Privacy Insider newsletter - Dec. 29

Welcome to the latest edition of the Privacy Insider newsletter. Each week, we send you the latest and smartest news in the world of data privacy.

One of the greatest mistakes we see companies making is assuming that as long as their own privacy program is compliant with the governing laws, they're safe. But in fact, under various privacy laws, companies are also responsible for the choices their vendors are making with the data shared with them. 

A story in the Privacy Insider this week illustrates the importance of understanding this and the risks companies face if they don't take vendor-risk management seriously. 

Recently, the US Federal Trade Commission settled with a financial institution over allegations they violated the Gramm-Leach Bliley Rule, which regulates such institutions. The FTC alleged the organization shared data with a third-party vendor that "performed text recognition scanning on mortgage documents" that it stored on the cloud in plain text without proper protections. 

It may seem unfair to get dinged by the U.S. privacy regulator over something you yourself didn't do, but that's not only the rule for financial institutions under Gramm-Leach-Bliley. Responsibly managing your third-party vendors is required broadly under laws that continue to proliferate, as well as under California's Consumer Privacy Act and the EU General Data Protection Regulation. 

It's a reminder to thoroughly vet your third-party vendors before entering into relationships with them. Not only that, it's important to continue to monitor your vendor's privacy practices over time to ensure that you don't find yourself under the FTC's watchful eye. 

Stay safe and warm over the new year, and we hope you enjoy this week's edition. See you in 2021!

Here are the top stories you might have missed:

1. FTC settles with financial institution who didn’t properly manage its vendor 

   The U.S. Federal Trade Commission announced a settlement Dec. 15 with a financial institution that the agency said “claimed to oversee the data security practices of one of its service providers as required under the Gramm-Leach Bliley Act’s Safeguards Rule. “Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”
   Read Story 

   2. Health experts say COVID vaccination data collection is risky 

   Plans in California to collect personal information in the name of thwarting COVID-19’s spread are raising privacy concerns. While experts say collecting names, addresses and birth dates is essential to tracking the efficacy of nearly created vaccines, some health experts say that kind of data collection could prevent vulnerable populations, such as illegal workers in the U.S., from seeking vaccination, the Los Angeles Times reports.
   Read Story

   3. Is 2021 the year the US will pass a privacy law? 

   Business Insider predicts that U.S. Congress will pass a federal privacy law in 2021. The impetus just might be the proliferation of state and global data protection and privacy laws in recent years, including California’s Consumer Privacy Act (soon to be replaced by the California Privacy Rights Act) and the EU’s General Data Protection Regulation. “The 116th Congress has put forth at least 20 proposed privacy bills or drafts,” but it remains to be seen which will get enough bipartisan consensus to pass.

   4. EU-UK agreement is good news for data flows

   National Law Review reports on the “EU-UK Trade and Cooperation Agreement,” signed Dec. 24, and its effects on post-Brexit data flows. The agreement provides “transitionary provisions stating that transfers of personal data from the EU to the U.K will not be considered transfers of personal data to a third country during the Specified Period, and, as such, will not be prohibited by the GDPR.” That’s good news for the U.K., which has worried about being deemed an “adequate” third country for the sake of data transfers from the EU to the U.K.
   Read Story

   5. EU regulators starting to align on GDPR

   BankInfoSecurity reports that there’s starting to be some consensus among EU data protection regulators over violations of the General Data Protection Regulation. “But in some respects, it's like a meal,” says attorney Jonathan Armstrong in the report. “It is easier to say when you've had a bad meal rather than what are the essential ingredients for a good one. … So proving that you had good technical and organizational measures in place will always be a high bar, because something has happened despite the measures you had to stop it."
   Read Story

   6. China’s privacy law will set the stage for facial recognition

   China’s new data privacy law will determine the future of facial recognition surveillance in the country, OODA Loop reports. The Personal Information Protection law, a draft of which was released in mid-October, will “clarify when facial biometrics can be used,” according to the report.
   Read Story

   7. Remote schooling’s impact on student privacy

   The onslaught of changes that COVID-19 brought didn’t spare schools. In a story for Marketplace Tech, the Future of Privacy Forum’s Amelia Vance discusses the state of student privacy in the U.S. While there are plenty of laws regulating what can and can’t be done with student data, not everyone knows about them. Said Vance, “There was a great survey that Common Sense Media did a couple of years ago, that said only 25% of teachers had been trained on student privacy, and many of the laws that have passed aren’t necessarily passed down tot he school districts who are supposed to enforce them.” 
   Read Story

   8. Using vehicle data to solve crimes isn’t without risks 

   NBC News reports on law enforcement’s increasing use of vehicle data to solve crimes. “"It helps convict people, and it can help prove they are innocent," Berla founder Ben LeMere said. "Children's bodies have been found. Families have had closure." But privacy advocates say collecting vehicle information has privacy implications, partly because the data collected to solve crimes “can also be used to commit them,” the report states.
   Read Story