What a Week. Lots to Unpack.
Hello all, and thanks for reading today.
Published: August 24, 2021
The big news this week is that China has passed a baseline privacy law that applies to both the private and public sectors. The headlines call it one of the strictest privacy laws in the world and compare it to the GDPR.
But what struck me as I read the highlights is, "The law would impose some of the world's strictest controls on private sector handling of information about individuals but appears not to affect the ruling party's pervasive surveillance or access to those corporate data."
The law responds to both privacy and antitrust concerns in the country. As the AP report states, it "follows complaints that companies misused or sold customers' data without their knowledge or permission, leading to fraud or unfair practices such as charging higher prices to some users."
The law's passage reflects China's ongoing work to rein in the tech industry's appetite for consumer data. But, as an admittedly somewhat nervous person, I'm so much more concerned about the government's appetite for data than any single company's.
After all, the "ruling party has been accused of using data gathered about Uyghurs and other members of predominantly Muslim ethnic groups in the northwestern region of Xinjiang to carry out a widespread campaign of repression," AP reports.
I'm not in a position to tell you if that's true. Frankly, I have no idea. But what I certainly know is history has shown us that mass government surveillance can be so dangerous if the wrong government takes office.
Do you have the same visceral memories of learning about Nazi occupation during World War II? I can still see the yellowed images projected onto our classroom chalkboard: identity cards, issued by the German government, marked "J" for Jew. Or we can look to the internment camps during World War II, for which the U.S. Census Bureau provided the Secret Service with census data on who was of Japanese ancestry.
Throughout history, there are plenty of examples to feel very nervous about governments having unfettered access to data, especially data that belongs to the private sector. I may grant my Uber app the ability to know my location to make catching a cab easier. But I certainly don't want my government watching my every move. What need would there be for that?
Excessive data collection can be dangerous for any organization. You'll see that reflected in plenty of data privacy or cybersecurity laws' provisions on data minimization. The data you don't collect is data that can't be breached or misused. Why shouldn't the same kinds of rules apply to massive government bodies with tentacles that reach far beyond a single organization?
It's not just a Chinese problem. There's so much concern about U.S. government overreach that the EU is having trouble finding a data-transfer agreement it can sleep soundly with at night. But at least we can blame that on the fact that Congress can't get it together enough to pass a baseline privacy law. In addition, the allegations that the Chinese government is already targeting ethnic minorities should be a red flag.
So, while there hasn't been a ton of discourse yet on the fact that this "GDPR-like" law doesn't change Beijing's broad access, I think we have to start talking about it.
Do you?
We're going to talk about this and more on our next Twitter Spaces chat on Thursday, Sept. 2, at 4 p.m. Eastern, 1 p.m. Pacific. I hope you can join us!
Enjoy reading, and I'll see you next week!
China passes strict data protection law with rules on consent
China has passed a comprehensive data privacy law aimed at protecting users, The Verge reports. It comes into effect quickly: organizations in both the private and public sectors have until Nov. 1 to come into compliance. The Personal Information Protection Law requires companies to obtain a user's consent before collecting their data and mandates that companies protect information transferred out of China.
Marketers beware: Apple's mail update to change the game on metrics
Every dollar an organization invests in email marketing yields $36 in return, reports TechCrunch. That's why Apple's new Mail Privacy Protection rollout has marketers worried. It "attempts to eliminate metrics and data associated with email," often an organization's lifeblood. The feature is part of Apple's iOS 15 update and allows Apple Mail users to hide their IP addresses and additional data from senders.
Hacker selling stolen AT&T data for $1M, T-Mobile investigating breach
There's a lot of breach news this week. First, AT&T has denied that it suffered a data breach after a well-known anonymous hacker said they were selling 70 million customers' personal information. The going price for the allegedly stolen database is $1 million. Second, T-Mobile has confirmed that more than 40 million former or prospective customers' records were stolen. In addition, the hack exposed more than 850,000 pre-paid customers' data. And Pearson, an education software company, will pay $1 million to settle charges that it "misled investors about a 2018 data breach" affecting millions of student records.
UK data privacy authority wants your input on future of data transfers
The U.K. Information Commissioner's Office is launching a consultation on protecting personal data in cross-border transfers. The ICO is developing a U.K. version of standard contractual clauses (SCCs), the data-transfer tool widely used to move data out of the EU to another legal jurisdiction. Brexit required the U.K. to develop its own rules under the U.K.'s data protection law. The ICO wants to know what you think the rules should look like, and you have until October 7 to submit feedback.
Senators want answers from TikTok CEO on biometric data collection
Earlier this year, TikTok expanded the information it collects from more than 100 million U.S. users to include faceprints and voiceprints. Now, two U.S. Senators are asking TikTok to explain what that means, NPR reports. Sens. Amy Klobuchar, D-Minn., and John Thune, R-SD, wrote to TikTok's CEO to say they were "alarmed" by recent changes to its privacy policy allowing for biometric data collection. They've asked TikTok to respond by defining "faceprint" and "voiceprint" and explaining if the data is shared with third parties.
Why are companies failing at data protection?
It's evident now that breaches have severe consequences for organizations' bottom lines and reputations. So why are so many companies failing at data protection? There are several reasons. One is that to evaluate the risk/reward of storing sensitive data versus its utility, "there needs to be a sufficient data discovery process." An organization can only truly understand what data must be secured once it has mapped all of its data to the associated risks, Security Magazine reports. (Editor's note: For more on how to do data discovery, see our guide.)
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of making a more transparent internet.