Pierson Klein, Author at TechGDPR
https://techgdpr.com/blog/author/pierson/

California Residents Gain Strongest Data Privacy Rights in US
https://techgdpr.com/blog/california-residents-gain-strongest-data-privacy-rights-in-us/
Wed, 22 Aug 2018 16:03:08 +0000

Data privacy law in California just took a giant step forward. The new California Consumer Privacy Act, which was passed at the end of June 2018, is the strictest data privacy law in the United States to date. With many GDPR-like qualities, this new legislation could signify a larger trend in US policy regarding data protection and privacy rights – especially due to California’s status as reigning US tech innovator and home to many of America’s largest, most competitive technology companies. Longer term, the commitment to data privacy rights within America’s most populous state could increase the pressure for other states, or even the federal government, to follow suit.

The California Consumer Privacy Act: Another GDPR?

The California Consumer Privacy Act incorporates several aspects of the GDPR into its legislation. It has a broader definition of personal data, and it emphasizes transparency with respect to the processing of data. Additionally, the law promotes subject access requests, the right to be forgotten, and data portability. It will enable data subjects to request the categories, sources, and business purposes of personal data collected by a company, and the data subjects can request what categories of personal data are being sold to different classifications of third parties.

Furthermore, within 45 days of a data subject’s request, a company must disclose what specific personal data is collected, how it is collected, its purpose, and with whom it is shared and to whom it is sold. The company must have a way of verifying the identity of the individual making the request. Also, the business must publish its privacy policy online and include a conspicuous link saying “Do not sell my personal information” if it sells personal data.

Despite the obvious regulatory hurdles, the positive side for many tech companies is that much of what they have already undertaken to comply with the GDPR will serve them well once the California Consumer Privacy Act becomes law. Companies still not prepared for GDPR regulation, on the other hand, may now be under twice the pressure – and possibly suffer twice the scrutiny.

Data Privacy in California: Who is Affected?

The law protects any data subject who is a “natural person who is a California resident,” and it creates regulations for companies that conduct business in the state of California and collect consumers’ personal information for profit. A company must also meet at least one of the following criteria: it has a gross revenue of more than $25 million annually; it “alone or in combination, annually buys, receives for the business’[s] commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”; or 50% or more of its annual revenue comes from selling consumers’ personal data.

Just as companies outside of Europe who are handling the personal data of Europeans must comply with GDPR mandates, companies not within California’s borders are similarly compelled to comply with the state’s new data privacy requirements. With the state set to surpass 40 million residents by the time the law comes into effect, it’s also fair to say that nearly all companies who handle the personal data of American consumers will be affected by this legislation to some degree.

A Different Approach from the GDPR

The penalties of the California Consumer Privacy Act reflect an American style compared to GDPR penalties. First off, the law allows consumers to sue the business for a violation. It is also possible for a company to be prosecuted by the California Attorney General if the violation is not corrected within 30 days. An organization could also be required to pay damages of up to $750 per consumer after a data breach, and if a company intentionally violates the law, it may be fined up to $7,500 for each violation. Under the GDPR, a company faces a fine of €20 million or 4% of annual global turnover. Comparing penalties, the GDPR places much harsher penalties on companies, but the California legislation still indicates a significant shift in the U.S. perception of data privacy and consumer rights.

Under the GDPR, the processing of personal data requires a legal basis. If there is not a legal basis, consent is required from the data subject; without this consent, their personal data cannot be lawfully processed. However, a data subject’s consent to the processing of their personal data under the California Consumer Privacy Act appears to be assumed. The data subject can decide to opt out of the sale of their personal data, rather than what would be seen as “opting-in” under the GDPR. Although consumers would be protected from a business discriminating against them for this reason, businesses are still allowed to offer a financial incentive for allowing the sale or collection of personal data. Additionally, the right to opt out will be honored for a minimum of one year before a company asks again. Nevertheless, assumed consent of data subjects in California highlights that although this is a progressive law in the United States, it still lacks much of the privacy rights gravitas established by the GDPR.

