Data Privacy Happenings 📰

Hello from MineOS's monthly newsletter, The Privacy Mindset! 👋

In a landmark decision a few weeks ago, the European Court of Justice (CJEU) declared that a purely commercial business can be considered a legitimate interest as a legal basis for data processing under the GDPR.

It's is a decision that has shaken the industry, not because the majority necessarily disagree with it, but because it creates such a confounding status quo going forward. In fact, this was one of the very first arguments Meta made as it was relentlessly fined for GDPR violations in the past few years. 

The decision also comes at the end of a year where GDPR enforcement failed to surpass the previous year's total for fines, as 2023 saw new records in both the amount of fines and the quantity of announced enforcement actions. 

The EU has had its focus squarely on AI for 2024, which means data privacy has not gotten the attention it needs (as we are still quite early in the grander matter of things, as GDPR is only 8 years old). But with a CJEU decision declaring that businesses in some cases need to collect data in order to operate and provide service possibly punctuating the year, what does that mean for GDPR itself?

GDPR will only ever be as useful as its enforcement is, and if attention continues to shift to AI and the EU AI Act in the coming years, that does not inspire confidence that data privacy will continue to evolve as its own field instead of a subset of concerns related to AI.

Even with the full nuance of the CJEU decision clarifying elements like data minimization and necessity, corporations will now have a new defense to point to when (if?) they need to come before the court. Given there have already been questions if GDPR has really made data protection better over its lifespan thus far, we leave 2024 wondering if the law as is makes sense in an age of AI. 

Product Spotlight 🔦

The average organization now connects to dozens, if not hundreds, of data sources, which has spawned an endless race for privacy platforms to feature ever-larger libraries of pre-built integrations. MineOS is determined to do things smarter, which is why we have released our DSR 2.0 module with the Infinite Integration Builder.

The capability of the no-code Infinite Integration Builder will allow organizations to easily create integrations with a level of specificity unique to their data stack and organizational needs.

Our new Integration Builder is a self-service integration platform (iPaaS) that turns any API into a flexible building block that is saved for future use all without needing help from development teams, leading to a truly customizable environment for DSR handling.

Curious to see how it works? Check out our detailed blog release, including a look into the product, here.

Regulation Focus 🔬

California AB 1824 (1)1798.120(2)

"A business to which another business transfers the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the transferee assumes control of all of, or part of, the transferor shall comply with a consumer’s direction to the transferor made pursuant to this subdivision."

As usual, California was the busiest state in the US on the matter of data privacy and protection, culminating in a rush of bills that were signed to end the legislative year. While several of those bills were vetoed by the Governor, five were signed into law.

One that was signed into law and set to take effect next year is Assembly Bill 1824, which on first glance might not seem meaningful, but is quite practical in nature.

AB 1824 makes it such that when companies merge or one company acquires another, consumer opt-out preferences are retained by the newly merged company. 

For example, if you have opted-out of data processing and collective for Company A, when Company B buys that company, they still must respect your data rights and opt-out.

Given that mergers and acquisitions are becoming increasingly common over time, this is a law that is paying attention to the details. Another win? The companies acquiring other organizations are usually quite large, which puts another layer of data protections in place against Big Tech.

This is a common sense win for California and the kind of data legislation more consumers can easily get behind.

Founder's Corner 🎙️

CPO & Co-Founder Kobi Nissan

Q: What do you think is the most important part about how GRC software develops in the coming years?

A: The technology has already come a tremendous way, as being able to discover nearly 100% of an organization's data systems in real-time was just a dream a decade ago, but the one area where more focus needs to be put is customization.

Each organization has its own. unique needs and software is developed enough to take that fact into consideration and reflect it in the end product. We could have tried to continue the race to build more DSR integrations than competitors, but that isn't what benefits customers. Customization alone is a great reason for releasing the Infinite Integration Builder.

Webinars & Events 📅

MineOS has a busy November planned, with both a big, expansive event and a focused, more personable one to come this month!

If you're looking for great GRC conversation in a quieter, more intimate setting, we'll be heading to ☀️ Miami for the Consero General Counsel Forum on November 10-12 for roundtable talks and 1-on-1 demos of how MineOS delivers for privacy programs.

Love the hustle and bustle of a big conference? Come say hello to us in 🚲 Brussels on November 20-21 for IAPP Data Protection Congress 2024! 

How did you like this month's issue?