At a glance.
- Privacy legislation revisions in Australia and India.
- Recent actions in data handling regulation in the EU.
- US HHS issues healthcare cybersecurity guidance.
Privacy legislation revisions in Australia and India.
Australia’s Attorney General Mark Dreyfus on Monday announced that the country’s Privacy Act will be undergoing significant updating. The Attorney General’s Department recently conducted a review of the legislation, and the report indicates that the Privacy Act is out of date and not in keeping with recent digital innovations. Dreyfus says Australians can expect a raft of European-style privacy updates, including the addition of measures regarding the right to be forgotten and the right to sue for privacy breaches. “I’ve already brought in … substantial increases to penalties which I hope has sent a message to corporate Australia that they have to take more care about the privacy of Australians … about the data of Australians that they have in their custody,” Dreyfus told the Guardian. “Those changes should have been implemented years ago.” When discussing the right to be forgotten, he referenced the EU’s General Data Protection Regulation (GDPR) as a prototype. Dreyfus stated, “There’s a range of reforms [that] have already occurred in a number of developed countries particularly in the EU and obviously the reforms that were created by the general data protection regulation … are among the matters that will need to be considered.”
Meanwhile in India, lawmakers are working on their own privacy legislation, the Digital Personal Data Protection Bill. A draft of the new bill was submitted last year, and in December the Observer Research Foundation (ORF), an independent global think tank based in Delhi, gathered representatives from tech companies, civil society, consultancies, and academia to discuss the bill’s contents. As the ORF outlines, the three main themes discussed were data collected by third parties for use by the government, the categorization of sensitive personal data (which was removed in the latest draft), and localization and cross-border data flows. Based on these roundtable discussions, ORF has submitted recommendations to the Ministry of Electronics and Information Technology.
Recent actions in data handling regulation in the EU.
JD Supra reports that Ireland’s Data Protection Commission (DPC) has issued Meta Ireland with two fines for breaches of the GDPR linked to advertising on Facebook and Instagram. The complainant argued that by giving users a binary choice between accepting Facebook’s new Terms of Service or deleting their accounts, Meta was using forced consent in order to gain permission to access user data. Facebook has been fined €210 million and Instagram €180 million, and Meta has been given three months to amend its policies in order to comply with the GDPR. The decision could serve as a warning to other tech giants to reevaluate their data handling practices.
The New York Times offers an in-depth look at how the Dutch Data Protection Authority (DPA) is cracking down on violations of the GDPR by Big Tech. In 2021, privacy consultants found that Google’s education apps, used by over 170 million students and educators worldwide, lacked a number of required privacy features to protect student and teacher personal data. When Google failed to fully comply, the Dutch DPA drew a line in the sand by stating that Dutch schools would stop using the tech giant’s tools if the company failed to make the necessary changes. Google developed measures to address the Dutch DPA’s concerns and plans to launch them later this year, demonstrating how the Netherlands’ strict approach to data handling regulation could be a driver for change.
GamesIndustry.biz reports that the European Parliament will be adopting a recent report calling for the European Commission to address privacy issues in the games industry. Led by MEP Adriana Maldonado López, the report listed more than a dozen recommendations for privacy regulation reform in the games sector, including coordinated rules across the EU to clarify game content, and features to help parents better oversee how much time and money their children spend on games. In particular, the report highlighted the Pan European Game Information (PEGI) age rating system, which is currently legally required in only a portion of EU markets.
Chris Denbigh-White, Security Strategist at data protection firm Next DLP, offered some thoughts on the regulatory issues involved, and their implications for organizations.
"Some companies' focus in implementing controls in support of GDPR has appeared to place a greater emphasis on the justification of the collection of personal data and less on the retention and protection of it. As long as they were able to 'legally' have the data then they were very happy indeed. The recent high-profile fines handed out for GDPR non-compliance are a stark reminder that GDPR regulations apply not only to data collection but also to the entire lifecycle of data, including retention, processing and security. Interestingly, the introduction of GDPR does not appear to have slowed the capture and monetisation of personal data. As the amount of personal data being collected and stored by companies continues to grow, the risk of that data being misused or mishandled also increases. This has led regulators to take a more proactive approach in enforcing GDPR in order to better protect the personal data of individuals and prevent future breaches.
"Regulators in charge of data security are shifting from a passive to a more active stance in enforcing GDPR compliance. In the past, companies were able to claim compliance by simply stating that they had 'controls' in place. This represented in a lot of ways a sort of 'honesty bar' of compliance. With the rise of data breaches and cybercrime, regulators have come under pressure to hold companies accountable for their failures in protecting personal data. They are beginning to demand to see concrete evidence of the effectiveness of their data security controls. This shift has enabled an increase in regulatory staffing and resources, which allows regulators to take a more thorough and critical look at companies' data security practices. As a result, companies will need to not only demonstrate their controls but also prove the robustness of those controls to pass the regulator's scrutiny. The 'straw-man controls' of yesterday simply do not work and under the increasingly staffed and empowered glance of regulators they show themselves to be what we may have suspected all along. They are wholly unacceptable and not fit for purpose.
"Companies who truly wish to act as guardians of personal data need to embrace that with great volumes of data comes great responsibility (and with it greater potential liability!)."
US HHS issues healthcare cybersecurity guidance.
Lexology reports that last month the US Department of Health and Human Services (HHS) published “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), a four-volume cybersecurity guide for healthcare organizations. The product of a government-industry collaboration mandated by the Cybersecurity Act of 2015, the HICP covers enterprise-level information security from a comprehensive viewpoint, unlike other guidance focused mostly on personally identifiable health data. HHS says the document consists of “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes.” While the recommendations it contains are just that – recommendations – and not mandates, the goal is to provide a reference point for the health sector, which has increasingly become a target for cybercriminals.