Newsletter

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't) - January 2025

Author: aosphere

27 January 2025


Area: Data privacy


Africa news

South Africa - Information Regulator publishes guidance on direct marketing

On 3 December 2024, the Information Regulator published a guidance note on how organisations should comply with their obligations under the Protection of Personal Information Act (POPIA) when conducting direct marketing. The guidance covers both electronic and non-electronic forms of unsolicited communications and addresses various areas, including:

  • reliance on consent and legitimate interest
  • types of communication that are deemed electronic (and which therefore require consent)
  • how to request consent
  • requirements under the Consumer Protection Act
  • compliance with general data protection principles
  • considerations for automated decision-making

Read the guidance

Americas news

Brazil - ANPD issues new guidance on the role of the DPO

On 19 December 2024, the Brazilian Data Protection Authority (ANPD) issued guidance on the role of the 'encarregado' (DPO), required to be appointed by data controllers under article 41 of the Brazilian Data Protection Law. A resolution issued by the ANPD in July 2024 clarified, among other things, that the appointment of a DPO by processors is optional but will be considered good practice.

The guidance addresses how to appoint a DPO, who can be appointed, substitutes, identity and contact information, duties of the controller, necessary characteristics of the DPO, the DPO’s activities and duties, and how to deal with conflicts.

Read the press release (in Portuguese)

 

Chile - Comprehensive amendments to the DPA

On 13 December 2024, Law No. 21.719 (the DPA Bill) was published in the Official Gazette.

The DPA Bill introduces significant modifications to Law No. 19,628 on Protection of Private Life that will bring Chile’s data privacy regime more into line with international standards. For example, the DPA Bill includes: (i) the creation of a data protection regulator; (ii) a range of legal bases that will permit processing of personal data and/or sensitive data other than consent; (iii) rules on international data transfers; (iv) general breach notification requirements to the regulator and individuals; and (v) a wide range of new compliance requirements and recommendations.

The DPA Bill will enter into force on 1 December 2026.

Read the DPA Bill (in Spanish)

 

Peru - New Regulations passed under Data Protection Law

The Peruvian government has issued a decree approving new regulations under Law No. 29733 on the Protection of Personal Data (the New Regulations). The decree was published in the Official Gazette, El Peruano, on 30 November 2024. The New Regulations substantially amend Peru’s data privacy laws and are aimed at modernising Peru’s regulatory framework to meet the challenges of the digital age (as the existing regulations date back to 2013).

The reforms are wide-ranging and include new requirements on the appointment of data protection officers and local representatives, data breach notification, the right to data portability, rights for children, data security, and cross-border data transfers.

Most of the provisions in the New Regulations will come into force on 30 March 2025. However, the right to portability will come into force on 30 September 2025 and the obligation to appoint a data protection officer will come into force in stages, beginning on 30 November 2025 for the highest revenue businesses.

Read the New Regulations (in Spanish)
 

United States - California - Increased CCPA penalties and thresholds

In line with its obligations under the California Consumer Privacy Act (CCPA), the California Privacy Protection Agency has announced adjustments to fines and monetary thresholds under the CCPA in order to align with inflation. 

The new amounts are effective from 1 January 2025 and include changes to: (i) the annual gross revenue threshold pursuant to which an organisation falls within the definition of a 'business' covered by the CCPA (increased to USD 26,625,000); (ii) the range of monetary damages available under the CCPA (increased to between USD 107 and USD 799 per consumer per incident); and (iii) the level of administrative fine amounts (to a maximum of USD 2,663 for each violation or USD 7,988 for each intentional violation).

Read the announcement
 

United States - New York - Package of bills signed

On 21 December 2024, the Governor of New York signed a legislative bill package that is aimed at strengthening protections for the personal data of consumers. The package is wide-ranging and while some elements only apply to specific types of organisations, other parts have more general application. Of particular note are:

  • Legislation S2659B/A8872A, which introduces a new time limit of 30 days for organisations to notify a data breach, and adds the Department of Financial Services to the list of entities that must be notified.
  • Legislation S2376B/A4737B, which increases protections in relation to medical and insurance data, by including such information within the legal definition of identity theft. It also brings medical and health insurance information within the scope of New York’s data breach reporting requirements.

