https://www.nist.gov/itl/ai-risk-management-framework
2nd draft
https://www.nist.gov/system/files/documents/2022/08/18/AI_RMF_2nd_draft.pdf
with good control descriptions in teh tables
CCPA settlement – Sephora 1.2 m USD
Announcement:
https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement
Link to complaint:
https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf
Link to settlement:
https://oag.ca.gov/system/files/attachments/press-docs/Proposed%20Final%20Judgment.pdf
CH, Zuerich: Material for Data Protection Impact Assessments (in German)
(This seems to be quite different from EDPB wp248 – then again, CH is not EU/EEA)
From the Datenschutzbeauftragte des Kanton Zuerich:
“Die Datenschutzbeauftragte erstellte ein Formular und ein Merkblatt, das die datenbearbeitenden Stellen bei der Datenschutz-Folgenabschätzung unterstützt. Es hilft, alle wesentlichen Angaben zu sammeln und auszuwerten.
Die DSFA dient auch dazu, die Pflicht zur Vorabkontrolle abzuklären. Wenn besondere Risiken erkennbar sind, muss das Projekt der Datenschutzbeauftragten zur Vorabkontrolle unterbreitet werden.”
https://www.datenschutz.ch/datenschutz-in-oeffentlichen-organen/datenschutz-folgenabschaetzung
Germany, SDM: Discussion of three levels in processing activities (from D2.1)
from https://www.datenschutz-mv.de/static/DS/Dateien/Datenschutzmodell/SDM-Methode_V20b_EN.pdf Emphasis incl reformatting for emphasis by me.
D2.1 Levels of a Processing or Processing Activity
In order to fully cover personal data processing, it has proved useful to distinguish at least three different levels of representation of material parameters or elements when designing or auditing processing activities. It is essential to understand that a ‘processing activity’, for example, is not congruent with the use of a certain technology or a certain technical program.
Level 1 is the processing of personal data in the sense of data protection law.
- This processing takes place, for example, within the framework of a company operating under private or an authority subject to public law, for whose activities the controller is responsible. This level corresponds to what is often understood as a ‘specialised procedure’ and ‘business process’ with a certain functional sequence of the processing activity. At this level of the understanding of a processing operation, the personal data necessary for a processing operation as well as the legal requirements are determined. The controller defines corresponding roles and authorisations for the personal data and determines the IT systems and processes to be used. The determination of the purpose or purposes of the processing activity is essential for the adequate functioning of this level in terms of data protection.
The practical implementation of the processing and the purpose is located at level 2.
- On the one hand, this usually includes the role of the clerking as well as the IT application(s), which can also be described more precisely as the ‘specialised application of a specialist procedure’. The processing and the specialist application must completely fulfil the functional and (data protection) legal requirements to which the processing is subject. The specialised application must ensure the purpose limitation. The application must exclude the processing of additional data or additional forms of processing, even if they may befunctionally particularly convenient. The aim is to minimise the risk of undermining the purpose limitation or overstretching the purpose.
Level 3 houses the IT infrastructure that provides functions that are used by a level 2 application.
- This level of ‘technical services’ includes operating systems, virtual systems, databases, authentication and authorisation systems, routers and firewalls, storage systemssuch as SAN or NAS, CPU clusters, and the communications infrastructure of an organizationsuch as the telephone, LAN, or Internet access. These systems must be designed and used within a processing activity in such a way that the purpose limitation is retained. Typically, technical and organisational measures must be taken to ensure that the purpose limitation or segregation of purposes can be enforced at this level.
—
and from D2.3:
“The concrete functional design takes place at level 1, at which the need for protection is to be determined or specified by the controller on the basis of the data. This need for protection is inherited by all data, systems and processes used in concrete processing at the various levels. The catalogue of reference measures can be used to check whether technical and organisational measures taken or planned are appropriate to the need for protection “
Paper: A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI (2018)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3248829
A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI
Columbia Business Law Review, 2019(2)
130 Pages Posted: 5 Oct 2018 Last revised: 25 Jun 2019
Sandra Wachter
University of Oxford – Oxford Internet Institute
Brent Mittelstadt
University of Oxford – Oxford Internet Institute
Date Written: October 5, 2018
Bitkom Maturity Model for TOMs for processors (beta version for review, in German)
Datenschutz-Reifegradmodell – Reifegradmodell zur Abbildung von technisch-organisatorischen Maßnahmen
bei der Auftragsverarbeitung
Betaversion zum Review
Press release: https://www.bitkom.org/Bitkom/Publikationen/Datenschutz-Reifegradmodell-technisch-organisatorische-Massnahmen-Auftragsverarbeitung
TeleTrusT (with ENISA): State of the art paper (2021)
CJEU C‑184/20: personal data that are liable indirectly to reveal sensitive information concerning a natural person [still fall under Art 9]
“Finally, the Court states that the processing of personal data that are liable indirectly to reveal sensitive information concerning a natural person is not excluded from the strengthened protection regime, (5) since such exclusion might well compromise the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure. Thus, the publication on the Chief Ethics Commission’s website of personal data that are liable to disclose indirectly the data subjects’ sexual orientation constitutes processing of sensitive data.”
—-
In German: Commentary from Switzerland – https://datenrecht.ch/eugh-c-184-20-verarbeitung-besonderer-kategorien-personenbezogener-daten-auch-bei-moeglichen-schluessen-auf-sensible-informationen/