Newsletter

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't) - February 2024

Author: aosphere

14 February 2024


Area: Data privacy


Americas news

USA (federal) - data sharing agreement with Australia comes into effect

On 31 January 2024, the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (also known as the Australia-US CLOUD Act Agreement) came into force. The agreement requires US and Australian communications providers to share with each other’s country authorities electronic data needed to counter serious crime and safeguard national security.

Read a joint statement on the agreement

 

USA - Connecticut Data Privacy Act report

On 2 February 2024, the Attorney General of Connecticut published a report setting out the actions of the Attorney General’s Office to enforce compliance with the Connecticut Data Privacy Act. Among other things, the report sets out: the number of notices of violation issued to date; the nature of each violation; and the number of violations cured within the 60-day cure period.

Read the report

 

Canada - OPC issues Strategic Plan 2024-27

The Office of the Privacy Commissioner of Canada (OPC) has launched its ‘Strategic Plan 2024-27’. The Strategic Plan covers priorities such as: protecting and promoting privacy with maximum impact; advocating for privacy in a time of technological change; and championing children’s privacy rights. Stakeholders are invited to give feedback to guide the plan’s implementation.

Read the strategic plan

 

Chile - public consultation on National AI Policy

The Chilean government has opened a public consultation on updates to its National AI Policy. In particular, the consultation focuses on AI governance and ethics, which is seen by the Chilean government as a priority, given the “accelerated advance of generative AI”. The consultation is open until 15 March 2024.

Read more about the consultation (in Spanish)

Asia news

South Korea - new standards for pseudonymisation in AI development

The Personal Information Protection Commission (PIPC) has issued new standards for the pseudonymisation of unstructured data in the development of artificial intelligence. The standards sit alongside the PIPC’s earlier Pseudonymous Information Processing Guidelines which focus on the pseudonymisation of structured data. 

Read the press release and standards (in Korean)

 

Singapore - advisory guidelines on the use of personal data in AI systems

The AI Verify Foundation and Infocomm Media Development Authority (IMDA) have developed a draft Model AI Governance Framework for Generative AI. The draft expands on the Model AI Governance Framework 2020 by covering traditional AI and is open to public consultation until 15 March 2024.

Read IMDA’s press release

 

Thailand - Thai government responds to data breaches

The Thai Minister of Digital Economy and Society has ordered the Personal Data Committee (PDPC) to establish a Personal Data Violation Surveillance Center to expedite investigations into data breaches and, along with the National Cyber Security Commission, investigate vulnerabilities in cybersecurity and information systems.

Read the Ministry of Digital Economy’s press release (in Thai)

Europe news

France - CNIL announces 2024 inspection priorities

The French supervisory authority (the CNIL) has published its priority areas of focus for regulatory inspections in 2024. Inspections are more specific than general investigatory priorities, but themes include: the processing of children’s data collected online; the right of access; the general compliance of loyalty programmes with applicable privacy laws; and data processing in the context of the 2024 Paris Olympic Games.

Read the CNIL’s press release and supporting materials (in French)

 

France - CNIL publishes cloud security factsheets

The French supervisory authority, the CNIL, has published two factsheets on data security and encryption within cloud computing. The factsheets are designed to provide organisations using cloud service providers with helpful technical information about encryption and the use of security and performance tools.

Read the factsheet on encryption (in French)
Read the factsheet on security tools (in French)

 

Netherlands - regulatory focus on misleading cookie banners

The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), has announced that in 2024 it will investigate more often how organisations request permission from website visitors for placing tracking cookies (or other tracking software) via cookie banners. The AP has also issued further guidance on compliance with the law in this area.

Read the AP’s press release (in Dutch)
Read the supporting guidance (in Dutch)

 

Italy - Garante issues guidance on employer email management

The Italian data protection authority, the Garante, has issued guidance entitled ‘IT programs and services for email management in the work context and metadata processing’. The guidance is aimed at employers in the public and private sectors who use email management software and services, especially those supplied in the cloud or as a service.

Read the guidance (in Italian)

 

UK - ICO publishes updated opinion on age assurance

The Information Commissioner’s Office (ICO) has published an updated version of its 2021 age assurance Opinion for the Children’s Code. The updated opinion aims to reflect new technological and legislative developments and explain to organisations how to meet their data protection obligations, while also complying with the Online Safety Act 2023.

Read the updated opinion  

Middle East news

Israel - PPA issues consultation on biometric information

The Israeli Privacy Protection Authority (PPA) has published, for consultation, a policy document on the collection and use of biometric information for attendance control in the workplace. The document does not seek to prohibit the use of such technologies, but only to ensure that they are used with consideration for employees’ privacy.

Read the background here (in Hebrew)

International news

The European Commission (EC) concluded its review of 11 existing adequacy decisions that were adopted under pre-GDPR data protection legislation. The EC’s report found that:

  1. Personal data transferred from the European Union to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continues to benefit from adequate data protection safeguards.
  2. The adequacy decisions adopted for these 11 countries and territories remain in place.
  3. Personal data can continue to flow freely from the EU to these jurisdictions.

Read the EC’s press release

Sanctions. We're keeping count.

65. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 50 million US dollars in penalties and numerous other reprimands and corrective actions.

Want to find out more?

Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