Consumer Privacy: 2020

The California Consumer Privacy Act will go into effect on January 1, 2020, allowing businesses less than 18 months to prepare for the new regulations. While the Act is the first key example of data privacy legislation in the United States, it will not be the last. California’s significant influence over the technology sphere will quickly establish the importance of data protection – one that is likely to have an impact at both the state and national level. Even under current legislation, it’s unlikely that all consumers will remain happy with a company providing one set of superior privacy services to California residents and another set of services to everyone else. Additionally, once a company has the capability, why not enable the same privacy process for all of its users and customers? Whether the incentives are political or for profit, the requirements for companies to provide advanced privacy options for consumers are becoming increasingly unavoidable.

Pierson Klein joined TechGDPR’s team as Legal Intern this summer. She is majoring in Law, Jurisprudence, and Social Thought at Amherst College (2020) in the U.S.A.

How Countries are Creating Blockchain Economies
https://techgdpr.com/blog/how-countries-are-creating-blockchain-economies/
Wed, 18 Jul 2018 10:33:12 +0000

Since the spring, there has been a boom in the number of countries looking to capitalize on the blockchain craze. Around the same time, the European Union issued the General Data Privacy Regulations (GDPR), which would place regulations on blockchain technology. However, GDPR does not perfectly encompass blockchain. Nevertheless, these countries are advocating for blockchain and encouraging blockchain companies to relocate through legislation, and they are emphatically responding.

Malta – Blockchain Island

On June 26, 2018, Silvio Schembri, Malta’s Parliamentary Secretary for Digital Economy, Financial Services, and Innovation, announced that Malta’s Parliament unanimously passed three bills regarding the regulation of distributed ledger technology (DLT). Malta is the first country to establish a concrete legal framework for DLT.

Bill 43, The Innovative Technology Arrangements and Services Act (ITAS), allows for the registration of Technology Service Providers and the certification of Technology arrangements. These innovative technology arrangements could deliver DLT, smart contracts, or any other innovative technology arrangements later approved.

Bill 44, The Virtual Assets Act (VFAA), establishes the parameters for initial coin offerings (ICOs) and cryptocurrency exchanges. In order to define when DLT assets – like cryptocurrencies – constitute financial instruments, Malta has come up with the Financial Instruments Test. The test classifies cryptocurrencies and tokens as DLT assets and places them into three categories: virtual tokens, financial instruments, and virtual financial assets. A virtual token exists outside of the regulations, as it only contains value within its platform. If the DLT asset is classified as a financial instrument, it will fall under the legislation. Finally, a DLT asset will be regulated under the VFA Act as a virtual financial asset if it is not classed as a financial instrument or virtual token.

Bill 45, The Malta Digital Innovation Authority Act (MDIA), institutes a new authority – the MDIA – to encourage innovative technology in Malta. Stephen McCarthy will head MDIA as its CEO.

These three bills demonstrate Malta’s commitment to staying at the forefront of innovative technology, and they are intended to encourage companies using cryptocurrency or blockchain technology to relocate to the island. In fact, Binance, the world’s largest cryptocurrency exchange company, announced in March that it would be moving to Malta. Binance intends to establish a fiat-crypto exchange and to support fiat deposits/withdrawals. Binance is backing the Malta Stock Exchange’s new program which supports fintech startups. The Prime Minister of Malta, Joseph Muscat, spoke out in strong support of cryptocurrency by stating, “I have no doubt that it will form the base of a new economy in the future.”

Blockchain Microstates

Malta is not the only microstate attempting to appeal to blockchain companies; Bermuda, Gibraltar, Liechtenstein, and San Marino have all made similar efforts. Bermuda’s lower house of parliament passed rules to regulate ICOs, and it also established an agreement with Binance regarding investments in blockchain companies and education for related jobs for the citizens of Bermuda. Gibraltar launched a novel ICO, Fiat Government Issued ERC20 Token – QRG Coins. The creation of the coin is intended to aid in transactions, reduce the costs of the global transfer of payments, and promote transparency.

