Americas news
USA – California – new enforcement advisory on dark patterns
On 4 September 2024, the California Privacy Protection Agency published an Enforcement Advisory on avoiding the use of dark patterns. The Enforcement Advisory sets out factual scenarios, illustrative examples, and sample consent mechanisms, and reminds organisations to carefully review user interfaces to ensure they are compliant. It also sets out key questions a business should ask when faced with choices around consent mechanisms and user interfaces.
Brazil – ANPD issues resolution on international data transfers
The Brazilian data protection authority (ANPD) has approved Resolution No.19 of 23 August 2024 on international transfers of personal data. The publication of the Resolution in the Official Gazette follows a public consultation undertaken by the ANPD last year.
The Resolution provides greater legal certainty on transferring personal data outside Brazil. It:
- includes ANPD approved standard contractual clauses for international transfer
- sets out the process for obtaining ANPD approval for bespoke contractual clauses or binding corporate rules
- establishes the process and criteria for use by the ANPD in assessing third countries and international organisations, for the purposes of issuing an adequacy decision
USA – Pennsylvania – breach notification law amended
Pennsylvania’s data breach notification law (the Breach of Personal Information Notification Act of 2005) has been amended to include broader obligations. The amendments go into full effect on 26 September 2024. The amendments include an expanded definition of “personal information”, updated notification obligations to the Pennsylvania Attorney General and consumer credit agencies, and an obligation to provide access to credit monitoring services in certain circumstances.
USA – New York – AG guidance on website privacy controls
The Attorney General’s Office in New York State has published new business guidance on website privacy controls and disclosures. This guidance follows an investigation which identified that a significant number of popular websites employed malfunctioning (or completely broken) privacy controls. While there is no standalone comprehensive data privacy law in New York State that covers the online tracking of individuals, website privacy practices are still subject to the state’s consumer protection laws (which prohibit deceptive acts and practices).
Asia Pacific news
Australia – Reform of the Privacy Act
On 12 September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024 to the House of Representatives, which contains the first tranche of long-awaited reforms to the Privacy Act 1988 (Cth), including updated enforcement powers, a children’s code, and transparency requirements for automated decision making.
The reforms included in the Bill are more limited than those agreed in principle in the Government’s Response to the Privacy Act Review released in September 2023. The Office of the Australian Information Commissioner (OAIC) welcomed the Bill as an important first step in strengthening Australia’s privacy framework, although it is “eagerly awaiting the second tranche of privacy reforms”.
Australia – consultation on mandatory guardrails for high risk AI
On 4 September 2024, the Australian Government released a proposals paper for introducing mandatory guardrails for AI in ‘high risk’ settings, which is open for consultation until 4 October 2024. The paper includes a proposed definition of high-risk AI; proposed mandatory guardrails for AI systems in high-risk settings; and regulatory options for mandating the guardrails.
The Australian Government has also issued a Voluntary AI Safety Standard, which consists of 10 voluntary guardrails that are aligned closely with the proposed mandatory guardrails.
Malaysia – new Cyber Security Act comes into effect
On 26 August 2024, the Cyber Security Act 2024 came into effect. Under the Act, entities that own or operate National Critical Information Infrastructure (NCII) are subject to standards and processes aimed at managing cyber security threats and incidents and ultimately strengthening Malaysia’s national security framework. The Act sets out the regulatory framework for NCII and includes requirements for risk assessments, audits, incident notification, and licensing. It also sets out the enforcement regime, which may include fines of up to approximately US$115,000 for non-compliance.
Philippines – NPC issues Circular on CCTV
On 12 August 2024, the National Privacy Commission (NPC) published a Circular on the use of CCTV. The Circular sets out specific requirements in relation to key data protection principles. Most of the obligations fall on controllers, but processors are also required to adhere to the principles where relevant. The Circular includes safeguards organisations need to put in place in relation to CCTV, broken down into policies, deployment, and operation. There are also detailed requirements in relation to handling of data subject access requests and third-party access requests.
Thailand – PDPC issues first fine under PDPA
In August 2024, Thailand’s data protection authority (the PDPC) issued its first fine under Thailand’s comprehensive data protection law (the PDPA). A company was sanctioned 7 million baht (approx. $200,000) for failing to appoint a DPO, implementing insufficient security measures, and failing to promptly notify and address a data breach.
Europe news
Switzerland – adequacy decision for Swiss-US Data Privacy Framework
On 14 August 2024, the Swiss Federal Council issued a decision finding that the Swiss-US Data Privacy Framework (Swiss-US DPF) ensures an adequate level of protection for the transfer of personal data from Switzerland to certified companies in the United States. This mirrors the approach in the EU-US Data Privacy Framework. The Federal Council’s decision was based on an assessment drawn up by the Swiss Federal Office of Justice. The decision (which took effect from 15 September 2024) will allow the transfer of personal data from Switzerland to US certified companies without additional safeguards.
Norway – public consultation seeking feedback on the Personal Data Act
On 4 September 2024, the Norwegian Ministry of Justice opened a call for feedback on the Personal Data Act to consider whether the legislation is still fit for purpose 6 years after coming into force, in line with commitments made at the time that the Act was being prepared. Input from organisations can address experiences with the current law, consequences of the law, proposals for clarifications, changes to rules, or other matters. The deadline for submissions is 1 November 2024.
Finland – publication of Ombudsman's 2023 activity report
On 14 August 2024, the Finnish supervisory authority, the Data Protection Ombudsman, published its activity report for 2023. The report notes that 2023 saw an increase in enforcement activity, particularly involving retention periods, implementation of data subject rights, and the adequacy of protective measures. There was also an increase in personal data breach notifications, mainly from regulated sectors including health care, financial services, and telecoms. Looking ahead, the Ombudsman expects an increase in cross-border cooperation and work involving artificial intelligence.
Denmark – Datatilsynet issues guidance on accidental disclosure
On 10 September 2024, the Danish data protection authority (Datatilsynet) added guidance on preventing accidental disclosure of personal data to its catalogue of security measures. The measures proposed in the guidance include conducting manual reviews, ensuring redactions cannot be removed, and carrying out training and awareness.
Middle East news
Saudi Arabia – multiple new rules and items of guidance
In late August, the Saudi Data and Artificial Intelligence Authority (SDAIA) published new rules on the appointment of DPOs. These include conditions that trigger the requirement to appoint a DPO, minimum requirements for a DPO to meet, tasks and responsibilities, and documentation and communication channel requirements.
In early September, the SDAIA published new data transfer regulations, which amend the existing data transfer rules. Under the rules, organisations transferring personal data outside Saudi Arabia will generally need to rely on Standard Contractual Clauses, Binding Common Rules, or a Certificate of Accreditation. At the same time, the SDAIA published Standard Contractual Clauses and guidelines on Binding Common Rules.
The SDAIA has also published various rules and guidance in relation to privacy notices, data minimisation, national registration, destruction, anonymisation and pseudonymisation, disclosure, and records of processing activities.
Israel – Knesset approves comprehensive amendments to the PPL
On 5 August 2024, the Knesset Plenum, the supreme authoritative body of the Israeli Parliament, approved Amendment 13 to the Protection of Privacy Law (PPL). Among other things, the Amendment updates and clarifies the PPL and provides effective enforcement tools to increase the protection of the basic right to privacy. The Amendment is seen as an important step in view of the recognition of the State of Israel by the European Union as a country with an adequate level of protection for personal data. The Amendment comes into force in August 2025.
Sanctions. We're keeping count.
501. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 1 billion US dollars in penalties and numerous other reprimands and corrective actions.