Edition #3 | The Privacist's Playbook

Welcome to The Privacist's Playbook!

This is Edition #3 of The Privacist's Playbook.

Let's get into Edition #3...

We really appreciate your ongoing support after the release of Edition #2. Apologies for the delay in publishing this Edition.

Your feedback, sharing it with your network, and spreading the word has been invaluable. Thank you again!

Let's Dive In

News Snippets

Dive into the FTC Epic Games Settlement – IAPP’s Key Takeaways

The US Federal Trade Commission (FTC) has taken action against Epic Games over alleged privacy violations and deceptive billing practices, resulting in a USD$275m administrative penalty and USD$245m in consumer refunds. The IAPP has summarised its key takeaways on the significance of the settlement (it is the first time the FTC has addressed the particular vulnerabilities of teenagers in its enforcement work).

The circumstances centre around Epic Games' popular cross-platform multiplayer video game, Fortnite, and allegations that it did not comply with the US Children's Online Privacy Protection Act (COPPA) and had unfair default privacy settings for both teenagers and children. The settlement serves as a reminder for privacy professionals to think about COPPA compliance and the unique risks faced by teenagers in their online activities.

Legal & Policy Updates

The Nitty Gritty of the Settlement – Details from the FTC on Allegations of Privacy Violations and Dark Patterns by Epic Games

For the text of the settlement, check out the original publication from the Federal Trade Commission. The FTC in the US has obtained agreements requiring Epic Games to pay a total of USD$520m over allegations that the company violated COPPA and deployed “dark patterns” to encourage players to make unintentional purchases. The settlements are the largest ever for violating an FTC rule and for an administrative order, respectively. As part of a federal court order, Epic will pay a USD$275m penalty for COPPA violations, and a further USD$245m will be refunded to consumers for its dark patterns and billing practices.

European Commission Adequacy Decision on the EU-US Data Privacy Framework & Answering Your Questions

The European Commission has launched the process for adopting an adequacy decision for the EU-US Data Privacy Framework, which will allow for the transfer of data between the EU and US and address concerns raised by the Court of Justice of the European Union in its Schrems II decision in 2020.

The draft adequacy decision concluded that the US provides an adequate level of protection for personal data transferred from the EU. The decision is based on an assessment of the Data Privacy Framework and its obligations for companies, as well as the limitations and safeguards on access by US public authorities to data transferred to the US, particularly for criminal law enforcement and national security purposes.

The adequacy decision will allow European entities to transfer personal data to participating US companies without additional data protection safeguards and will require US companies to comply with a set of privacy obligations in order to participate in the framework. Check out the European Commission's rundown of the draft adequacy decision, and where it's going from here.

On Court Enforcement of Data Privacy Protections in California

A recent state appeals court decision in California may make it difficult for individuals to sue companies that violate data privacy laws. A recent article by Adam Schwartz and Corynne McSherry for the EFF explains why the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC) filed an amicus letter with the California Supreme Court urging it to review the decision and keep the courthouse doors open to victims of corporate data privacy violations.

Industry Matters

Balancing Privacy, Self-Care, and Fitness – Canadian OPC Backs CSA Group Research on Privacy and Power Dynamics in Wearable Tech

Recent research by Tania Donovska (CSA Group), backed by the Privacy Commissioner of Canada (Commissaire à la protection de la vie privée du Canada), has been published discussing the privacy risks associated with wellness wearables, which are devices that directly connect to the body to generate health-related data. The article points out that these devices are not subject to medical regulations or health privacy laws and are not fully protected by consumer privacy laws, creating a regulatory grey area. The article also examines the specific privacy risks involved in the use of wearables in the workplace and insurance contexts.

The research posits that policymakers must address these issues and implement effective interventions to protect privacy as the use of these devices increases and they establish deeper connections to the body. The report intends to increase understanding of the privacy challenges and considerations associated with wearables and contribute to policy development in this area.

Apple Adopts End-to-End Encryption into iCloud Backups and More

Apple has announced that it is introducing three new data security measures, iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud, to protect consumer data and deter threat actors.

