Newsletter

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't) - April 2024

Author: aosphere

24 April 2024


Area: Data privacy


Africa news

South Africa - Information Regulator provides update on investigations and assessments 

The Information Regulator has shared the outcomes of its investigations into complaints submitted (and assessments of compliance) under the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA). It reported receiving 982 POPIA-related complaints in 2023/24 (of which 682 were resolved), and assessing fourteen organisations, with ten of these assessments now being ready for determination via an enforcement notice.

The three examples provided in the regulator’s update relate to security failures and will help organisations in South Africa seeking to review their own technical and organisational security measures.

Read the Information Regulator’s statement

Americas news

USA - new Californian guidance on data minimisation

On 2 April 2024, the California Privacy Protection Agency (CPPA) published its first ever enforcement advisory, on the issue of data minimisation in consumer requests. Such advisories aim to educate the public and encourage businesses to comply with the California Consumer Privacy Act (CCPA). This one sets out specific legislative provisions along with two detailed practical scenarios.

Read the CPPA’s enforcement advisory

 

USA - Federal Trade Commission publishes 2023 Privacy and Data Security Report

On 28 March 2024, the Federal Trade Commission (FTC) published a report covering its key privacy and data security work from 2021 to 2023. The report highlights the broad range of enforcement actions pursued by the FTC and examines cases in several areas, including artificial intelligence, health privacy and children’s privacy. It provides a detailed summary of each enforcement case listed, along with an overview of the key topic areas on which the FTC’s enforcement powers have most recently focused.

View the FTC’s report


 
USA - House of Representatives passes Protecting Americans’ Data from Foreign Adversaries Act

On 21 March 2024, the United States House of Representatives unanimously passed an act aiming to prohibit certain data brokers from transferring sensitive personal information to any entity controlled by or from a ‘country of concern’. The official summary lists prohibited transfers as those to North Korea, China, Russia, and Iran, including entities controlled by those countries. 

‘Sensitive data’ is defined as:

  • government-issued identifiers (e.g. social security numbers)
  • financial account numbers
  • biometric information
  • genetic information
  • precise geolocation information
  • private communications (e.g. texts or emails)

A ‘data broker’ is defined as any entity that sells or otherwise provides data of individuals that the entity did not collect directly from those individuals.

Read the latest draft of the legislation

Asia news

Singapore - PDPC publishes guidelines on use of children’s data online

The Singapore data protection authority (PDPC) has published advisory guidelines on how data protection provisions in the Personal Data Protection Act (PDPA) apply to children’s personal data in the digital environment.

The guidelines apply to organisations providing online products or services likely to be accessed by children, such as certain social media services; technology aided learning (‘EdTech’); online games; and smart toys and devices.

They cover:

  • Notification
  • Consent
  • Reasonable purposes
  • Protection of children’s personal data
  • Data breach notification
  • Accountability

Read the PDPC’s guidelines

 

Philippines - NPC issues circulars on security and certification

The National Privacy Commission (NPC) has issued two legally binding circulars which apply to organisations processing personal data within the scope of the Philippines Data Privacy Act and its Implementing Rules and Regulations.

Read the security circular
Read the certification circular

China - new regulations and updated guidelines on cross-border data flows

The Cyberspace Administration of China (CAC) has issued its ‘Provisions on Promoting and Regulating Cross-border Data Flows’. The provisions, which came into force on 22 March 2024, provide clarification on several key issues, including certain requirements and exemptions. They also contain measures relating to the creation of negative list systems by Pilot Free Trade Zones.

Read the provisions (in Chinese)  

Australasia news

New Zealand - consultation on biometrics

The Office of the Privacy Commissioner in New Zealand has published a consultation on biometrics. The consultation invites views - until 8 May 2024 - on the use of biometrics in existing and emerging technologies. The commissioner proposes to develop specific provisions in a proposed Code of Practice under the Privacy Act 2020.

Read the consultation

Europe news

EU Member States - EDPB publishes strategy for 2024-2027

The European Data Protection Board (EDPB) has adopted its strategy for the next three years. The strategy sets out the EDPB’s priorities, along with key actions it will take to achieve its objectives, and is based on four pillars:

  1. Enhancing harmonisation and promoting compliance
  2. Reinforcing a common enforcement culture and effective cooperation
  3. Safeguarding data protection in the developing digital and cross-regulatory landscape
  4. Contributing to global dialogue on data protection

Read the EDPB’s press release 


EU Member States - EDPB issues opinion on ‘consent or pay’ models

The EDPB has adopted its eagerly anticipated Opinion 08/2024 on Consent or Pay Models Implemented by Large Online Platforms. The opinion examines the ‘consent or pay’ model against the legal requirements of the GDPR and sets out that consent collected by large online platforms in the context of such models can only be considered valid where those platforms demonstrate that all GDPR requirements for valid consent are met. The EDPB plans to develop similar guidelines (but with a broader scope of application) in due course.

Read the EDPB opinion 


 
Italy - Garante launches telemarketing code of conduct

The Garante has launched a code of conduct to regulate telesales and telemarketing activities. The code imposes obligations on parties, including controllers, list providers, contact centres and agencies. The Garante’s announcement follows its accreditation of the monitoring body for the code.

Read the Garante’s Code of Conduct (in Italian) 


 
France - consultation on multifactor authentication

In late March 2024, the CNIL launched a public consultation on draft guidance regarding multifactor authentication (MFA). The draft guidance covers:

  • The interplay between MFA and data protection
  • Legal bases for MFA data processing
  • Biometrics in MFA
  • Data minimisation
  • Data retention
  • Data security generally
  • A list of dos and don'ts

The consultation is open until 31 May 2024.

Read the CNIL’s press release (in French) 

 

Norway - Datatilsynet publishes strategy on working with AI

In March 2024, the Norwegian data protection authority, Datatilsynet, published its strategy on working with artificial intelligence. Datatilsynet states in the strategy that it must use its tools in a way that facilitates the innovative use of AI while safeguarding privacy, with the overall objective of contributing to the responsible development and use of AI.

Read Datatilsynet’s strategy (in Norwegian) 


 
United Kingdom - ICO action on cookies

In November 2023, the Information Commissioner's Office (ICO) contacted a number of (unnamed) organisations operating some of the UK’s most visited websites and warned that they would face enforcement action if they did not make changes to comply with data protection law regarding cookies. 

In January 2024, the ICO followed up with a press release indicating there had been a positive response from those contacted and warning other organisations to be proactive.

In March 2024, the ICO provided an update to say that almost 80% of the organisations it had written to in 2023 had made positive changes.

Read the ICO’s March 2024 update

Middle East news

Saudi Arabia - SDAIA publishes guide to generative AI

In January 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) published a guide to generative AI. The short guide aims to raise awareness of the importance of generative AI and promote the responsible adoption of the technology. It covers use cases of the technology, development benefits and challenges, potential future developments in the field and a summary of the SDAIA's initiatives in the area.

Sanctions. We're keeping count.

184. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 205 million US dollars in penalties and numerous other reprimands and corrective actions.

Want to find out more?

Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
