November 19, 2019

Growing pressure for comprehensive data privacy protection, and of course GDPR, are spurring global discussions and more new regulations.

Last week Columbia University in the US held a conference for CISOs, lawmakers, academics, and businesses to discuss data privacy. GDPR was on the agenda, but so too was the California Consumer Privacy Act (CCPA), and the prospect of data privacy regulation for the state of New York.

Elsewhere China’s national internet finance association has asked internet businesses to improve data privacy in response to consumer concerns.

And Microsoft is updating its commercial cloud contracts after a finding that it may be in breach of GDPR.

Data Protection World Forum’s PrivSec Conference

The PrivSec Conference was held for the first time in the US last week. The first such conference was in response to reactions to the proposed introduction of GDPR. CEO of the Data Protection World Forum, Nick James, says:

“As a result of GDPR, so many other countries have bolstered their own data protection and privacy regulations. But the GDPR made it so that people understood that privacy and security are two sides of the same coin.”

The latest conference allowed attendees to cover questions and concerns relating to the CCPA, which will take effect in January.

New York State Senator Kevin Thomas, as per TechRepublic, says his team are trying to get a data privacy bill passed for New York and that:

“Whatever is on the books now federally is outdated and not suitable for the current tech landscape that we live in. The EU passed the GDPR and California has their own, so New Yorkers deserve better.”

A law for New York, he says, would provide:

“Transparency about how your data is used and sold; Control to let you determine whether your personal data is sold; and the creation of data fiduciaries to force companies to be accountable for the sensitive data they control.”

The conference also covered the differences between US data privacy law and GDPR as well as laws in other countries, like Brazil, and the implications. Anju Khurana, BNY Mellon’s head of data privacy and protection for the Americas says:

“Currently, there are over 100 countries’ privacy laws so we are dealing with a very fast changing regulatory environment. The laws are coming at us faster and more furious, so you have to take a look at your regulatory environment and see what’s the risk associated there.”

James adds that businesses need not only to understand their own applicable data privacy laws but also how different laws relate to others.

The PrivSec Conference was held at Columbia University as it is one of only a handful of institutions globally creating data privacy and security courses.

Here at The Defence Works we offer comprehensive and cost-effective security awareness and GDPR training online.


China’s internet companies need to improve data privacy

There are concerns within China that some internet businesses are “violating consumer privacy,” as per SCMP. This may include stealing, trading, or revealing personal information disguised as “big data research.”

China’s national internet finance association has responded, saying that without consent its members should not collect, use, or provide personal consumer information to third parties. It has asked that member institutions “take personal responsibility” for protecting personal information, as well as strengthening consumer risk warnings and correcting and informing consumers of any problems.

The China Consumers Association (CCA) also asked for better data privacy earlier this year saying smartphone applications in China were collecting too much personal data.

Microsoft may be in breach of GDPR for Office 365 data collection

The European Data Protection Supervisor (EDPS) has, as per Forbes reporting, expressed “serious concerns” as to whether Microsoft’s commercial cloud contracts are in breach of GDPR. And, it has questioned Microsoft’s role as “data processor” or “data controller” for EU customers.

Issues have been raised as to whether Office 365’s collection of “functional and diagnostics data” breaches GDPR. Some data is collected from email subject lines and from text that has been spell checked. Microsoft’s chief privacy officer, Julie Brill, explained that Microsoft will be updating its terms and responded as follows:

“In the [Online Services Terms] OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune.”

The new terms for Microsoft’s commercial customers will be put into place at the start of 2020. Brill has reportedly said Microsoft is the only major cloud provider to offer such terms in Europe.

Where Data Protection World Forum CEO Nick James has said data privacy and data security are “two sides of the same coin,” Vigilant Software recently looked at the differences between the two and how, combined, they can help with GDPR compliance.