In March, Liechtenstein’s Prime Minister, Adrian Hasler, announced the Blockchain Act, which will institute regulations and a legal base for blockchain technology in Liechtenstein. San Marino has entered into a partnership with Polybius, a developer of blockchain technology, and San Marino intends to produce legislation regulating blockchain. While this serves as a testament to the increasing interest in bringing in blockchain companies, these microstates do not fall under the jurisdiction of the EU. Spain, on the other hand, is an EU member, and Spain has just introduced some extremely interesting legislation.

Spain Proposes to Implement Blockchain

As of June 21, 2018, 133 deputies of Spain’s ruling party, Partido Popular, introduced a bill to integrate blockchain technology into Spain’s Public Administration. The proposal cites the use of blockchain technology within the financial sector to facilitate trade. Already in Spain, a digital platform, Legaliboo, aids in the creation of smart contracts. Additionally, the proposal discusses the integration of blockchain technology into large banks – like Coinbase and BBVA and Utility Settlement Coin with Santander. One of the broader aims of using blockchain is to boost Spain’s economy by integrating blockchain into the industrial sector.

Additionally, Rafael Hernando, the spokesman of el Partido Popular, advocated for blockchain technology as a means of improving the administration’s internal processes and increasing its efficiency and transparency. Hernando also discussed blockchain’s potential to increase synergy between the administration and sectors like tourism and infrastructure. Lastly, the bill calls for the training of individuals in blockchain technology to assist in the integration of blockchain into the government. The incorporation of blockchain into government operations creates some very interesting questions relating to GDPR, especially concerning the data processed. It seems probable that GDPR and blockchain will need to be reconciled before it would be possible to introduce blockchain technology into the Spanish government.

Blockchain Under the GDPR

As members of the European Union, Spain and Malta remain subject to the GDPR, and at present, GDPR struggles to encompass blockchain in some key aspects. GDPR promotes highly regulated, centralized data, whereas blockchain operates using decentralized data. GDPR requires the establishment of roles, such as Data Controller and Data Processor. The Data Controller determines why and the manner in which personal data is processed by the Data Processor. Blockchain technology, however, presents a challenge in establishing who qualifies as a processor or controller as a result of its decentralized nature.

In considering this problem, there does appear to be a potential solution: Binding Network Rules. These rules would allow controllers to deal with the blockchain network, provided that the network adheres to certain standards. Currently, the GDPR contains guidance for Binding Corporate Rules (BCRs), which multinational corporations use to make the cross-border transfers of personal data compliant with the GDPR. Article 40 of the GDPR allows for the proposal of new codes of conduct, and Binding Network Rules for blockchain, as put forth by the Blockchain Bundesverband, could function akin to BCRs.

These Binding Network Rules would contain standard contractual clauses in the network. Everyone participating in Spain or Malta’s blockchain network would have to be compliant with GDPR, and anyone processing data outside of the EU must also adhere to GDPR. Most importantly, the roles of Data Controller and Data Processor would be clearly laid out and potentially modified to better account for blockchain’s decentralized nature.

Also, because blockchain operates using an immutable ledger, it could present problems in complying with the data subject’s right to erasure of their personal data (the “right to be forgotten”) granted under the GDPR. This could also be seen as extremely problematic if a government was using blockchain to store special categories of sensitive data. However, the right to erasure remains contingent on the grounds on which it is requested. The personal data must no longer be necessary for the purposes for which it was obtained.

The inherent nature of blockchain is that all data is necessary for the purpose of creating the chain. Therefore, the right to erasure could never be granted. Instead, the users should be informed of this, so they can make an informed decision as to whether or not they are willing to forfeit this right in order to use blockchain.

The Future for GDPR

With the surge in the number of countries interested in blockchain, the pressure will be on to improve the relationship between GDPR and blockchain. The inability to clearly define the positions of Data Controller and Data Processor and the immutability of blockchain remain two key issues of contention. The potential for changes to the GDPR offers hope for a solution to unite the two into one understanding, which will not only make blockchain fully GDPR compliant, but also a tool to promote compliance. However, as Malta has already passed three bills on innovative technology, it seems likely that it will not be long before Spain and other countries enact their own bills.

Pierson Klein joined TechGDPR’s team as Legal Intern this summer. She is majoring in Law, Jurisprudence, and Social Thought at Amherst College (2020) in the U.S.A.
