US state laws are beefing up, the EU AI Act is official, and the APRA is ready for the Congressional floor

Data Privacy Happenings 📰

Hello from MineOS's monthly newsletter, The Privacy Mindset! 👋

 

Virtually every privacy professional you speak to, from the enterprise-iest of enterprises to forward-thinking SMBs, will bemoan the lack of resources and prioritization the department receives. 

 

Data privacy and security have long taken a backseat to more pressing organizational matters, lingering as a collective public problem that everyone acknowledges but few raise a finger to fix.

 

Well, the month of May has been a windfall for the industry, as not only is the quantity of privacy regulations at full steam, but the quality is finally catching up as well.

 

First, after a lengthy review process, the EU has issued the final checkmark to the AI Act, officially setting the clock on AI governance and compliance in a way that many will need to begin adjusting to (looking at you in particular, OpenAI & Microsoft!) for user benefit.

 

Secondly, the U.S. Congress is moving forward with the American Privacy Rights Act, as a revised version will be the highlight of today's (5/23) debate in the U.S. House Committee on Energy and Commerce subcommittee. 

 

How the bill fares in this subcommittee is likely the largest test it has in eventually reaching the floor for a vote, a step the ADPPA never managed. Even if the APRA does not pass, the fact that these conversations are progressing on a national level in the U.S. is a sign of progress in and of itself.

 

Lastly? The states continue to expand the comprehensive privacy law patchwork in the U.S., with Maryland, Vermont, and Minnesota all passing laws over the past 6 weeks. 

 

Even better? These laws are not straw men diluted by lobbying efforts. 

 

Maryland's and Vermont's bills both ban the sale of sensitive data. 

 

Maryland puts strict data minimization requirements in place, as well as buffing the language around children's data (and covering those up to 18 as children).

 

Vermont becomes just the second state after California to include a private right of action, meaning individuals will have the ability to sue companies that violate the state's privacy law. This is huge, and while it could delay the passage of the law as the Governor has expressed reservations about including it in the bill, the state legislature has broken rank and set a strong precedent for future states. 

 

Minnesota joins the party with a timely new data right to question the result of profiling activities (those wretched algorithms, am I right?) and the brand new business requirement to maintain a data inventory (more on this below).

 

None of these laws will carry the impact or heft of the GDPR or CCPA, but the sum of them is starting to give real weight to data privacy in America, even if the patchwork is messier than ever.

 

Big things are happening in the privacy world, and we all may yet have our day in the sun. 

Product Spotlight 🔦

In pursuit of making the platform as flexible and accommodating as possible, one of the major updates to MineOS over the last month is the addition of more customization to data systems. 

 

The bedrock of a privacy program is its data visibility and inventory, to know what is where and how it is being used, so each data system should reflect that importance by standing out in the data stack.

 

To help achieve this, users can now edit and customize data sources in their data inventory, including uploading custom icons for each system, adding data categories for better grouping, wider naming and description abilities, and other qualifiers to simplify data inventory management. 

 

Regulation Focus 🔬

Minnesota Data Privacy Act Sec 8 Subd 2 C

"A controller shall establish, implement, and maintain reasonable administrative,
technical, and physical data security practices to protect the confidentiality, integrity, and
accessibility of personal data, including the maintenance of an inventory of the data that
must be managed to exercise these responsibilities. Such data security practices shall be
appropriate to the volume and nature of the personal data at issue."

 

As noted above, the last batch of comprehensive state privacy laws to pass--Maryland, Vermont, and Minnesota--have the real ability to shake up the entire sphere in the U.S., as all three progressive states have pushed the envelope further than virtually any state besides California.

 

For Minnesota's law, while some aspects follow the traditional Washington/Virginia model, such as applicability thresholds and DSR handling timelines, the state has gone out of its way to be the first to implement a few unique regulatory aspects.

 

The most impactful one? The requirement that data controllers must maintain a data inventory.

 

No other law, even the amended CCPA, explicitly requires this, which often leaves the post-processing requirement to conduct data protection impact assessments (with the exception of New Jersey, which requires that DPIAs be done before processing begins) doing the heavy lifting for compliance.

 

By pairing that DPIA requirement with the need to maintain a data inventory, hopefully companies will take a more active stance on privacy and invest more heavily in fully understanding the scope and usage of their full data stack.

Founder's Corner 🎙️

CEO & co-founder Gal Ringel

 

Q: What are your thoughts on some AI features being released at the moment, such as Microsoft's newly announced "Recall" feature?

 

A: AI will have a key place in innovating and growing the economy, but creating AI for the sake of saying you have AI features is not the way to go about it. 

 

AI needs to address and solve specific problems, and much of what we're seeing from new LLM releases and companies like Microsoft does not do that. The Recall feature, which if you don't know what it is, is basically enabling your computer to take screenshots of your screen whenever your computer is on, does not solve a problem, and in fact, creates one.

 

It is an unconscionable invasion of user privacy and a glaring security risk that almost everyone in the cybersecurity industry has pointed out. If AI development is not going to follow best practices for data privacy and security, we will not get any of the best developments from the technology.

Webinars & Events 📅

MineOS's CEO Gal Ringel and CPO Kobi Nissan participated in panels as part of PrivSec Global's virtual extravaganza this week.

 

โœ๏ธRegister here to catch replays of all the sessions: https://www.grcworldforums.com/privsec/privsec-global/register

 

What's next?

 

Gal & Kobi will be at The L Suite 2024 AI Conference in San Francisco on June 20th and 21st. Going? Drop us a line to catch up there! 

 


SayMine Technologies Ltd., 94 Igal Alon st., Alon 1, Tel Aviv, Israel, 6789155
