What can the California Privacy Agency learn from Europe? | Fox Rothschild LLP
What can the California Privacy Agency learn from the EU’s experience as it prepares to draft DPIA regulations? Here is a recap of my remarks during the CPRA Regulatory Stakeholder Session:
1) Don’t reinvent the wheel: start from the specificity of the Virginia (VA) and Colorado (CO) laws and from the detailed work that has already been done in the EU.
- It’s faster to get started and ahead of businesses looking to comply.
- It also provides greater legal certainty and is useful for multinationals, which can reuse the work they have already done for the EU.
2) Provide clear guidelines for when a DPIA is needed.
- Provide a decision tree if possible.
- Don’t be too specific. (For example, the European Data Protection Board rejected member-state blacklists that required a DPIA only for the processing of sensitive information or for cross-border transfers.)
- Also consider providing a “whitelist” where a DPIA would not be required.
- Provide advice on when to review the DPIA (e.g., advances in technology, changes in processing, post-merger or acquisition).
- Define the contribution service providers can make to help the business. (Consider issuing guidelines encouraging/expecting help from big vendors – especially on transparency.)
- Provide guidance on how to incorporate other risk assessments.
3) Provide clear, but not overly complicated, guidelines on how to carry out a DPIA.
- Take advantage of EU templates: ICO, CNIL (with taxonomies), NL, ES, DE and/or ISO 29134 (updated).
- Leverage the information security management system (ISMS) and build the privacy management system on top of it.
- Land somewhere between the UK and Germany.
  - ICO – Very easy-to-read model, but there may be issues with poor implementation (the proportionality/necessity assessment component is open-ended).
  - Germany – Very complex and detailed model that maps technical and organisational measures (TOMs) according to risk. It is useful, but there should also be a model adapted to SMEs.
- Provide guidance on risks to consider: Leverage existing risk and harm taxonomies.
- Provide guidance on how to complete the process: for example, a 3D model that requires you to break down processing into phases (such as storage, use, modification, sharing) and assets (software, hardware, employees, recipients). For each phase/asset pair, assess the likelihood and severity of a breach of the relevant data protection principles.
- Provide advice on the process itself and on the relevant stakeholders within the company and externally (e.g., involving those affected).
- Provide options/guidance to SMEs.
- Provide/source recommended DPIAs (e.g., in difficult areas like algorithmic impact analysis, as discussed in EU AI law), which will allow companies to verify whether a DPIA was carried out in a similar case. (The Commission Nationale de l’Informatique et des Libertés (CNIL) has a number of sample DPIAs. The Data Protection Commission Ireland has also recommended a few as a “gold standard”.)