What Can the California Privacy Protection Agency Learn From Europe?

Fox Rothschild LLP
Contact

Fox Rothschild LLP

What can the California Privacy Protection Agency learn from the EU experience as it gets ready to draft regulations regarding DPIAs? Here is a recap of my remarks from the CPRA Regulations Stakeholder Session:

1) Don’t reinvent the wheel: Lean on the specificity in the VA and CO laws as a start, and on the detailed work that has been done in the EU.

  • This is faster to get off the ground and in front of companies looking to comply.
  • It also provides more legal certainty, and is helpful to multinationals who can leverage EU work they have done.

2) Provide clear guidelines for when a DPIA is needed.

  • Provide a decision tree if possible.
  • Don’t be too specific. (For example: The European Data Protection Board rejected a member state blacklist that required a DPIA just for processing sensitive information or cross border transfer
  • Consider also providing a “white list” where a DPIA would not be needed.
  • Provide guidance on when to revisit the DPIA (eg. technological advances, changes in processing, post M&A acquisition).
  • Define the input that service providers can provide to assist the business. (Consider issuing guidance encouraging/expecting assistance from the large providers – especially for transparency.)
  • Provide guidance on how to integrate with other risk assessments.

3) Provide clear, but not too complicated, guidelines for how to carry out a DPIA.

  • Leverage the EU Models: ICO, CNIL (with the taxonomies), NL, ES, DE, and/or ISO 29134 (updated).
  • Leverage ISMS and built the Privacy MS on top.
  • Land somewhere between UK and Germany.
  1. ICO – Very easy to read the model, but there may be issues with wrong implementation (proportionality/necessity assessment component is open ended).
  2. Germany – Very complex and detailed model which maps the TOMs to the risks. This is helpful, but there should also be an SME friendly model.
  • Provide guidance re: risks to consider: Leverage existing harms and risk taxonomies.
  • Provide guidance on how to carry out the process: For example, a 3D model that requires you to break the processing down into phases (like: storage, use, modification, sharing) and assets (software, hardware, employees, recipients). And for each phase/asset, assess the likelihood and severity of an infringement of the relevant data protection principles.
  • Provide guidance on the process itself and the relevant stakeholders within the company and outside (e.g involving the individuals impacted).
  • Provide options/guidance for SMEs.
  • Provide/source recommended DPIAs (e.g. in difficult areas like Algorithm impact assessment as discussed by the EU AI Act), which will allow companies to check whether a DPIA was performed in a similar case (The Commission Nationale de l’Informatique et des Libertés (CNIL) has a number of sample analyses. Data Protection Commission Ireland also has recommended a few as “gold standard.”

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Fox Rothschild LLP

Written by:

Fox Rothschild LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide