Businesses collecting and processing personal information are at extreme risk. July 2021 was particularly concerning: Amazon was fined a record $886.6 million for allegedly violating the European Union’s General Data Protection Regulation (“GDPR”), while TikTok was fined 750,000 euros ($885,000 US) for failing to post its privacy statement in Dutch. The reality is that data protection authorities are becoming more active in enforcing data protection regulations, and they are not going to slow down.
Advisori is in the business of privacy risk management, and our clients seek guidance on how to effectively manage their privacy risks using their available resources. One of the most frequent questions we get is whether or not the business is required to appoint a data protection officer (“DPO”). The legal answer to that question is relatively straightforward, as outlined by Article 37 of the GDPR: if a business collects data of European citizens and any one of the following applies, the appointment of a DPO is a regulatory requirement:
For organizations that are not legally required to appoint a DPO, we suggest that they should still consider doing so where the business handles personal information, especially that of European citizens. For instance, Article 37 dictates that the DPO should be a subject matter expert in the realm of data protection law and practices. A DPO is also responsible for staying abreast of the corporate privacy policies and procedures to fully comprehend how data is being collected, used, shared, and retained by the business. Moreover, as Article 39 lays out, the DPO serves as the liaison between the business and regulatory authorities. Finally, and maybe most importantly, a DPO interacts with data subjects by both servicing their data subject access rights requests and answering customer questions related to how the business collects, processes, and protects personal information.
An experienced DPO serves a critical risk mitigation function. As international and state privacy laws become more prevalent and as privacy regulators take a more aggressive position on enforcement, businesses must navigate a complex and ever-changing regulatory landscape (consider the adoption of the GDPR and the ever-expanding list of jurisdictions that are adopting the same or similar data privacy protections). A DPO can significantly reduce privacy risk by advising the business on data protection best practices, managing critical operational data protection activities like data security assessments and audits, as well as providing employees with data protection education, training, and strategies.
However, the DPO is not just an “insurance policy.” Having a DPO sends a strong message to the marketplace that the business takes data privacy and protection seriously. In a tightening competitive landscape, that difference could be critical for any business because customers are demanding that businesses respect and ensure their privacy.
In sum, a DPO serves as the face of a business's data protection program by ensuring critical regulatory compliance and by demonstrating, to data protection authorities and to the public, that the business is serious about data protection and customer privacy.
California citizens continue to demand privacy. On November 3, 2020, a majority of California voters approved Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”), further expanding California’s existing California Consumer Privacy Act (“CCPA”). California’s new enforcement body, the California Privacy Protection Agency (“CPPA”), will begin the process of adopting revisions of the CPRA starting July 1, 2021, and concluding on July 1, 2022. The CPPA operates as an independent overseer of the CPRA and is tasked with both enforcement of the CPRA and information and outreach to ensure that businesses and consumers are informed of their rights and obligations. While the original enforcement arm of the CCPA was the California Attorney General, the CPPA augments that core function with the addition of an educational outreach program (see “What is the California Privacy Protection Agency” at IAPP.org).
Additionally, each iteration of the CPRA will follow the normal agency process and will be subject to a comment period prior to adoption. The final CPRA version becomes enforceable on July 1, 2023. This two-year enforcement delay will provide affected businesses with valuable time to prepare for the new requirements imposed by the final CPRA. It is expected that the specifics of key provisions, including opt-outs, the timing and frequency of consumer correction requests, and whether the look-back window extends beyond 12 months, will all be handled during 2021 and 2022 under standard agency rulemaking procedures.
While businesses prepare for the CPRA enforcement date, it is important that those in charge of compliance keep in mind that the CCPA will continue to govern California residents’ privacy rights in the interim. Accordingly, those affected businesses that are not yet compliant with the CCPA should begin their privacy compliance journey there, as CCPA enforcement will likely ramp up. For instance, the California Attorney General’s office has been sending out CCPA “Notices to Cure” since mid-2020; any entity receiving such a notice has a 30-day window to remedy any claimed violation.
For those businesses that have CCPA privacy programs in place, their efforts have not been in vain since the CPRA is a revision and expansion of the existing CCPA framework. In sum, the CPRA is less revolutionary and instead, more evolutionary.
Businesses operating in California, no matter their current privacy posture, should consider the following questions:
Obviously, the first step a business should take is to determine whether it is subject to the CCPA, the CPRA, or both. If a company “does business in the State of California and a) has annual gross revenues of more than $25 million or b) alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or c) derives 50% or more of its annual revenues from selling consumers’ personal information (“PI”),” then the business is governed by the CCPA.
The CPRA, on the other hand, is more favorable to small businesses in that it amends section b) above by increasing the threshold for “consumers” or “households” to 100,000 and omits the “devices” category. The key point here is that small businesses currently governed by the CCPA may be freed from privacy compliance obligations when the CPRA goes into effect on July 1, 2023.
The CPRA imposes an affirmative duty on a covered business to inform consumers “at or before the point of collection” of 1) the categories of personal data being collected on them; 2) the purpose for which the company will use this personal information; and 3) whether such personal information will be sold or shared. Also critical, should your business change or modify the use of any collected personal information, it must give notice to the affected individuals of this change.
The issue of “consent” is somewhat ambiguous; the CPRA uses a GDPR definition of consent: “…freely given, specific, informed, and unambiguous indication of the consumer’s wishes…” The CPRA goes even further by expressly prohibiting the use of “broad terms” when requesting consent, or assuming consent where a consumer simply hovers over a website consent button or merely closes a consent pop-up. Essentially, the consent requirements in the CPRA are largely analogous to those under Article 4 of the GDPR; however, the regulations outlining how the CPRA will interpret “consent” are still fluid as the CPRA undergoes the rulemaking process throughout 2021.
Considering how the GDPR definitions have been historically interpreted, however, businesses can expect that “freely given” consent means the consumer must be given an actual choice. In other words, cookie walls or take-it-or-leave-it clickthroughs will likely not be sufficient. Furthermore, businesses must make the option of revoking previously given consent as simple as it was for the consumer to provide it. “Specific and Informed” means that entities must advise consumers of what data is being collected on them and how the business intends to use this data at a granular level. Finally, “unambiguous” consent requires an affirmative action by the consumer and cannot merely be some default or pre-selected items on a form. For now, it appears that the consumer must take an affirmative act to properly indicate her consent.
The CPRA expands California’s governance of PI to the sharing of personal information, not just selling it. The CPRA defines sharing as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Under the CCPA, businesses sharing information in exchange for either money or other “valuable” consideration must only provide consumers with an opt-out notice. The CPRA goes further: businesses “sharing” PI must provide consumers with the means to opt out of the sharing of their PI, whether or not the business derives financial benefit from the sharing.
However, it is important to note that disclosures to service providers or contractors (many online advertisers, cookie providers, etc., fall within this category) do not constitute “sharing” and are not covered by this requirement.
The CCPA currently requires businesses to provide consumers with “two or more designated methods for submitting requests for information” about the data collected on them, including a toll-free number. The CPRA expands consumer privacy requests to PI deletion and correction. If the business has a website, it must allow consumers to submit information access requests through its website. As further addressed below, the CPRA will expand the consumer’s right to control her data using company websites.
The CPRA has an entirely new data classification: sensitive personal information, which includes passport numbers, driver’s license numbers, and social security numbers; credit card numbers accompanied by secondary access codes (e.g., PINs or CSCs); precise geolocation data; demographic information (such as religion, race, ethnicity, biometric data, and sexual orientation); and content data (mail, e-mail, SMS messages) where the business is not the intended recipient. Where a business does collect such sensitive personal information, it must post a “Limit the Use of My Sensitive Personal Information” link on its website, giving consumers the right to limit the use of this data to the extent needed to perform the core services or deliver the goods purchased.
As indicated above, the CPRA is both a revision and expansion of the CCPA. While affected businesses have a two-year window to prepare for CPRA enforcement, they cannot forget the obligations and penalties associated with CCPA. For more information, please contact us at email@example.com.
Since the United Kingdom’s departure from the EU, ADVISORI has received multiple inquiries from UK based organizations regarding Brexit’s impact on the application of Article 27 of the General Data Protection Regulation. We offer this guidance to assist those organizations with Article 27 compliance.
Setting aside Brexit, we have found that Article 27 is often overlooked or misunderstood due to Article 37’s data protection officer requirement. While complementary, the roles and responsibilities identified in these two articles are quite different. For instance, a data protection officer must operate within the highest levels of the company to educate the organization on data privacy and protection regulations; identify existing privacy risks; develop, implement, and maintain effective risk mitigation strategies; achieve overall compliance with data privacy requirements; and work with both data subjects and data protection authorities to ensure that private and sensitive data is properly collected, processed, and destroyed when necessary.
In contrast, the Article 27 data protection representative serves primarily as the front-line contact for the organization and “…should perform its task according to the mandate received from the controller or processor, including cooperation with the competent supervisory authorities with regard to any action taken to ensure compliance with [the GDPR].” (See Recital 80 of the GDPR).
In sum, the DPO should be proactive in organizational data protection activities while the representative is more reactive to data subject and data protection authority inquiries and requests.
Article 27 requires organizations based outside the European Economic Area (EEA) processing personally identifiable information belonging to EEA residents on a “large scale” or those processing “special categories of data” or both, to appoint a data protection representative as described above.
Prior to Brexit, these organizations could appoint a single representative, as the UK was a member of the EEA. Post-Brexit, organizations based outside both the UK and the EU may have an obligation to have multiple representatives. For instance, if a non-UK/EEA organization collects or processes data belonging to UK residents, it will be required to have a UK representative. If this same organization also collects or processes data belonging to residents of the EEA as now constituted, it may also be required to appoint additional representatives in one or more of the EEA member states.
Adding to the complexity, the Irish Data Protection Commission (DPC) has suggested that using a single person serving as both data protection officer and data protection representative could give rise to a conflict of interest. Best practices dictate that the roles should be separated.
Despite the complications identified above, any organization dealing with either UK or EU data must act. As of the date of this publication, May 12, 2021, the Dutch DPA has already imposed a €525,000 fine on an organization operating in the EU for failure to appoint a data protection representative.
For assistance with determining your organizational needs relating to Article 27, please contact us at firstname.lastname@example.org.
Earlier this month, the International Association of Privacy Professionals (IAPP) released a chart outlining the necessity of a data protection officer (DPO), or of a similar role, on a per-country basis for organizations processing personally identifiable information (PII). There are several important take-aways: (1) the chart specifically identifies countries that require a DPO (although best practice makes it prudent to consider appointing a DPO even where it is only "recommended" and not necessarily "required"); (2) privacy regulations are rapidly evolving and growing around the world, and the trend is towards increasing privacy safeguards for consumers; and (3) global organizations are under increasing privacy pressures and should consider company-wide adherence to the "most restrictive" regional DPO requirement imposed on them to best ensure overall privacy regulatory compliance.
As evidenced in the IAPP’s DPO Chart, the necessity for and responsibilities of DPOs vary greatly from country to country. For instance, in the European Union (27 Member States), the DPO must be either a contractor or an employee of the business, should possess expert-level knowledge of data protection law and practices, and must report to the "highest management level." In the United States, DPOs must be competent in federal laws containing privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), and in the growing body of state privacy laws and regulations (e.g., California’s and Nevada’s more stringent privacy protection laws). Finally, in China, a business is legally required to appoint a DPO who must have both management and data protection expertise and must report directly to the principal of the organization.
In sum, the IAPP’s DPO Chart underscores that a DPO is far more than just a checkmark for an organization to demonstrate compliance. Certainly, failure to appoint an adequately experienced DPO can result in significant monetary penalties. However, an experienced DPO with a solid understanding of the business’s data collection and use processes can provide the business with a competitive advantage as more and more customers are growing increasingly concerned about how their personal information is gathered, processed, transferred, and stored.
For more information about how ADVISORI can help, please see our previous blog post at: https://advisori.com/blog/the-outsourced-data-protection-office/.
To view IAPP’s DPO Chart, please go to:
This past November, the Federal Trade Commission (“FTC”), often referred to as “America’s top cop on the privacy beat,” entered into a settlement agreement with Wall Street darling Zoom Video Communications, Inc. The FTC set its sights on Zoom earlier this year complaining that Zoom engaged in “Deceptive and Unfair Privacy and Security Practices.” More specifically, the FTC alleged:
The FTC challenged Zoom’s above assertion, alleging that Zoom falsely claimed to use 256-bit end-to-end encryption on its Zoom meetings platform when, in fact, Zoom only applied this heightened level of encryption to meetings hosted within Zoom’s “Connector” product. All other meetings were encrypted with a lower and much less secure (128-bit) level of encryption. Some recorded meetings were even stored unencrypted on Zoom servers for up to 60 days. According to the FTC, Zoom had access to the cryptographic keys of some of its servers, even some sited in China, which would allow Zoom to access the content of its customers’ recorded Zoom meetings. Zoom’s failure to implement end-to-end protection left meeting data accessible to platform providers like Zoom, in addition to the senders and intended recipients of such data.
The FTC further alleged that Zoom failed to consistently safeguard against data security issues on its platform, to conduct routine checks of software applications for security vulnerabilities and abnormal activity, and to implement streamlined incident response procedures. Finally, the FTC deemed Zoom’s undisclosed installation of the ZoomOpener software on Apple computers, an installation which circumvented Apple’s malware protection safeguard in Safari browsers, a deceptive and unethical practice due to the lack of customer disclosure.
In accepting a settlement, Zoom agreed to comply with a number of FTC demands. Provision I of the settlement prohibits Zoom from “misrepresent[ing] in any manner, expressly or by implication” its data collection activities, security features, user controls, and the extent to which Zoom maintains the confidentiality of secure information.
Zoom must further “establish and implement a comprehensive Information Security Program” within 60 days of the settlement. Such a program, pursuant to Provision II, must implement and document important safeguards for data security, including a comprehensive security review by Zoom personnel, a vulnerability management program (which must include quarterly vulnerability scans), secure login enhancements, and clear incident response protocol. Furthermore, Zoom is ordered to conduct routine testing of its security safeguards.
In Provision III, the FTC orders Zoom to obtain initial and biennial third-party assessments of its Information Security Program to determine Zoom’s adherence to the requirements enumerated in Provision II. Such assessments must “identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program” and denote the specific evidence used in reaching these conclusions.
Other key provisions (IV and V, respectively) order Zoom to cooperate with third-party assessors and require annual certification from Zoom’s senior corporate management. Provision VI of the settlement further requires Zoom to report covered incidents in a timely manner (within 30 days of the incident) and to fully disclose all relevant details.
Notably, FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented from the settlement, arguing it did not provide consumers harmed by Zoom’s data security issues with a sufficient remedy. Both dissenting Commissioners called for the FTC to restore its credibility as a law enforcement agency and to strengthen measures that will discourage companies handling sensitive customer data from engaging in deceptive practices. Commissioner Slaughter notably pointed out that Zoom violated consumer privacy in addition to broader data security requirements and that the company should be held accountable as such.
The Zoom settlement provides an important learning opportunity for companies across the globe. First, companies must give priority to developing a robust data privacy program and training employees to fully understand the importance of complying with such programs. Second, companies must deploy resources capable of adequately responding to security breaches such as breach detection technologies and related incident response procedures that can detect, eradicate, and remediate data security incidents in a timely and effective manner. Third, companies should consider working with third party security experts to conduct routine data security checks to search for and detect security vulnerabilities before malicious or negligent actors can cause significant harm to company data.
Despite the arguably light consequences of Zoom’s FTC settlement, the dissenting Commissioners’ arguments, and popular sentiment surrounding the importance of consumer data privacy indicate that future data security violations may face harsher sanctions. Thus, it is more important than ever for companies to protect their users’ data in order to maintain a secure network, thereby building consumer trust and achieving regulatory compliance.
The first step to building an effective data protection and privacy program is accurate and comprehensive Data Intelligence. This means locating, identifying, and cataloging organizational data. Even the largest and most profitable companies often struggle with understanding what type of data they hold and where that data sits.
For instance, personally identifiable information (“PII”), electronic personal health information, and sensitive data often sit in and flow through hundreds, if not thousands, of both structured and unstructured data stores. Moreover, original data is often duplicated many times over and stored in different databases. Determining data lineage is almost impossible without the benefit of the proper technology.
To effectively protect what data an enterprise has, it must first know what data it holds.
The second critical step is accurately categorizing organizational data. For instance, under the General Data Protection Regulation (“GDPR”), “sensitive” data must be treated differently than even PII.
The third crucial step is a risk identification and reduction strategy. Depending on the type and location of the data, certain data privacy and protection laws should dictate the enterprise risk strategy. The company’s Information Security and Privacy Program should be premised upon all governing rules, regulations, and laws to ensure not only data protection, but also legal compliance.
Our data protection and privacy experts can assist any enterprise, no matter its industry or location, with building and maintaining an effective and sustainable data protection and privacy program. We begin with a tailored and structured assessment process. The format of the assessment depends on the security and privacy laws and regulations relevant to our client. Our team, using our state-of-the-art assessment platform, will handle the entire process, from identifying relevant stakeholders, disseminating our electronic assessments, conducting interviews, and gathering all necessary documentation and artifacts, to assessing responses. From there, we provide our client with an actionable plan and timeline for the program build. We also have the people, processes, and technology to build, operate, and maintain data protection and privacy programs, freeing our clients to focus on their core business.
Please visit us at www.advisori.com to learn more and to speak with our data protection and privacy experts.
The COVID-19 pandemic has undoubtedly wreaked economic havoc on the travel and tourism industry. Hospitality has been hit especially hard, resulting in catastrophic revenue loss, unparalleled hotel shutdowns, and employee furloughs and layoffs. Remarkably, China appears to be the industry’s proverbial light at the end of the tunnel. For instance, hotelier behemoth Marriott International Inc.’s third quarter profits have been buoyed by quickly recovering occupancy levels in China. Marriott’s third-quarter 2020 results released on November 9, 2020, indicate that Marriott’s Greater China region operations reached 61% room occupancy, just a 10-percentage point decline from a year ago. The all-important metric of Revenue Per Available Room rebounded to $63.05, down just 26% from last year.
Notably, the hospitality industry anticipated China’s economic value well before the pandemic and invested heavily in the market. For instance, in 2017, Hilton Worldwide embarked on an ambitious plan to increase their presence to 1,000 operating hotels in China by 2025. Since the U.S. continues to struggle with containing the virus, China’s economic promise is even more critical to the hospitality industry’s survival.
However, with opportunity comes risk. China, like the rest of the globe, is increasingly focused on the security and privacy of its citizens’ personal information. This is evidenced by the Chinese government’s rapidly evolving cyber security and data privacy legislation. For instance, in November 2016, the National People’s Congress passed China’s Cyber Security Law (CSL). Ostensibly, the CSL was designed to enhance network security by requiring “critical information infrastructure operators” to store their data within mainland China and to allow government agencies to conduct security checks.
This past summer, the Chinese government issued its Draft Data Security Law (DSL), which further emphasizes the importance of safeguarding data security. More specifically, the DSL requires entities collecting personal information on Chinese citizens to have sufficient technical and legal security measures in place to protect personal information from unauthorized access.
Most recently, China released its Draft Personal Data Protection Law (PDPL). The PDPL largely echoes the EU’s General Data Protection Regulation. Like the GDPR, the PDPL emphasizes core data protection principles like individual rights, data classifications such as “sensitive personal information,” and data minimization. The individual rights granted to Chinese citizens by the PDPL are almost identical to those of the GDPR, including the right to know, access, copy, correct, and delete one’s personal information. Also similar, personal information handlers are required to appoint data overseers responsible for safeguarding personal information.
The PDPL does, however, vary from the GDPR in both minor and significant ways. For instance, the PDPL uses “handlers” to refer to data controllers or processors and “data handling” instead of data processing. Similar to the GDPR, handlers must notify individuals and provide the handler’s identity and contact method, the purpose of handling, categories of personal information, the retention period, and the methods available for individuals to exercise their individual rights.
Another variance between the PDPL and the GDPR is that the former does not differentiate between a data “controller” and a data “processor.” Instead, “where two or more personal information handlers jointly decide on a personal information handling purpose and handling method, they shall agree on the rights and obligations of each” and all bear joint liability for the compromise of such personal information.
Notably absent from the PDPL is the GDPR’s Article 45 concept of third country “adequacy.” Instead, under the PDPL a data handler must meet one of the four following requirements before conducting a lawful cross-border data transfer: (1) pass a security assessment, (2) undergo a PI certification, (3) conclude an agreement with the foreign receiving party on the rights and obligations provided by the PDPL, or (4) meet some other condition required by law. Furthermore, prior to any transfer of personal data outside mainland China’s borders, the data handler must notify affected individuals of such transfer and obtain their specific consent before doing so.
While the PDPL and DSL still require finalization to become law, global companies operating within China’s borders and collecting personal information on its citizens must be cognizant of the above. Those hoteliers with mature GDPR compliance programs are already well ahead of their competition. However, even those that do have a high-functioning privacy program are likely under extreme pressure due to the financial impact of the COVID crisis on the industry.
Our experts have hands-on experience building and maintaining data protection programs in China. We have the people, processes, and technology to assist our clients with building a robust and cost-effective compliance and data governance program. We also have a tried and true playbook.
Foundational to any data protection office is the knowledge of where organizational data resides and the categories of such data.
To achieve this fundamental goal, we use SECURITI.ai’s advanced technology to scan our clients’ networks for personally identifiable information in both structured and unstructured data sources, whether in on-premises or cloud environments.
We then can categorize our clients’ data as required by the PDPL.
This allows us to precisely catalog our clients’ data thereby creating a data “library.”
From here, we can perform critical data mapping necessary to assess the legality of cross-border data transfers.
Just as critical, we can trace each and every data element back to a specific data subject to ensure that our clients are able to fulfil all data subject access requests quickly, efficiently and thoroughly.
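The discovery, classification and subject-tracing steps described above are shown below as an added, illustrative example; it is not Advisori's or SECURITI.ai's tooling, and the detection patterns, category names and all sample records are constructed for the demonstration. The categories follow the sensitive personal information list quoted earlier on this page (social security, driver’s license and card numbers, precise geolocation); the scan runs over a structured store, where each row already names its data subject, and over free-text tickets, which are tied back to a subject only through an identifier the structured scan has already linked. A card-like digit run is kept only if it passes the Luhn checksum, and findings that cannot be traced to a subject are retained under a sentinel rather than dropped, since those are exactly the records a data subject access request would otherwise miss.

```python
"""PII discovery pass over structured and unstructured sources (illustrative).

Added example, not vendor code. Patterns are simplified assumptions and every
record below is constructed sample data, not a real person or account.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Category -> regex. Categories echo the sensitive personal information list
# discussed on this page; the patterns themselves are simplified assumptions.
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "drivers_license": re.compile(r"\b[A-Z]\d{7}\b"),        # assumed letter + 7 digits format
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, spaces/dashes allowed
    "geolocation": re.compile(r"\b-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Email is ordinary PI; the others are treated as sensitive and so would
# trigger the "limit the use" obligation for the subject they belong to.
SENSITIVE = {"ssn", "drivers_license", "card_number", "geolocation"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    source: str               # data store the hit came from
    location: str             # column name (structured) or document id (unstructured)
    category: str
    value: str
    subject: Optional[str]    # data subject the element traces back to, if known


def detect(text: str) -> list:
    """Run every rule over one string; return (category, matched value) pairs."""
    hits = []
    for cat, rx in RULES.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if cat == "card_number":
                digits = re.sub(r"\D", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue           # numeric noise, not a payment card
            hits.append((cat, value))
    return hits


def scan_structured(source: str, rows: list, subject_key: str) -> list:
    """Structured store: each row names its subject, so scan the other columns."""
    findings = []
    for row in rows:
        for col, val in row.items():
            if col == subject_key or not isinstance(val, str):
                continue
            for cat, value in detect(val):
                findings.append(Finding(source, col, cat, value, row[subject_key]))
    return findings


def scan_unstructured(source: str, docs: list, email_index: dict) -> list:
    """Free text has no subject column: link a document to a subject through an
    email address the structured scan has already tied to a subject id."""
    findings = []
    for doc_id, text in docs:
        hits = detect(text)
        emails = [v for c, v in hits if c == "email"]
        subject = next((email_index[e] for e in emails if e in email_index), None)
        findings.extend(Finding(source, doc_id, c, v, subject) for c, v in hits)
    return findings


def build_catalog(findings: list) -> dict:
    """The data 'library': subject -> set of (source, location, category).
    Findings with no subject are kept under a sentinel so they are not lost."""
    catalog = defaultdict(set)
    for f in findings:
        catalog[f.subject or "UNLINKED"].add((f.source, f.location, f.category))
    return dict(catalog)


def sensitive_categories(catalog: dict, subject: str) -> set:
    """Which sensitive categories the organisation holds for one subject."""
    return {cat for _, _, cat in catalog.get(subject, ()) if cat in SENSITIVE}


# Constructed sample data (not real records).
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.com",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.com",
     "ssn": "", "card": "4111 1111 1111 1112"},   # fails Luhn: not flagged as a card
]
TICKETS = [
    ("T-1", "Customer ada@example.com asked us to update license D1234567; "
            "last seen at 37.7749, -122.4194"),
    ("T-2", "Caller phoned about an invoice; no identifiers captured."),
    ("T-3", "Forwarded SSN 987-65-4321 with no return address."),   # cannot be linked
]


def run_inventory() -> dict:
    """Full pass: scan both stores, then build the subject-keyed catalog."""
    structured = scan_structured("crm.customers", CUSTOMERS, "customer_id")
    email_index = {f.value: f.subject for f in structured if f.category == "email"}
    unstructured = scan_unstructured("helpdesk.tickets", TICKETS, email_index)
    return build_catalog(structured + unstructured)


if __name__ == "__main__":
    cat = run_inventory()
    for subject, entries in sorted(cat.items()):
        print(subject, sorted(entries), sorted(sensitive_categories(cat, subject)))
```

Running the script lists, per subject, every store and field holding that subject's data and the sensitive categories involved; the `UNLINKED` entry for ticket T-3 shows the kind of record that needs manual follow-up before the inventory can be called complete.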
Please visit us at www.advisori.com to learn more.
See Article 37 of China's Cybersecurity Law.
See Article 12 of the Data Security Law of the People’s Republic of China (Draft).
See Articles 51 and 52 of the Personal Data Protection Law (Draft).
See Article 3 of the Personal Data Protection Law (Draft).
See Article 18 of the Personal Data Protection Law (Draft).
See Article 21 of the Personal Data Protection Law (Draft).
See Article 38 of the Personal Data Protection Law (Draft).
See Article 39 of the Personal Data Protection Law (Draft).
Today’s post-pandemic world has turned businesses upside down. The hospitality industry has been particularly hard hit, purportedly losing over $46 billion in room revenue since February [1]. These financial losses have taken a real and substantial toll on front-line and corporate workers; the Bureau of Labor Statistics reports job losses of 4.8M in hospitality and leisure.
The existential risk to the hospitality industry from the pandemic extends to the very customers the industry serves. Pre-pandemic, and even today, hotels built their marketing strategies on customer loyalty programs. For instance, Tyler Morse, CEO and managing partner at MCR Development, which owns the TWA Hotel, describes loyalty programs as an “arms race.” [2] The reason for this is simple, according to David Kong, president and CEO of Best Western Hotels & Resorts: hotels must be focused on acquiring new customers, retaining customers, growing the customer base, and reactivating past customers. Kong goes on to state the obvious: a customer database is key to these objectives.
“If you don't have a database that you can actually do analytics on, you don't even know about your customers. So, you can’t even deploy any one of those four strategies. But without a loyalty program to actually give you that database and that promotion platform and the ability to offer the special member rate, how can you compete then?” 3
The “analytics” fueling loyalty programs are, in fact, the “processing” of personally identifiable information gathered by hospitality companies on their customers. These include obvious data points such as customer name, address, phone number, passport number, billing information, etc. However, this is just the beginning. In order to maximize profits, hotels must have a robust customer profile that includes the individual customer’s or potential customer’s demographics (age, gender, income, etc.), psychographics (personality, preferences, etc.) and their behavior4.
The bottom line is hotels hold treasure troves of personally identifiable information. This critical data flows through property management systems, customer reservation systems, marketing systems, and now the trend is a collection of this data into “data lakes” for the purposes of complex data analytics necessary to target, acquire, and maintain a rich customer base. The goal is to “put heads in beds.”
The unintended consequence of this massive data collection is increased targeting of the industry by hackers who see vulnerable and valuable victims. These bad actors look for the richest payload requiring the least amount of effort to exploit. As history has shown, even the most reputable and profitable hospitality companies have fallen prey to bad actors, time and time again. Traditionally, risk vs. return would prevail and a hacker or group would hit the larger chains which, in theory, would have centralized data stores; however, as tools and hacking methodologies have matured, it has become almost trivial to replicate attacks irrespective of the size of the actual data store, once again dismantling the security-by-obscurity paradigm that some of the smaller market participants may have once enjoyed.
As mentioned above, the hospitality industry has already experienced multiple high-profile breaches. If we examine this from a purely financial perspective, we see that the cost of a data breach can be easily quantified. On average, across industries, businesses estimate the cost of a data breach to be approximately $150/record. Taken at face value, this may seem tenable; however, if you extrapolate that and multiply by thousands of potentially breached records, the costs quickly reach astronomical proportions.
Unfortunately, direct financial losses are typically just the beginning of a breach fallout. One other key aspect is the growing media attention. Yet another impact of this pandemic is the lack of non-pandemic related newsworthy events. While a hack or data breach would certainly have garnered attention, now as the number of reportable events declines, it is entirely possible that data privacy breaches will receive even greater media attention. As this industry is painfully aware, the initial cost of the breach is magnified as media coverage descends and proliferates the negative messaging to consumers across the globe.
Therein lies the existential threat to the business – consumer trust. The reality is, customer loyalty programs are based on trust: a consumer’s trust that she is receiving a valuable service for her money and that her data, and thus privacy, is being adequately protected. As the market has contracted considerably and consumers grow more cognizant of how and why their data is collected and analyzed, the actual cost of a data breach in terms of long-term business impact is anything but trivial. Consumer brand loyalty is vitally important to businesses in general, but specifically to the hospitality sector as hotels gather and process intimate private details on their customers in an effort to provide the “personalized room experience.” Few sectors have experienced the impact of COVID-19 as keenly as this sector and for some, consumer trust and loyalty have been a saving grace (for instance, the emergence of the “clean room” and consumers’ blind trust in this product). Participants within this sector are going to need to prioritize data privacy practices as a major data breach could prove disastrous as the global economy begins its slow recovery.
There is little doubt that protecting customer data security and privacy is a herculean task in this new economic environment. The traditional hospitality attack surfaces, such as data servers sitting around the world, the multitude of applications, and the disparate, and oftentimes outdated, IT systems used to operate hospitality businesses, are further exposed by the profound economic pressures facing hospitality. There have been massive furloughs and layoffs of highly skilled security and privacy professionals in the industry, leaving already vulnerable data systems ever more exposed to bad actors or even more prone to human error.
Fundamental to an effective data protection program is a full and comprehensive understanding of where customer personally identifiable information is collected, stored, transmitted, archived, and discarded.
First, we help with identifying and labeling all data stores on the network. We initiate this process by distributing automated surveys to all relevant stakeholders, e.g., data store managers, data governance team members, etc.
We then use our automated network scanning tools to confirm our survey results.
Once we have identified all relevant databases, we scan each to identify and classify the data content.
From here, we are able to assist our clients with risk mitigation strategies. For instance, data classification and storage strategies, data governance methodologies and best practices, privacy by default (deleting data that is no longer necessary) and data security strategies.
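The discovery and mapping steps above (and the data “library,” cross-border data mapping and data-subject tracing described earlier on this page) as a small added example in Python. This is illustration code, not Advisori’s tooling; the store inventory, hosting regions, subject residency lookup and regex classifiers are all constructed for the demo.

```python
"""Data discovery and mapping demo (added example, not Advisori's tooling).

Assumptions: each data store is an in-memory dict tagged with the region where it
is hosted; data-subject residency comes from a constructed lookup; the PII
classifiers are simple regexes, enough to show the inventory-to-mapping step."""
import re
from collections import defaultdict

SUBJECT_RESIDENCY = {"s-100": "EU", "s-200": "US"}  # constructed lookup

# Constructed inventory of data stores (survey + scan results) and sample records.
DATA_STORES = {
    "pms-frankfurt": {"region": "EU", "records": [
        {"subject_id": "s-100", "guest_name": "Anna Example",
         "email": "anna@example.eu", "passport": "X1234567"},
    ]},
    "marketing-lake-virginia": {"region": "US", "records": [
        {"subject_id": "s-100", "email": "anna@example.eu", "phone": "+49 30 1234567"},
        {"subject_id": "s-200", "email": "bob@example.com", "loyalty_tier": "gold"},
    ]},
}

# Classifiers: a regex on the value, or a field-name hint where the value has no fixed shape.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?[\d\s\-()]{7,}$"),
    "passport": re.compile(r"^[A-Z]\d{7}$"),  # constructed shape, not a real country format
}
FIELD_HINTS = {"guest_name": "name", "name": "name"}

def classify(field, value):
    """Return a PII category for one field, or None if it is not personal data we track."""
    if field in FIELD_HINTS:
        return FIELD_HINTS[field]
    for category, pattern in VALUE_PATTERNS.items():
        if isinstance(value, str) and pattern.match(value):
            return category
    return None

def build_data_library(stores):
    """The data library: every PII element traced to its store, region and data subject."""
    library = []
    for store, meta in stores.items():
        for rec in meta["records"]:
            for field, value in rec.items():
                if field == "subject_id":
                    continue
                category = classify(field, value)
                if category:
                    library.append({"store": store, "region": meta["region"],
                                    "subject_id": rec["subject_id"],
                                    "field": field, "category": category})
    return library

def dsar_report(library, subject_id):
    """Data subject access request: which stores hold which elements about this subject."""
    report = defaultdict(list)
    for e in library:
        if e["subject_id"] == subject_id:
            report[e["store"]].append((e["field"], e["category"]))
    return dict(report)

def cross_border_elements(library, residency):
    """PII of EU residents held in a store hosted outside the EU: each needs a transfer basis."""
    return [e for e in library
            if residency.get(e["subject_id"]) == "EU" and e["region"] != "EU"]
```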
To learn more about how ADVISORI can help, please visit www.advisori.com.
Following the Court of Justice of the European Union’s (CJEU) decision to invalidate the Privacy Shield and call on data protection authorities to use their enforcement powers, the Irish Data Protection Commission (DPC) issued a preliminary order directing Facebook to stop transferring data from the EU to the US. The obvious intent is to protect personal data from the far-reaching surveillance laws in the US that govern companies such as Facebook. However, the preliminary order implies that the standard contractual clauses (SCCs) that Facebook was relying on in the wake of the Privacy Shield decision are also invalid.
Facebook responded to the preliminary order with a strong rebuke, instilling fearful predictions of economic harm in the EU: “[I]t could have a far reaching effect on businesses that rely on SCCs and on the online services many people and businesses rely on. The effects would reach beyond the business world, and could impact critical public services such as health and education.”
Days later, Facebook appealed the preliminary order and sought a judicial review from the Irish High Court, which was granted. Facebook argued that the three weeks it was given to respond to the order was not enough time, that it was unfair for the DPC to only target Facebook, and that the order was issued prematurely because the European Data Protection Board has not released new privacy guidelines in the wake of the Privacy Shield decision.
Following the Irish High Court’s stay of the DPC’s Order, Max Schrems responded: “It does not come as a surprise that the DPC has again failed to run a proper procedure and was stopped by the Irish courts for now. At the same time it is not clear if Facebook will ultimately succeed with this case.”
While the preliminary order calls into question the validity of relying on SCCs to transfer data from the EU to the US, Facebook is simultaneously relying on the “necessary transfer” derogation listed under Article 49(1)(b) of the GDPR (“the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request”). Facebook believes that the company’s user agreements fall under this “necessary transfer”; however, the derogations under Article 49 are intended to be used in limited situations. While the current judicial review is focused on the validity of Facebook’s use of SCCs for their EU-US data transfers, the company’s reliance on Article 49 will likely be another legal question for the courts to answer in the near future.
If the DPC’s preliminary order is upheld, the enforcement power to stop data transfers to the US will cause more of a shake-up than the invalidation of the Privacy Shield. First, there are the steep fines for violations: 4% of global revenue. According to the WSJ, this means Facebook could face up to $2.8 billion in penalties if they fail to comply. Additionally, if EU data protection authorities are able to suspend the transfer of data to the US, then the mounting pressure on the US government to pass privacy laws equal to those in the EU will reach an all-time high. For now, companies should continue to tighten their data protection measures and take additional steps to ensure transparency to their users regarding how their data is processed and transferred.
As is now widely known, the European Union’s top court, the Court of Justice of the European Union (CJEU), invalidated the EU-US Privacy Shield in a landmark decision handed down on July 16, 2020, and further cast doubt on the continued use of standard data protection clauses for the transfer of personal data between the EU and the US. The Court ruled that the United States does not have adequate legal safeguards to protect the personal data or privacy rights of EU citizens from government surveillance.
The case, Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, referred to as Schrems II, is the latest chapter in a years-long legal battle encompassing the conflict between the European Union’s privacy laws and government surveillance laws in the United States.
The Privacy Shield was a legal framework established in 2016 that allowed for the transfer of personal data from the EU to the US. The agreement was meant to ensure that registered United States companies would comply with the EU’s data privacy laws, even in the absence of any US federal privacy law. It was used by more than 5,300 companies, including Amazon, Google, and Twitter (in addition to Facebook).
The CJEU found that the Privacy Shield did not actually protect the personal data of EU citizens from US surveillance laws, nor did it allow for an effective legal remedy if an EU citizen’s privacy rights were violated. Therefore, the Court concluded that the United States could not ensure an adequate level of protection for personal data transferred under the Privacy Shield because it was incompatible with the General Data Protection Regulation (GDPR) and the European Charter of Fundamental Rights.
While the CJEU upheld the validity of using standard data protection clauses in contracts to ensure that personal data transferred outside the EU remains adequately protected, the Court cast doubt on whether any contractual clause would be sufficient to protect against government interference in countries without privacy protection laws, like the United States. The Court called on Data Protection Authorities (DPAs) of the EU to review standard data protection clauses on a case-by-case basis. Although a DPA does not have the power to undermine a United States security law, it can prohibit the transfer of personal data to the US if it finds the contractual clause relied on does not, or cannot, meet the EU’s privacy requirements. In practice, no contractual clause could adequately protect personal data transferred from the EU to the US from the far-reaching surveillance powers of the National Security Agency, so it remains to be seen how this ruling will affect the transatlantic transfer of data moving forward.
The Court’s decision certainly should put both United States companies and lawmakers on high alert, as it made clear that the EU will not bend on the privacy rights afforded to its citizens. Companies will have to figure out a new way to continue receiving personal data from the EU, unless a federal privacy law is passed that alleviates the concerns the CJEU laid out. The Court’s judgment puts pressure on the United States government to limit its surveillance laws targeting non-US citizens and to meet the same standards of privacy rights upheld in the EU. Until that time, companies may have to set up servers in the EU to process personal data, or stop doing business in the EU. Both options are costly.
Not surprisingly, Secretary of Commerce Wilbur Ross revealed his disappointment in the decision to end the Privacy Shield, citing potential damage to the “$7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.”
In the meantime, companies should review their privacy policies and have a clear understanding of what data they have, where it comes from, and how it is stored. By accurately tracking personal data and solidifying adherence to the GDPR, companies may be able to continue business as usual while waiting to see what this judgment truly means in practice.
Even as companies grapple with the economic impacts of the COVID-19 pandemic, one thing remains clear – data privacy concerns abound and pandemic or not, businesses governed by the EU General Data Protection Regulation (“GDPR” or the “Regulation”) must remain compliant as the Regulation has no less bite than it did in the pre-pandemic era.
As companies struggle with the new economic reality, many are likely to contemplate shifting existing data protection office functions to other departments, such as legal, to save costs. This strategy should be well-thought-out and scrutinized from both a risk and an operational standpoint. The sobering reality is, those companies with the short-sighted view of the DPO as merely a line item on the company balance sheet are exposing their businesses and brands to significant risk.
The above is underscored by the recent decision of the Belgian Data Protection Authority (“DPA”). In April of 2020, the Belgian DPA imposed a €50,000 fine on a company as the DPA determined that the company’s appointment of its Head of Compliance, Risk Management and Audit to also serve as its DPO was tantamount to a conflict of interest. Specifically, the DPA found that Article 38(6) of the GDPR requires the DPO to have independent oversight of company data protection while maintaining confidentiality and secrecy.
More specifically, the Belgian DPA underscored that “independence” is a core requirement of a data protection officer. To satisfy this fundamental requirement, the DPO must be free from the Controller’s influence on the day-to-day duties of the DPO. Moreover, the DPO should, ideally, report directly to the Board of Directors or as high in the leadership chain as possible to demonstrate clearly and unequivocally that the DPO has an unimpeded line to the BOD, which bears the ultimate responsibility for GDPR compliance. The DPA’s ruling demonstrates a very real and direct impact for those organizations failing to establish an independent and autonomous data protection officer.
In addition to the regulatory requirement of DPO independence, such independence will promote confidence in data subjects that their rights are being adequately protected, as the independent DPO is not just another cog in the corporate gears. Moreover, as articulated by the Article 29 Working Party (“WP29”), the DPO is “a cornerstone of accountability and...can facilitate compliance and furthermore, become an advantage for businesses.” Thus, sufficient DPO independence and autonomy acts as both shield and sword by ensuring both regulatory compliance and building brand trust with data subjects.
For those companies struggling with the economic “new normal,” Article 37(6) of the GDPR provides a viable option: data protection office outsourcing. Companies looking to streamline their businesses and strengthen their balance sheets do not have to jeopardize DPO independence to do so. Finding the right DPO-as-a-service can be the right strategy for companies of every size and industry.
From a purely optical perspective, choosing to leverage an outsourced DPO is a clear and unequivocal demonstration that the DPO is independent and autonomous. Of course, there must be sufficient interfacing and interaction between the outsourced DPO and all relevant business functions and requisite levels of company leadership. If this critical partnership is agreed to and established up-front, an outsourced DPO can offer tremendous benefit to the company.
In addition to achieving the critical need for DPO independence and autonomy, an organization relying on an outsourced DPO does not have to bear the heavy financial and operational costs required to develop and retain in-house expertise and technologies, which can be particularly appealing to smaller sized businesses from a financial viewpoint.
However, even larger businesses with the budget to build and maintain a sophisticated and effective data protection office can benefit from an outsourced DPO model as they are freed up to separate their business operations from their data protection office, thereby increasing operational efficiencies, maintaining DPO independence and autonomy, and minimizing head-count in these difficult economic times. Just as important, by relying on the outsourced DPO model, organizations overtly demonstrate their commitment to a truly independent office focused on protecting data subject rights, thereby enhancing their brands with customers who are increasingly concerned about protecting their privacy.
While the DPO is an easy target to reduce costs in the short term, the DPO role remains vitally important now as we begin to see economic recovery and a return to business operations on a global scale. As data protection regulation increases and budgets decrease, this is an opportune time for companies to explore the economic, operational, and brand benefits of an outsourced DPO model.