What can the California Privacy Agency learn from Europe? | Fox Rothschild LLP

What can the California Privacy Agency learn from the EU’s experience as it prepares to draft DPIA regulations? Here is a recap of my remarks during the CPRA Regulatory Stakeholder Session:

1) Don’t reinvent the wheel: start from the specificity of the Virginia (VA) and Colorado (CO) privacy laws and from the detailed work already done in the EU.

  • It gets the Agency started faster, and ahead of businesses that are looking to comply.
  • It also provides greater legal certainty and helps multinationals, which can reuse the EU work they have already done.

2) Provide clear guidelines for when a DPIA is needed.

  • Provide a decision tree if possible.
  • Don’t be too specific. (For example, the European Data Protection Board rejected member-state blacklists that required a DPIA only for the processing of sensitive information or for cross-border transfers.)
  • Also consider providing a “whitelist” of processing for which a DPIA would not be required.
  • Provide advice on when to review the DPIA (e.g. advances in technology, changes in the processing, post-merger or acquisition).
  • Define the contribution that service providers can make to help the business. (Consider issuing guidelines encouraging or expecting help from big vendors, especially on transparency.)
  • Provide guidance on how to incorporate other risk assessments.

3) Provide clear, but not overly complicated, guidelines on how to carry out a DPIA.

  • Take advantage of EU templates: ICO, CNIL (with taxonomies), the Netherlands, Spain, Germany and/or ISO/IEC 29134 (updated).
  • Leverage the information security management system (ISMS) and build the privacy management system on top of it.
  • Land somewhere between the UK and Germany.
  1. ICO – A very easy-to-read model, but it may be poorly implemented because the proportionality/necessity assessment component is left open.
  2. Germany – A very complex and detailed model that maps technical and organisational measures (TOMs) to risk. It is useful, but there should also be a model adapted to SMEs.
  • Provide guidance on the risks to consider: leverage existing risk and harm taxonomies.
  • Provide guidance on how to complete the process: for example, a 3D model that requires you to break the processing down into phases (such as storage, use, modification, sharing) and assets (software, hardware, employees, recipients), and then, for each phase/asset pair, assess the likelihood and severity of a breach of each relevant data protection principle.
  • Provide advice on the process itself and on the relevant stakeholders within the company and externally (e.g. involving those affected).
  • Provide options/guidance for SMEs.
  • Provide or source recommended DPIAs (e.g. in difficult areas such as algorithmic impact assessment, as discussed in the EU AI Act), which would allow companies to verify whether a DPIA was carried out in a similar case. (The Commission Nationale de l’Informatique et des Libertés (CNIL) has published a number of sample DPIAs. The Data Protection Commission of Ireland has also recommended a few as a “gold standard”.)
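The “3D model” described above (phases × assets × data protection principles, each cell rated for likelihood and severity) is concrete enough to put into a small risk register. The script below is an added example written for this page; it is not the author’s model, nor any regulator’s template. The phases and assets are the ones listed above; the set of principles, the 1–4 rating scales, the risk-band thresholds, the “controls reduce the inherent rating to a residual one” rule, and the sample CRM-to-vendor register are all assumptions made for the illustration.

```python
"""Added example of the '3D' DPIA model: processing phases x assets x principles.

Every cell is rated for likelihood and severity of a breach of a principle,
controls reduce the inherent rating to a residual one, and any cell left in
the high band is flagged for escalation. The scales, thresholds and the
sample register below are assumptions for this example, not a regulator's.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Tuple

PHASES = ("storage", "use", "modification", "sharing")           # from the text
ASSETS = ("software", "hardware", "employees", "recipients")      # from the text
PRINCIPLES = ("purpose limitation", "data minimisation",          # assumed subset
              "integrity and confidentiality")

MAX_LEVEL = 4  # assumed 1..4 scale for both likelihood and severity


@dataclass(frozen=True)
class Cell:
    phase: str
    asset: str
    principle: str


@dataclass(frozen=True)
class Rating:
    likelihood: int
    severity: int

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.severity):
            if not 1 <= v <= MAX_LEVEL:
                raise ValueError(f"rating {v} outside 1..{MAX_LEVEL}")

    @property
    def score(self) -> int:
        return self.likelihood * self.severity


def risk_band(score: int) -> str:
    """Assumed thresholds on the 1..16 product: >=12 high, >=6 medium, else low."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def all_cells() -> List[Cell]:
    """The full 3D grid: every phase/asset/principle combination must be assessed."""
    return [Cell(p, a, r) for p, a, r in product(PHASES, ASSETS, PRINCIPLES)]


@dataclass
class Register:
    inherent: Dict[Cell, Rating] = field(default_factory=dict)
    # cell -> [(control name, likelihood reduction, severity reduction)]
    controls: Dict[Cell, List[Tuple[str, int, int]]] = field(default_factory=dict)

    def rate(self, cell: Cell, likelihood: int, severity: int) -> None:
        if cell not in all_cells():
            raise ValueError(f"{cell} is not a cell of the model")
        self.inherent[cell] = Rating(likelihood, severity)

    def mitigate(self, cell: Cell, name: str, likelihood_drop: int = 0, severity_drop: int = 0) -> None:
        if cell not in self.inherent:
            raise KeyError("rate the cell before attaching controls to it")
        self.controls.setdefault(cell, []).append((name, likelihood_drop, severity_drop))

    def residual(self, cell: Cell) -> Rating:
        """Apply the cell's controls; ratings floor at 1 because risk never vanishes."""
        r = self.inherent[cell]
        lk, sv = r.likelihood, r.severity
        for _, dl, ds in self.controls.get(cell, []):
            lk, sv = max(1, lk - dl), max(1, sv - ds)
        return Rating(lk, sv)

    def unassessed(self) -> List[Cell]:
        """Cells nobody rated: a DPIA that skips them is incomplete, not low-risk."""
        return [c for c in all_cells() if c not in self.inherent]

    def needs_escalation(self) -> bool:
        """True if any residual risk is still high after controls (assumed rule)."""
        return any(risk_band(self.residual(c).score) == "high" for c in self.inherent)

    def report(self) -> List[dict]:
        rows = []
        for c, r in self.inherent.items():
            res = self.residual(c)
            rows.append({"cell": c, "inherent": r.score, "residual": res.score,
                         "band": risk_band(res.score),
                         "controls": [n for n, _, _ in self.controls.get(c, [])]})
        return sorted(rows, key=lambda x: (-x["residual"], -x["inherent"]))


def build_sample_register() -> Register:
    """Constructed sample: three cells of a fictional CRM export to a marketing vendor."""
    reg = Register()
    share = Cell("sharing", "recipients", "integrity and confidentiality")
    reg.rate(share, likelihood=4, severity=4)                       # 16, high
    reg.mitigate(share, "contract + TLS + pseudonymised export", likelihood_drop=2)
    store = Cell("storage", "hardware", "integrity and confidentiality")
    reg.rate(store, likelihood=3, severity=4)                       # 12, high
    reg.mitigate(store, "full-disk encryption on laptops", likelihood_drop=2)
    use = Cell("use", "employees", "purpose limitation")
    reg.rate(use, likelihood=3, severity=3)                         # 9, medium, no control
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for row in reg.report():
        c = row["cell"]
        print(f"{c.phase:12} {c.asset:10} {c.principle:28} "
              f"inherent={row['inherent']:2} residual={row['residual']:2} {row['band']}")
    print("escalate:", reg.needs_escalation(), "| unassessed cells:", len(reg.unassessed()))
```

Two design points worth noticing: the register refuses to attach a control to a cell that was never rated, so mitigations cannot be listed without an inherent risk to justify them, and `unassessed()` reports the cells of the grid nobody touched, which is the check a reviewer would run before accepting that a DPIA is complete.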


Mary I. Bruner