Read the press release
 

United States (Federal) - US Justice Department issues Final Rule on access by countries of concern

On 27 December 2024, the US Justice Department issued a Final Rule implementing Executive Order (E.O.) 14117 (which was issued in February 2024) to prevent access to Americans’ bulk sensitive data and US government data by “countries of concern”. It is designed to address threats from certain states and “covered persons” that may act on behalf of such states (and it includes a definition of covered persons). It will mainly take effect 90 days from the date of its publication, with certain due diligence, reporting, and auditing requirements taking effect 270 days after publication.

The Final Rule sets out prohibitions on entering into data brokerage agreements involving access by countries of concern and includes restrictions on vendor, employment, and investment agreements, with set minimum security standards to be met. Various transactions are exempt, including certain financial services transactions.

Read the press release

Asia Pacific news

Australia - Reform of the Privacy Act

On 29 November 2024, the Privacy and Other Legislation Amendment Bill 2024 (the Bill) passed both Houses of the Australian Parliament. The Bill contains the first tranche of long-awaited reforms to the Privacy Act 1988 (Cth) (the Privacy Act) and it has been welcomed by the Office of the Australian Information Commissioner (the OAIC) as ‘a significant step forward in advancing privacy protections for the Australian community’. In particular, the Bill will strengthen the investigative and enforcement powers of the OAIC; require the OAIC to develop a new Children’s Online Privacy Code; introduce an adequacy mechanism for cross-border transfer; increase transparency requirements for automated decision-making; and introduce a statutory tort for serious invasions of privacy.

Most provisions of the Bill will come into effect immediately once the Bill receives Royal Assent, except for the statutory tort for serious invasions of privacy (six months after Royal Assent or on a date to be announced) and the provisions relating to automated decision-making (two years after Royal Assent).

Read the OAIC press release
 

India - Draft DPDP Act rules published

On 3 January 2025, the Indian Ministry of Electronics and Information Technology (MeitY) published a draft of the Digital Personal Data Protection Rules, 2025 (the Draft Rules) to accompany the Digital Personal Data Protection Act, 2023 (the DPDP Act). The DPDP Act originally received Presidential assent in August 2023.

The Draft Rules (which are available in full here, along with an Explanatory Note), provide detailed information and guidance on the implementation of the DPDP Act, and are subject to a period of public consultation until 18 February 2025. Key areas covered by the Draft Rules include transparency, registration, security, breach notification, data retention, children’s data, data protection impact assessments, individual rights, and processing outside India. The Draft Rules set out a phased implementation process. Those rules relating to the functioning of the Indian Data Protection Board will take effect immediately upon publication in the Official Gazette. The remaining bulk of the rules will come into effect at a date yet to be specified.     
 

Malaysia - Effective dates for PDPA amendments confirmed

On 24 December 2024, Malaysia's Minister of Digital published a notification in the Gazette (P.U.(B) 522) to announce the coming into force of different parts of the PDPA Amendment Act. Key dates for provisions to come into force are as follows:

  • 1 January 2025: certain ancillary provisions, e.g. to allow service of notice and documentation via electronic means
  • 1 April 2025: key provisions, e.g. in relation to: (i) security obligations for processors, (ii) changes to cross-border transfer rules, (iii) revised definitions and (iv) increased penalties
  • 1 June 2025: further key provisions, e.g. in relation to: (i) appointment of a DPO, (ii) mandatory data breach notification, and (iii) data portability rights

Guidelines are also under consultation, which are likely to be finalised and published ahead of the relevant provisions coming into force.

Read the notification
 

Philippines - NPC issues Advisories on child-oriented transparency and AI

In mid-December 2024, the National Privacy Commission (NPC) issued two new Advisories, which are legal requirements under the rule-making function of the NPC.

