpost deems to highlight how the ETSI’s overall framework for IoT security conformance assessments compare with the AI systems conformity assessment requirements laid down in the European Commission proposal for an AI regulation. Such analysis is particularly relevant in light of the standardization request that the Commission has made to ETSI to operationalize certain requirements of the AI Act, and the latter’s calls for leaving important parts of the regulation – like the definition of Artificial Intelligence itself and the list of high-risk use cases – to technical standards.

This piece follows a previously published deep dive analysis of the “conformity assessment” in the AI Act and how it compares to the Data Protection Impact Assessment provided by the GDPR.

1. A narrow approach to data protection requirements

The Standard starts by non-exhaustively listing the categories of IoT products to which it applies. It is focused on consumer IoT devices that are connected to network infrastructure (such as the Internet or a home network) and their interactions with associated services, such as connected children’s toys and baby monitors, smart cameras, TVs and speakers, wearable health trackers, connected home automation systems, connected appliances (e.g., washing machines and fridges), and smart home assistants. Products that are primarily intended to be used in manufacturing, healthcare, or other industrial applications are excluded.

We remark that the references to personal data protection in ETSI’s framework are somewhat limited, even if it covers consumer-facing IoT products. The Standard takes a more comprehensive approach to device and information security. Regarding the security, lawfulness, and transparency of personal data processing through consumer IoT devices, the Standard recommends manufacturers to focus on deploying appropriate best practice cryptography to transfers of personal data between the device and associated services (e.g., cloud). On this point, particular emphasis is given to cases where the processed data is sensitive (e.g., video streams of security cameras, payment information, location and content of communications data). Note that the examples given of “sensitive” data in the Standard do not align with the types of data that are considered “special categories” under Article 9 GDPR. For instance, images captured by security cameras, payment, and location data do not inherently fall under said provision, unless they reveal or may reveal particularly sensitive data (e.g., a person’s health conditions, sexual orientation or political leanings). 

Manufacturers are expected to inform users clearly about different data protection aspects. We mention six of them: the external sensing capabilities of the device (e.g., optic or acoustic sensors); what personal data is processed (including telemetry data, which should be restricted to the minimum necessary for service provision); and – for each device and service – how the device or service is being used, by whom (e.g., by third parties, such as advertisers), and for what purposes.

Where consent is necessary for specific processing purposes, there should be a mechanism to seek valid consent from users and to allow them to withdraw such consent (e.g., through the device’s user configurations). Users should also be given an easy way (with clear instructions) to delete their data, including their details, personalized configurations, and access credentials. If users use this functionality, they should receive confirmation that their data has been deleted from services, devices, and apps. The confirmation is particularly important in cases of transfer of ownership, temporary usage, or disposal of the device.

Beyond the limited data protection-focused provisions, the Standard mainly recommends technical and organizational measures for manufacturers to attain an appropriate level of cybersecurity in the consumer IoT devices they design. These measures can include:

• Examining telemetry data (e.g., usage and measurement data) and validating input data to detect security anomalies and prevent potential gaps and weaknesses;
• The use of unique per-device password authentication mechanisms or even multi-factor authentication (MFA);
• Creating suitable policies and procedures for vulnerability reporting, monitoring, and timely response;
• Enabling secure software updates, which should be simple for the user to apply and automatically triggered whenever needed to prevent vulnerabilities;
• Implementing secure storage of sensitive security parameters and secure communications (e.g., through best practice cryptography and authentication); and/or
• Minimizing exposures to attacks, notably by reducing the unauthenticated disclosure of security-relevant information (e.g., software version) and only enabling software services that are used or required for the devices’ intended use.

2. ETSI’s “conformance assessment” methodology

ETSI’s August 2021 specification provides developers, manufacturers, vendors, distributors (i.e., Supplier Organisations, or ‘SOs’) with test scenarios that they can leverage for testing their new IoT products (“DUTs”, which stands for Device Under Test) against the baseline requirements set out in the Standard. 

SOs are required to request Test Laboratories (TL) – entities such as independent testing authorities, user organizations, or an identifiable part of a SO that carries out conformance assessments – to test the relevant product against the Standard. This means that the conformity assessment can either be led by a third-party (testing authority), second-party (user organization) or the SO itself (self assessment). Moreover, SOs should provide TL with all necessary information, including the Implementation Conformance Statement (ICS) and the Implementation eXtra Information for Testing (IXIT). Test Laboratories must operate competently to be able to generate valid results. The requirements for competence of TLs and independence of testing authorities acting as TLs are not developed under the ETSI framework.

Figure 1 contains a visual summary of the assessment procedure according to the specification. For brevity, we refer to the specification for the terminology.

Existing security certifications or third-party evaluations of the IoT device and/or its parts may be used partially as conformity evidence to complement or inform the assessment under the Specification. In this regard, the SO shall provide all necessary information (e.g., certification, certification details, and test reports) to verify the evidence to the TL.

3. Can we draw a parallel with Conformity Assessments under the AI Act?

In Section 3 we explore whether a conformity assessment performed under the proposed AI Act can be used to inform the conformance assessment of a consumer IoT device, or the other way around. For that, we first need to clarify the scope of the two assessments.

• The AI Act conformity assessment refers to high-risk AI systems, which we analyze in more detail in another dedicated blog post). ETSI’s conformance assessment refers to consumer IoT devices which are non-exhaustively listed under the Standard (ETSI EN 303 645 V2.1.1). 
• Under the AI Act proposal, a high-risk AI system is assessed in terms of its conformity to the requirements listed under Chapter 2 of Title III. These relate to the quality of used datasets, technical documentation, record-keeping, transparency, human oversight, robustness, accuracy and cybersecurity. Under ETSI’s conformance assessment, a consumer IoT device is assessed against the Standard (ETSI EN 303 645 V2.1.1), which is mainly cybersecurity-oriented.
• While the conformity assessment under the AI Act for high-risk AI systems will become legally mandatory for the systems’ providers once the final text is passed, ETSI’s conformance assessment is optional for IoT consumer products’ SOs, as it merely serves to attest the security and reliability of such products to consumers and other players on the market, and to obtain security labels on their products.

