- Mentions Google Analytics and Meta Pixel by name.
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
This Bulletin provides a general overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. This Bulletin addresses:
- What is a tracking technology?
- How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
- Tracking on user-authenticated webpages
- Tracking on unauthenticated webpages
- Tracking within mobile apps
- HIPAA compliance obligations for regulated entities when using tracking technologies
Asking for consent, and a two-click solution
With a so-called two-click solution, the website operator, as joint controller with the video platform operator, can obtain the visitors' consent:
- A preview of the external content is first displayed – without transmitting the IP address, browser information or other personal information to third parties.
- Only when visitors actively click on the preview, for example to watch a video, will their data be transmitted.
If website operators embed third-party videos from commercial video platforms or third-party websites without joint responsibility according to Art. 26 GDPR, the two-click solution should be used in the following variant:
- First, a preview is displayed together with a notice about the external content that follows.
- This notice should make the visitor understand that when the embedded video is played, the platform operator, for example, receives information about who has just accessed which website, and that this information can be linked to data the platform already holds.
- Only when visitors actively click on the preview, for example to watch a video, may the video platform operator or third parties receive the IP address, browser information or other personal information.
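The two stages described above as a minimal browser implementation (an added example, not code from the article or from any DPA guidance); the site and platform hostnames are placeholders, and the preview thumbnail is assumed to be served from the operator's own origin, since an image fetched from the platform's servers would already transmit the visitor's IP address:

```javascript
// Added example: two-click embed. Stage 1 renders a self-hosted preview plus
// the notice; nothing is requested from the video platform. Stage 2 inserts the
// real iframe only after the visitor clicks. Hostnames are placeholders.
const FIRST_PARTY = "https://www.example-site.test";          // placeholder
const PLATFORM_EMBED = "https://video-platform.example/embed/"; // placeholder

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Stage 1: thumbnail from our own origin and the notice the page describes.
// No URL in this markup points at the platform.
function previewMarkup(video) {
  const thumb = `${FIRST_PARTY}/media/thumbs/${encodeURIComponent(video.id)}.jpg`;
  return `<button class="two-click" data-video-id="${escapeHtml(video.id)}">` +
    `<img src="${thumb}" alt="${escapeHtml(video.title)}">` +
    `<p>Playing this video sends your IP address and browser details to the video platform.</p>` +
    `</button>`;
}

// Stage 2: the third-party iframe, built only after the click.
function embedMarkup(video) {
  return `<iframe src="${PLATFORM_EMBED}${encodeURIComponent(video.id)}" ` +
    `allowfullscreen referrerpolicy="no-referrer"></iframe>`;
}

// Audit helper: hosts the markup would contact other than our own origin.
// Confirms stage 1 contacts nobody and stage 2 contacts only the platform.
function thirdPartyHosts(html) {
  const own = new URL(FIRST_PARTY).host;
  const hosts = new Set();
  for (const m of html.matchAll(/\b(?:src|href)="([^"]+)"/g)) {
    const host = new URL(m[1], FIRST_PARTY).host;
    if (host !== own) hosts.add(host);
  }
  return [...hosts];
}

// Browser wiring: swap the preview for the embed on click. No-op without a DOM.
function initTwoClick(root, videos) {
  if (!root) return;
  root.innerHTML = videos.map(previewMarkup).join("");
  root.addEventListener("click", (ev) => {
    const btn = ev.target.closest("button.two-click");
    if (!btn) return;
    const video = videos.find((v) => v.id === btn.dataset.videoId);
    if (video) btn.outerHTML = embedMarkup(video);
  });
}
```

Running `thirdPartyHosts` over each stage's markup during testing is a cheap way to catch a regression where a later edit reintroduces a platform-hosted thumbnail or script into the preview.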
The German DPAs approved on 24-Nov the new version of their Standard Data Protection Model – which forms the basis of their enforcement.
There is no translated version available yet.
A noteworthy change is the inclusion of the “SDM cube” – and further details on how infrastructure and applications relate to processing activities…
“To create more clarity and legal certainty here, the LfDI has therefore approved the new national code of conduct „Anforderungen an die Auftragsverarbeiter nach Artikel 28 DS-GVO – Trusted Data Processor“ (Requirements for processors under Article 28 GDPR – Trusted Data Processor). Companies can from now on adopt this code of conduct and thereby use the opportunity to create more legal certainty for themselves.”
CNIL will publish recommendations on the subject of mobile applications so that each player has a good understanding of their obligations and to facilitate their compliance.
Practical tools (sheet or practical guide, self-assessment checklist, etc.) intended for users may also be published to make them aware of the real risks and impacts that the processing of their data through mobile applications represents. In particular, issues related to applications aimed at vulnerable audiences or processing sensitive data (medical applications or applications intended for children, pregnant women, etc.) or the collection of data from smartphone sensors will be the subject of specific work.
Depending on the field observations made during the work carried out to clarify the legal framework, the CNIL may decide to implement a large-scale control plan, as it did for actions related to cookies and other tracers. It could in particular focus on processing likely to create significant specific risks for individuals, for example because it targets vulnerable groups or collects data in a particularly intrusive way.
These actions would supplement the controls already regularly carried out on the basis of complaints and aimed at ensuring compliance with the fundamental principles of the GDPR by the publishers of mobile applications.
At the end of these checks, depending on the nature and extent of any breaches observed, the CNIL may take corrective measures, in particular financial penalties.
Privacy Threat Modeling
Thursday, June 23, 2022 – 11:15 am–11:40 am
Cara Bloom, MITRE
This applied research talk will discuss the privacy threat modeling gap, challenges and opportunities of privacy threat modeling in practice, and a new qualitative threat model currently under development. In privacy risk management, there are well-respected methods for modeling vulnerabilities and consequences (or harms), but there is no commonly used model nor lexicon for characterizing privacy threats. We will discuss the gap in privacy risk modeling, how privacy threat-informed defense could better protect systems from privacy harms, and a working definition for a “privacy attack.” Then we will present a draft qualitative threat model – the Privacy Threat Taxonomy – developed to fill this gap in privacy risk modeling. This model was generated iteratively and collaboratively using a dataset of almost 150 non-breach privacy events, which includes directed, accidental, and passive attacks on systems. We will also discuss how practitioners can incorporate a threat model into their privacy risk management program.
Del Alamo, J.M., Guaman, D.S., García, B. et al. A systematic mapping study on automated analysis of privacy policies. Computing 104, 2053–2076 (2022).