The Advanced Data Protection feature expands the number of categories that have end-to-end encryption by default from 14 to 23 and includes E2E encryption for iCloud Backup, Notes and Photos. However, iCloud Mail, Contacts and Calendar will not be covered to allow them to continue to interoperate with other non-Apple systems.

The International Association of Privacy Professionals Holds Its Europe Data Protection Congress for 2022 ft. FPF

The IAPP hosted the Europe Data Protection Congress 2022, which featured three panels moderated by, or with speakers from, the Future of Privacy Forum (FPF). The first panel discussed global trends in data protection and privacy regulation in various regions, the second panel focused on automated decision-making and profiling under the GDPR, and the third panel looked at data protection developments in the US.

The Women@Privacy awards ceremony and the Brussels Privacy Symposium also took place, discussing the issue of vulnerable people and marginalisation in relation to data protection. The panels highlighted the increasing number of data protection laws being implemented globally, the complexity of the GDPR for countries building their first data protection regimes, and the challenges and opportunities presented by the California Consumer Privacy Act.

Digital Privacy Tips

Are You a Privacy Engineer or Looking to Grow Your Privacy Engineering Expertise? GitHub Publishes 8 Tips to Mitigate Privacy Risk

Designing systems with privacy in mind from the start is crucial to avoid costly and potentially harmful re-engineering efforts later on. This is known as privacy engineering, a field that has emerged in recent years to address and mitigate privacy risks in software and systems. Privacy engineering involves distinguishing privacy risks from information security risks, understanding that not all data is personal information, and being aware that some data is especially private and requires additional protection.

It is important to consider the potential uses of data and whether they align with the expectations of the people it concerns, as well as to implement appropriate safeguards and controls. Involving privacy experts early in the design process can help ensure that privacy considerations are properly integrated. It is also important to continuously monitor and assess privacy risks as systems evolve. To get on top of all of these tasks, Ayden Férdeline writes for GitHub's The ReadME Project, providing 8 tips for privacy engineers and their teams to mitigate privacy risk.

The Shifting Privacy Landscape in Australia – Helping Australian Businesses Get a Move On with Their Data Inventory

The IAPP ANZ Summit 2022 in Sydney highlighted the increasing importance of privacy and data protection to the Australian community. The main takeaway from the event was that Australian organisations are expected to "clean up" their data holdings and only retain personal information if there is a "bloody good reason".

The Australian government has recently increased fines for Privacy Act breaches to AUD$50m, which may lead to more organisations taking action to protect personal data. However, fines alone will not change corporate behaviour in the long term, and privacy programs should focus on training and awareness, minimising human error and helping front-line staff understand the impact of data breaches on individuals.

A key first step for organisations is to create a data inventory, which can be a daunting task due to the number of active and legacy systems and the lack of funding for records management and data destruction.

Sharing Sensitive Data in the Course of Your Research? Be Sure to Take Care When Sharing Data

Data sharing for research purposes can be complicated due to legal, financial, and reputational risks for both the researcher and the organisation holding the data. These risks can include inadequate privacy and cybersecurity protections, restrictions on data sharing, and potential misuse of data by researchers. To mitigate these risks, technical and legal measures such as data sharing agreements, institutional review boards, and access controls can be employed.

For organisations, this involves increasing awareness of data sharing, implementing best practices, and streamlining data usage. For research institutions, it involves building open lines of communication, establishing a process for reviewing and approving data sharing proposals, and ensuring appropriate personnel, privacy, and cybersecurity controls are in place. For researchers, it involves evaluating their internal policies and resources, communicating and collaborating with legal, privacy, and cybersecurity personnel, and considering adopting a zero-trust approach to data access and use. If you'd prefer to take in the report in infographic form, check it out here.

That's a Wrap!

This concludes Edition #3 of The Privacist's Playbook. I hope you enjoyed it.

If you have any feedback on the content, format, style, or anything else — I'd love to hear it. Get in touch on LinkedIn, Twitter, or Email.

- Jacques.