A step towards a uniform law on the protection of privacy: the uniform law on the protection of personal data | Locke Lord LLP

This summer, after two years of work on a model privacy law, the Uniform Law Commission (ULC) entered the privacy debate by passing the Uniform Law on the Protection of Personal Data (the “Uniform Law”) by a 52-1 vote, with Maine casting the only dissenting vote. The Uniform Law takes a different approach to privacy protection than the existing legislation in California, Virginia, and Colorado. For example, although it recognizes the right of a data subject to obtain a copy of their personal data and to correct inaccurate data contained in it, there is no right to require a company to delete personal data. Some of the other unique features of the Uniform Act are as follows:

Usage categories

The Uniform Act approach creates three categories of data practice and regulates the use of personal data depending on the type of data practice involved.

  • Compatible data practices: generally, practices that are (i) consistent with consumer expectations based on the particular transaction, or (ii) likely to benefit the consumer. In particular, the use of personal data for targeted advertising, or even its disclosure to a third party for that purpose if it is pseudonymized, is considered a compatible data practice. A controller is free to use personal data for compatible data practices without obtaining the individual’s consent or providing a right to refuse such use.
  • Incompatible data practices: practices that neither benefit nor harm the individual. Practices that would otherwise be considered compatible data practices are treated as incompatible data practices if they are not adequately disclosed in the applicable privacy policy. Personal data may only be used for incompatible data practices if the practice is adequately disclosed at the time the personal data is collected. If sensitive data is involved, the entity also needs the individual’s express and signed consent for the incompatible data practice; if no sensitive data is involved, an opportunity to opt out of the incompatible data practice is sufficient. To this end, “sensitive data” is defined as personal data that reveals information generally considered sensitive for an individual, including racial or ethnic origin, religious beliefs, gender, sexual orientation, citizenship or immigration status; credentials sufficient to access an account remotely; a financial account number; a Social Security number or other government-issued identification number; real-time geolocation; criminal record; income; health status information; genetic sequencing information; and information about a minor under the age of 13. An entity may even require an individual’s consent to an incompatible data practice as a condition of obtaining a discount or of accessing goods or services at all.
  • Prohibited data practices: generally, practices that may cause substantial harm to the individual, including financial, physical or reputational harm, embarrassment or harassment. This also includes the failure to provide reasonable data security measures, the use of incompatible data practices without the required consent, and the re-identification of pseudonymized or anonymized data, except in limited circumstances. As the name suggests, prohibited data practices are not permitted under any circumstances.

Scope of the law

Unlike most existing privacy laws, the application of the Uniform Act is not expressly limited to large entities: it applies, at least in part, to any person (defined in a broad sense to include individuals and entities) that maintains personal data and conducts business in the state or purposefully provides services to its residents. To avoid excessive burdens on small businesses, however, the Uniform Law provides thresholds below which a person can avoid most of its restrictions. More specifically, the Uniform Act exempts persons who: (1) do not maintain more than [50,000] records concerning persons of that state; (2) earn more than [50] percent of gross annual income from retaining personal information as a controller or processor; (3) act as a processor for a controller that the processor knows meets the thresholds in (1) or (2); or (4) retain personal data, unless they process the data only using compatible data practices. Note that the record counts and income thresholds are in brackets, inviting states to adopt their own thresholds. A compatible data practice is defined as processing that meets the ordinary expectations of the data subjects or is likely to substantially benefit the data subjects, taking into account the factors the Act lists. Therefore, even persons exempted from the Uniform Act because they fall below the thresholds must limit their data processing activities to compatible data practices, or the entire Uniform Act applies to them.

Like other privacy laws, the Uniform Act covers a wide range of information under its definition of personal data. Personal data includes any record (physical, electronic or otherwise) that identifies or describes a data subject by a direct identifier, as well as pseudonymized data, but not anonymized data. Anonymized data is personal data that has no direct identifiers and carries a reasonable guarantee that the record cannot be linked to a data subject without personal knowledge of, or special access to, the data subject’s information. There are exemptions for certain data, such as publicly available information and information processed in the course of employment or a job application.

Requirements of the Uniform Act

The Uniform Act imposes requirements on controllers and processors. A controller is a person who determines the purposes and means of processing; a processor is a person who processes personal data on behalf of a controller.

Controllers are required to provide rights to copy and correct personal data, as well as disclosures regarding their personal data maintenance and processing practices. Consent is required for processing that is an incompatible data practice, defined as a data practice that is neither compatible nor prohibited, or that is inconsistent with the applicable privacy policy required under the Uniform Act. Prohibited data practices are defined as processing: (i) likely to cause a data subject specific and significant harm (as elaborated in section 9(a)); (ii) in violation of another law; (iii) without reasonable security measures; or (iv) without the consent required for an incompatible data practice. Controllers must also conduct privacy and security risk assessments and provide remedies for incompatible or prohibited data practices.

The Uniform Act obliges processors to: (i) provide the controller with access to personal data; (ii) correct inaccuracies at the request of the controller; (iii) limit processing to the purpose requested by the controller; (iv) conduct and maintain privacy and security risk assessments; and (v) provide redress for incompatible or prohibited data practices.

Deemed compliance

Compliance with specified federal privacy laws, including the Medicare Portability and Liability Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act (among others), may be deemed compliance with the Uniform Law, but only with respect to the processing that is the subject of those statutes. It therefore does not provide a general exemption for these regulated entities. For example, a bank that processes information in a way that is not subject to Gramm-Leach-Bliley would still be subject to, and would have to comply with, the Uniform Act with respect to that processing.

The Uniform Act also allows compliance with (i) a comparable privacy law of another jurisdiction (such as the CCPA or GDPR) or (ii) a voluntary consensus standard to be deemed sufficient to comply with the Uniform Act. These methods of deemed compliance apply only if the state attorney general has determined that the comparable law is as protective as or more protective than the Uniform Act, or has specifically approved the voluntary consensus standard.

Enforcement

Enforcement, and in particular whether a private right of action would be included, was probably the most contested provision in the development of the Uniform Act. The final Uniform Law attempts to sidestep the problem by providing for enforcement through the state’s existing consumer protection law. Some states have consumer protection laws that provide a private cause of action and some do not. The Uniform Act also contains optional language that a state can use to preclude a private cause of action under the Uniform Act even if its consumer protection law provides one. As a result, the struggle over whether to include a private cause of action will now shift to the various state legislatures considering enacting the Uniform Law.

The ULC intends the Uniform Data Protection Act to promote consistency by providing a template that states can use to enact their own privacy laws. The ULC plans to start promoting state adoption in January 2022, when many state legislatures begin their new legislative sessions. It remains to be seen whether the ULC will succeed in getting the 47 states that currently lack comprehensive privacy legislation to adopt the Uniform Law, and to what extent its unique privacy concepts will influence future privacy legislation.
