Africa news
Ivory Coast – ARTCI opens public consultation on advanced technologies
The Ivory Coast Data Protection Authority (ARTCI) is conducting a study on the impact of advanced technologies on personal data protection. The public can actively participate by completing questionnaires on biometrics, video surveillance, drones, and AI.
Americas news
Canada – privacy regulators launch AI principles
The Canadian privacy authorities have developed a set of principles to advance the responsible, trustworthy, and privacy-protective development and use of generative artificial intelligence (AI) technologies in Canada. Their joint statement sets out the principles and provides examples of best practice.
Uruguay – updated list of adequate jurisdictions
Uruguay has updated its list of adequate jurisdictions and recipients to include recipients in South Korea (that are subject to the Korean Personal Data Protection Law), and entities included on the USA Department of Commerce's Data Privacy Framework Listing.
Read the supporting resolution (in Spanish)
Brazil – ANPD sets out priority topics for 2024/2025
The Brazilian data protection authority (ANPD) has published its areas of focus for 2024-2025, in terms of both regulatory research and inspection activities. Those areas are: individual rights; children’s personal data in the digital environment; processing in the context of artificial intelligence for facial recognition; and data scraping and data aggregators.
View the resolution (in Portuguese)
United States – FCC launches privacy enforcement partnerships
The Federal Communications Commission (FCC) has announced that it will formally work in partnership with the attorneys general of Connecticut, Illinois, New York, and Pennsylvania to investigate consumer-related privacy, data protection and cybersecurity issues (with a particular focus on data breaches, telephone scams and other fraudulent activity).
Asia news
South Korea – second amendment proposed to Enforcement Decree
The Personal Information Protection Commission (the PIPC) has published notice of a second amendment to the Enforcement Decree of the Personal Information Protection Act. The notice sets out certain proposed standards and procedures for the law due to take effect on 15 March 2024, covering areas such as automated decision-making, requirements for DPOs, and compensation for individuals.
View the PIPC’s announcement (in Korean)
Indonesia – government increases online child protection
The Indonesian government has passed the second amendment to Law No.11/2008 on Electronic Information and Transactions (the ITE law), aiming to increase child protection in the digital space. Of particular note are obligations relating to age verification, to detect if children are using a particular service.
View the press release (in Indonesian)
China – measures for the management of cybersecurity incident reporting proposed
The Cyberspace Administration of China has issued a consultation on proposed ‘Cybersecurity Incident Reporting Management Measures.’ The measures aim to standardise the reporting of network security incidents, reduce the losses and harm caused by network security incidents, and maintain national network security.
Australasia news
New Zealand – consultation on biometrics announced
The New Zealand Privacy Commissioner has announced that a consultation will take place on a proposed code for the processing of biometric information. The draft code will be issued in 2024.
Europe news
EU Member States – CJEU issues numerous decisions
The Court of Justice of the European Union (CJEU) has issued several significant decisions on the application of the GDPR, including:
- Case – C683/21 – regarding the liability of controllers/joint controllers
- Case – C807/21 – regarding breaches of the GDPR without the knowledge of management
- Case – C-634/21 – regarding data processing by credit information agencies
View the CJEU’s press release about these decisions
Switzerland – digital strategy adopted
On 8 December 2023, the Federal Council adopted the Digital Switzerland Strategy which sets out guidelines for Switzerland’s digital transformation and gives those involved in digitalisation, public and private, a framework on which to rely.
Spain – AEPD issues guidance on the use of biometric technologies
The Spanish Data Protection Authority (AEPD) has published guidance on the use of biometric technologies to collect and process biometric data, for both work and non-work purposes. The guide also sets out a list of organisational, technical and security measures to protect such data.
View the AEPD’s guidance (in Spanish)
European Union – Artificial Intelligence Act provisionally agreed
On 9 December 2023, EU policymakers reached a provisional political agreement on the EU AI act. The text of the act will now need to be finalised and formally adopted by the European Parliament and Council to become EU law.
View the EU Council press release
View the EU Parliament press release
UK – ICO issues cookies warning
The Information Commissioner’s Office (ICO) has contacted several (unnamed) organisations operating some of the UK’s most visited websites warning them that they face enforcement action if they do not comply with data protection law regarding cookies. In particular, the ICO emphasises that it must be as easy for site users to “Reject all” advertising cookies as it is to “Accept all.”
Middle East news
Israel – government issues emergency cyber regulations
The Saudi Data and Artificial Intelligence Authority (SDAIA) has published a consultation on proposed rules for the appointment of a Data Protection Officer (DPO).
View the regulations (in Hebrew)
Qatar – privacy by design assessment tool launched
The Qatari privacy regulator has launched a new privacy by design assessment tool for organisations to evaluate their systems and applications that handle personal data (but not to assess their compliance with Qatari data privacy law).
Sanctions. We're keeping count.
42. That's the number of regulatory sanctions Rulefinder Data Privacy has tracked since last month's newsletter. It amounts to over 4 million US dollars in penalties and numerous other reprimands and corrective actions.
Want to find out more?
Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