With regards to the latter distinction, it is worth noting that the requirement to carry out a conformity assessment applies to manufacturers of certain connected products. Manufacturers of “internet-connected radio equipment” under the RED’s Delegated Act are required thereunder to carry out a conformity assessment (Article 17), draw up an EU declaration of conformity, and affix a CE-marking (Article 10). Manufacturers can follow harmonized standards for conformity assessments to the extent these have been published in the Official Journal of the EU (see also, the European Commission’s standardization request). ETSI’s methodology remains optional for manufacturers of internet-connected radio equipment, even if it can be seen as a good guideline for the upcoming standards, and give them an advance start towards compliance with the RED and its Delegated Act. For completeness, we remark that the Delegated Act entered into force in January 2022 and will be enforceable by mid-2024.

A consumer IoT device under the ETSI framework and a high-risk AI system under the AI Act could co-exist if the following conditions are cumulatively met:

1. An IoT device which belongs to one of the devices non-exhaustively listed under the Standard is also covered by the Union harmonization legislation listed in Annex II of the AI Act Proposal (e.g., connected children’s toys);
2. The IoT device embeds an AI system which functions as a safety component of the device; and
3. The device as a whole requires a third-party conformity assessment under the New Legislative Framework legislation listed in Annex II of the proposed AI Act.

We further note that, in theory, high-risk AI systems “intended to be used for the ‘real-time’ and ‘post’ remote biometric identification of natural persons” – covered by the AI Act’s list of high-risk AI systems under Annex III (point 1) – can be integrated into a consumer IoT device (e.g., authentication through iris scan in a smart TV, or through voice recognition in smart home assistants). 

In these cases, the provider of the AI system shall either: (i) carry out a first-party conformity assessment, provided it has applied harmonized standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41 AI Act; or (ii) involve a third-party (notified body) in its conformity assessment. This means that where “the provider has not applied or has applied only in part harmonized standards referred to in Article 40, or where such harmonized standards do not exist and common specifications referred to in Article 41 are not available, the provider shall follow” the third-party conformity assessment route. Thus, until such approved harmonized standards or common specification become available, third-party conformity assessments will remain the rule for ‘real-time’ and ‘post’ remote biometric identification AI systems which are not strictly prohibited under Article 5 of the AI Act Proposal. 

For more details on when a high-risk AI system is subject to a first- or third-party conformity assessment, you can read our earlier blog post here.

If the above conditions are met, the IoT device embeds a high-risk AI system and thus both assessments (under the AI Act and the Standard) are triggered, even if – as previously mentioned – ETSI’s conformance assessment is optional for SOs. Then the question of how the two assessments relate becomes relevant. According to the AI Act, compliance of the high-risk AI system with specific requirements should be assessed as part of the conformity assessment already foreseen for the IoT device (see Recital 63 and Art 43(3) AI Act). Furthermore, according to Article 24 and Recital 55 of the AI Act, it is the manufacturer of the IoT device that needs to ensure that the AI system embedded in the IoT device complies with the requirements of the AI Act. 

It is possible that a device manufacturer may use a high-risk AI system already placed on the market by another supplier. In case the AI system has gone through a conformity assessment, then the IoT device manufacturer could use the existing assessment as a building block to perform the conformance assessment of the IoT device under ETSI’s methodology. This becomes particularly relevant given the fact that the proposed AI Act contains requirements for high-risk AI systems that resemble some of the ones contained in the ETSI European Standard. Most notably, these include requirements relating (1) to the automatic recording of events (‘logs’), (2) the transparency towards users, and (3) ensuring an appropriate level of accuracy, robustness, and cybersecurity. The latter requirement includes ensuring that the AI system is:

• resilient as regards errors, faults, or inconsistencies that may occur within the system or the environment in which the system operates;
• robust, which may be achieved through technical redundancy solutions, including backup or fail-safe plans; and
• tamper-proof, in the sense of protected against attempts by unauthorized third parties to alter their use or performance by exploiting the system vulnerabilities. 

In a different perspective, what is the practical effect on compliance with the AI Act’s requirements if a provider of a high-risk AI system embedded into a consumer IoT product passes the ETSI conformance assessment before it fulfills its conformity assessment obligations under the AI Act Proposal? By using the ETSI Standard, the manufacturer can benefit from the partial presumption of compliance with the Article 15 cybersecurity requirements set by Article 42(2) AI Act, as the Standard’s statement of conformity covers part of those requirements, as we have explained above. 

Moving forward, it will be interesting to see whether more standards bodies will work on technical specifications that may be leveraged when carrying out conformity assessments under the proposed AI Act, as ETSI did for manufacturers of consumer IoT products. It will also be relevant to see whether the ETSI framework’s requirements are transposed into a technical standard for internet-connected radio equipment’s conformity assessments under the RED, and to keep up with the developments in the European Commission’s intention to propose a Cyber Resilience Act for IoT products that fall outside of the RED’ Delegated Act. The latter initiative intends to protect consumers “from insecure products by introducing common cybersecurity rules for manufacturers and vendors of tangible and intangible digital products and ancillary services”. 

Further reading:

• Introduction to the Conformity Assessment under the draft EU AI Act, and how it compares to DPIAs
• Standardisation body calls for AI definition, categorisation to be decided as standards – EURACTIV.com