This Week in Privacy: 11 January 2021
January 11, 2021
European Commission publishes report on implementation of specific GDPR provisions
The European Commission published a Report on the Implementation of Specific Provisions of the GDPR. In particular, the report addresses the implementation of conditions applicable to children's consent in relation to information society services, the processing of special categories of personal data, the restrictions to the exercise of data subjects' rights, as well as national derogations for processing for scientific or historical research, statistical, and public interest purposes. According to the report, while some common trends may be identified, the emerging picture of implementation attests not only to the different legal approaches taken by the Member States, but also to the varying degree of specification of the relevant provisions of the GDPR.
Bill for the New York Privacy Act reintroduced in State Assembly
Assembly Bill A680 for the New York Privacy Act has been reintroduced to the New York State Assembly. In particular, the bill would apply to legal entities that conduct business in the State of New York or produce products or services that are intentionally targeted to residents of New York State, and would require the express and documented consent of consumers for their personal information to be used, processed, or transferred to a third party. Moreover, organisations would be required to reasonably secure personal data from unauthorised access, and provide individuals with the right to be informed, the right to correct or delete personal information, as well as the possibility to opt out of the processing of their personal data.
ACSC releases guidance on identifying and managing cyber supply chain risks
The Australian Cyber Security Centre released its guidance on identifying and managing cybersecurity risks associated with supply chains. The Risk Management Guidance outlines that cyber supply chain risk management can be achieved by identifying the cyber supply chain, understanding supply chain risks, setting expectations, auditing for compliance, monitoring, and improving cyber supply chain security practices. Further to this, the Risk Identification Guidance highlights that organisations should determine the nationality of the businesses involved in their supply chain, noting that businesses based in foreign countries may be subject to powers that grant a foreign government control over that business, or access to its information holdings.