The first Advisory, issued on 17 December, provides guidelines for organisations on how to comply with the requirement for transparency under the Data Privacy Act of 2012 (DPA) when processing children’s personal data. It covers key areas including child privacy impact assessments, readability, comprehension and granularity of privacy notices, data breach notification, and accountability. The second Advisory, issued on 19 December, provides guidelines on how organisations should comply with Philippine data privacy law when processing personal data using AI systems, covering core data protection principles.     
 

Taiwan - Draft amendments to provisions of the Personal Data Protection Act announced

The draft amendments primarily focus on the implementation of a 2022 judgment from Taiwan's Constitutional Court which requires the establishment of an independent data protection supervisory authority in Taiwan by August 2025. As a result of the judgment, the Taiwanese Government has been working to establish the Personal Data Protection Commission. As part of this effort, draft amendments to the Personal Data Protection Act (the PDPA) have been published for public consultation.

The draft also includes changes to the PDPA which may affect organisations, including (i) new data breach notification requirements; (ii) an obligation to appoint a DPO and conduct audits; and (iii) prioritisation of high-risk industries for regulatory inspections.

Read the draft amendments (in Chinese)
 

South Korea - PIPC publishes guidance on biometric data 

South Korea’s Personal Information Protection Commission has issued new guidance on the use of biometric personal information. The guidance sets out the various checks that should be considered to ensure the information is processed safely and in accordance with the Personal Information Protection Act. It includes guidance aimed at different parties, including manufacturers, users, and organisations processing biometric data.

The guidance covers specific measures that the relevant parties should consider taking, including in relation to privacy by design, proportionality, allowing for alternatives to the use of biometric information, and the conduct of personal information impact assessments.

Read the guidance (in Korean) 

Europe news

EU Member States - EDPB adopts opinion on AI and data protection 

On 18 December 2024, the European Data Protection Board (EDPB) announced the adoption of Opinion 28/2024 on the processing of personal data in the context of AI models, which was produced in response to a request by the Irish supervisory authority.

The Opinion provides guidance on whether data in AI models can be considered anonymous, and the EDPB notes here that the definition of personal data is intentionally broad. There is also guidance on reliance on legitimate interest as a lawful basis for processing, where the EDPB concludes that technical measures may help to satisfy the balancing test. Finally, the Opinion considers the consequences of unlawful processing of personal data in the development phase of an AI model, which may affect the lawfulness of any later deployment.

Read the Opinion
 

EDPB consults on guidelines for court ordered data transfer

The EDPB has published guidelines on Article 48 GDPR for public consultation. Comments are invited here until 27 January 2025. Article 48 provides that orders from courts in third countries (outside the EU) requiring transfer of data to the relevant jurisdiction are only enforceable if based on an international agreement between the third country and the EU or a Member State. The guidelines aim to clarify the rationale and objective of this provision, while also seeking to clarify the interaction between Article 48 and the other international transfer provisions of Chapter V GDPR. They contain practical recommendations for controllers and processors in the EU that receive requests from third country authorities to disclose or transfer personal data.

Read the guidelines


France - CNIL issues formal notice in relation to dark patterns in cookie banners

On 12 December 2024, the CNIL issued a formal notice to website publishers to modify cookie banners which are considered misleading. The notice comes following complaints about "dark patterns" in consent banners, essentially encouraging individuals to accept cookies. The CNIL warns publishers that, generally speaking, cookies can only be used with consent, and rejecting cookies should be just as easy as accepting them.

In the notice, the CNIL states that it has issued "orders to comply" to several publishers because their cookie banners (i) make it easier to accept than reject them; and/or (ii) encourage individuals to consent "through ambiguous or misleading designs". The notice serves as an important reminder that the CNIL remains focused on cookie compliance. (Perhaps not a bad 2025 resolution to review your cookie banner if you are active in France).

Read the notice
 

Netherlands - AP highlights privacy risks of cookies

On 16 December 2024, the Dutch data protection authority (the AP) launched a two-week campaign to highlight the privacy risks of cookies. For organisations, the campaign explained the key steps that are required to comply with the rules on cookies. In particular, it flagged the current AP guidance in relation to cookie banners, cookie policies, and cookie walls. As part of the campaign, the AP noted that it monitors (and is increasingly investigating) whether organisations are complying with the law on cookies and that it will take action for non-compliance, which may include a financial penalty.

