
Do EU’s data protection laws need to be revised already?

Axel Voss, a member of the European Parliament who helped to draft the GDPR, has stated that after only three years in force the regulation is already out of date and needs substantial revision to keep pace with the post-pandemic world. He argues that the legislation must be updated to reflect the global shift to working from home brought about by the COVID-19 pandemic, and to cater for the many new technologies developed since the GDPR entered into force; most notably, the use of Artificial Intelligence has grown enormously over the last few years. It remains to be seen whether any significant revision is likely soon, since other members of the European Parliament, such as Sophie in 't Veld, maintain that the GDPR is still fit for purpose.

Is the Data Protection law becoming the ‘law of everything’?

I have noticed that when I call on companies for information, I am frequently told that “I can’t give you that, because of Data Protection”. As a specialist trainer in Data Protection compliance for companies, I am fully aware that I am not asking for data that is protected by Data Protection laws.

The Irish Data Protection Commissioner, who heads the Data Protection Commission (DPC), has noted a similar development, warning that people are increasingly attempting to use data protection law to resolve disputes that have nothing to do with data protection, and stating that the law must be protected from becoming the “law of absolutely everything”.

She noted that the DPC has been receiving growing numbers of complaints from individuals that are entirely unrelated to data protection; problems at work, with medical treatment, and with neighbours’ parking were just a few of the examples she gave. She suggested that this trend “reflects a desire on the part of many individuals to have access to an independent and easily-accessible, no-cost dispute resolution service”, adding that this is not the function of the DPC.

Victoria Anzola

TikTok settles class action lawsuit in the US for $92 million

TikTok has agreed to pay $92 million to settle a class action lawsuit. The class action related to allegations of significant privacy violations, with claims that TikTok had collected sensitive personal data and used it to track its users and show targeted ads to them. An allegation was also made that the app had analysed the faces of its users to determine their ethnicity, gender and age. 

Whilst TikTok denies all of the allegations, it has agreed to settle the case out of court. A spokesperson explained: “Whilst we disagree with the assertions, rather than going through lengthy litigation, we’d like to focus our efforts on building a safe and joyful experience for the TikTok community.”

Privacy by Design and by Default

What is Privacy by Design?

Privacy by design means building the necessary data protection safeguards in from the initial planning phase of any technological development that will process personal data, whether that is an application or program, a mobile app, an e-commerce platform, an Internet of Things (IoT) deployment, or anything similar.

This obligation is also a safeguard for Management: it is far easier to plan from the outset on the basis of an adequate legal framework than to discover non-compliance later. The alternative may be having to redesign the product or service from scratch, with the extra cost that entails.

Privacy by design is equally useful as a selection criterion when buying off-the-shelf software, since many products currently on the market do not meet the legal requirements on data protection.

Privacy by design is a proactive measure (prevents, not remedies) and seeks protection throughout the entire life cycle of the product or service. 

What is Privacy by Default? 

Privacy by default consists of offering the maximum privacy guarantees in any app, program or service that is going to process personal data. That is, where several privacy settings are available, the one that offers the greatest protection to the data subject must be the one selected by default.

Privacy by default implies:

  • Data minimisation: only the minimum data needed for the product or service to fulfil its purpose will be collected.
  • Access control: only the personnel who genuinely need the data to carry out their work will have access to it.
  • No unnecessary disclosure: the data will not be transferred to third parties unless the transfer is necessary, legally required, or the data subject has been explicitly informed and has consented to it. Where data must be shared, pseudonymisation techniques can be applied to reduce the risk.
  • Limited retention: the retention periods must be communicated to the data subject and must be limited.
  • Transparency: data subjects will be given clear, concise and understandable information about the processing of their personal data.

An example of non-privacy by default: a practical example of how not to do it can be found in some game apps where the game requests access to phone contacts, camera images, SMS and phone calls, none of which is necessary to play the game.

SPAIN – Criminal Code Reform 2015 and its Implications for Companies

The 2015 Reform provides companies with an exemption from criminal liability if they have effectively implemented a compliance programme that meets the requirements of the new Code.

The Code is broadly focused on crimes of a very diverse nature, not exclusively on bribery or corporate fraud. The Spanish Criminal Code treats this model as a preventive tool (and as an affirmative defence) for a number of ‘typical’ crimes of a “corporate” nature, such as:

Fraud, influence peddling, swindling, money laundering, punishable insolvency, intellectual property and IT offences, personal data misuse, urban planning corruption, drug trafficking, terrorist financing, forgery, credit card theft, trafficking in human organs, slavery, and crimes against tax and Social Security regulations, among others.

Requirements of the law 

Where the offence is committed by the company’s legal representatives or directors, the new Code allows the company to be exempted from criminal liability provided that the following requirements are met:

  • The board of directors has, prior to the commission of the crime, adopted and effectively implemented an organisational, management and control Model (the “Model”) suitable for preventing offences of the type committed.
  • Supervision of the Model has been entrusted to a body with autonomous powers of initiative and control. The Code accepts that in small and medium-sized companies (SMEs) the board of directors itself may perform the role of this supervisory body.
  • The individual perpetrators committed the offence by intentionally and fraudulently circumventing the Model.
  • The supervisory body has not neglected its duties of supervision and control.

If the crime is committed by a subordinate, the company will have to prove that, prior to the commission of the offence, it had effectively implemented an organisational and management Model suitable for preventing offences of the same type as the one committed.

Companies should carefully identify the risks they may be exposed to where the crimes listed by the Code could be committed and adopt a compliance program (Model) tailored to prevent the same. 

It is clear that staff training is key to the effectiveness of any such Model that the company generates.

(Adapted from “Corporate Compliance Programs”, Maria Hernandez, Eversheds International Law)

Corporate Compliance and Your Business

The most common perception of compliance is compliance with regulations: the laws, rules and other norms of a government that detail how an organization should behave. For example,

  • All registered companies must file tax returns.
  • No company can bribe government officials to win business.
  • Companies must protect the personal data of citizens.
  • Companies should not get involved in money laundering and terrorist financing.

Governments do not care how a company complies with the law, as long as it does.

So companies design their compliance programmes to work out the “how”: employees must comply with internal policies and procedures that translate the legal obligations into day-to-day practice.

For example, bribing government officials is illegal. Therefore, companies develop internal policies for employees that prohibit paying for luxury travel or giving gifts to government officials. Companies develop internal procedures for submitting expense reports to identify any suspicious payments that employees may attempt to make.

In other words, the laws define what must be complied with; companies establish internal procedures to achieve this compliance.

How Corporate Compliance Impacts Businesses

  • Compliance can keep a company on the right side of the law. Even when a company does break a rule (which will almost certainly happen eventually), the existence of a compliance programme demonstrates to regulators and prosecutors that the company is trying to do the right thing. That can lead to smaller penalties, or to none at all beyond a warning.
  • A compliance programme can protect a company’s reputation. Businesses can suffer serious consequences for misconduct: bad headlines, consumer boycotts, business partners cancelling contracts, and more.
  • Above all, an effective compliance programme makes your company a more attractive partner for other companies and clients, creating a competitive advantage. The more effective and transparent our ethics and compliance, the lower both our own business risk and the risk others take on when they engage us.

As challenging as compliance can be, when done right, it becomes a huge strategic advantage.