Read the press release (in Dutch)
 

Norway - new cookie rules in force from 1 January 2025

The Norwegian Storting has adopted a new Electronic Communications Act (E-Com Act) that came into force on 1 January 2025. The new law states that consent is required to use cookies and similar technologies. The change has brought Norwegian law in line with the EU and has given internet users in Norway stronger protection and better control over how websites track their activity.

Where consent is obtained, it must meet GDPR standards. Consent is not required for the technical storage of or access to information where it is: (i) solely for the purpose of transmitting communications in an electronic communications network; or (ii) strictly necessary to deliver an Information Society Service at the express request of the relevant end user or user.

Read the press release
 

Spain - blog post on data and information in Artificial Intelligence

As part of its series on the use of "Innovation and Technology" in the field of data privacy, the Spanish data protection authority (the AEPD) has published a blog post on data and information in AI. In the post, it explores engaging with data science professionals in order to ensure that, in machine learning-based AI systems, the principles of accountability, minimisation, accuracy, and data protection by design are applied effectively. It does so by working through an illustrative example of using AI to determine if a person is overweight.

Read the blog post
 

UK - ICO publishes response to the consultation series on generative AI

The ICO has published its response to the five-part generative AI consultation series which was launched in January 2024. The consultation series sought to address how specific aspects of UK data protection law apply to the use of generative AI. Key questions were: what is the appropriate lawful basis for training generative AI models; how does the purpose limitation principle play out in the context of generative AI development and deployment; what are the expectations around complying with the accuracy principle; and what are the expectations in terms of complying with data subject rights?

The response summarises feedback from respondents, but also clarifies misconceptions and sets out ICO analysis on how specific areas of data protection apply to generative AI systems.

Read the response

Middle East news

Israel - Data Protection Authority publishes new directive on the transfer of database ownership

The directive focuses in particular on the question of consent in the context of a change in ownership. The Israeli Data Protection Authority comments that a change in the controlling ownership of a database can have consequences for relevant data subjects and their rights.

A new owner is not permitted to change the purpose of the database without consent, which usually needs to be obtained prior to the transfer. If the purpose remains the same, consent will generally not be necessary (but notice must be provided). However, even where there is no change in purpose, consent may still be required in “exceptional circumstances”, which usually apply where there is a special relationship of trust (e.g. between a lawyer and client).

Read the directive release (in Hebrew)

Saudi Arabia - SDAIA consults on draft audit and accreditation certificate rules

On 11 December 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) published two public consultations titled 'Rules Governing the Issuance of Accreditation Certificates for Personal Data Protection' and 'Rules Governing the Licensing of Audits or Checks of Personal Data Processing Activities and the Issuance of Accreditation Certificates'. The first draft set of rules covers requirements for obtaining accreditation certificates, the application procedure, and the duration, renewal, and revocation of accreditation certificates. The second draft set of rules covers license requirements, the granting of licenses, licensing procedures, and license terms, renewals, suspension, revocation, and cancellation.
 

Turkey - KVKK publishes guidance on international transfers

On 2 January 2025, Turkey’s data protection authority, the Kişisel Verileri Koruma Kanunu (KVKK) published guidance on international transfers, designed to assist organisations in complying with their obligations under the Law on the Protection of Personal Data, following amendments that came into force in July 2024.

The guidance sets out the test for the definition of a transfer of personal data abroad, which includes the transferor being subject to Turkish data protection law and the data being “transmitted or made accessible in another way” (which can include remote access). The KVKK goes on to provide guidance on the various transfer conditions that organisations may rely on. Notably, where organisations rely on the Turkish standard contractual clauses, these must be registered with the KVKK within 5 working days.

Read the guidance (in Turkish)

Sanctions. We're keeping count.

713. That's the total number of regulatory sanctions around the world that Rulefinder Data Privacy tracked in 2024.

It amounts to over $2 billion US dollars in penalties and numerous other reprimands and corrective actions.

Want to find out more?

Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
