Americas news
Brazil – preliminary regulatory study on biometric data and facial recognition technology
The Brazilian data protection authority (ANPD) has published the results of a number of case studies on processing biometric data and using facial recognition technology. The study highlights the potential risks involved and recommends that further studies be carried out.
View the study (in Portuguese)
Canada – regulatory consultation on privacy and age assurance
On 10 June 2024, the OPC issued an exploratory consultation on ‘Privacy and age assurance’ setting out its current understanding of, and thinking on, the topic. The consultation aims to prompt meaningful discussion and increase the OPC's understanding of the benefits, concerns, and existing research or writing associated with age assurance. Next steps include the creation of draft guidance on the use and design of age assurance systems.
Read the regulator’s exploratory consultation
USA – New York children’s privacy laws passed
In June 2024, the New York legislature passed two laws relating to children’s privacy. Firstly, the New York Child Data Protection Act (SB 7695) aims to restrict digital services from processing the personal data of users under the age of 18 without consent, and to prohibit (or require safeguards for) the sale or disclosure of the personal data of users under the age of 18. Secondly, the Stop Addictive Feeds Exploitation for Kids Act (SB 7694) (referred to as ‘SAFE’) broadly requires social media companies to restrict addictive feeds on their platforms for any users under the age of 18.
Read the New York Governor’s press release on the legislation
USA – Rhode Island passes standalone privacy law
On 25 June 2024, the Governor of Rhode Island transmitted House Bill 7787 and Senate Bill 2500, collectively the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA), into law without signature. The RIDTPPA will enter into force on 1 January 2026 and is the 20th standalone state consumer data privacy law in the United States. It follows the most common model of state privacy law (based on the original Washington consumer data privacy law). Key differences of note relate to privacy notices and an absence of requirements regarding data minimisation and universal opt-out mechanisms.
Asia news
South Korea – regulatory guidelines for processing public data in AI
The Personal Information Protection Committee has released its ‘Guide for processing open data for AI development and services’. The guide aims to clarify the legal standards for the collection and use of open (i.e. publicly disclosed) personal information. It also provides minimum standards for measures to be taken in AI development and service delivery.
Read the guidelines (in Korean)
China – consultation on cybersecurity and sensitive personal information guidelines
The National Information Security Standardization Technical Committee is consulting on its draft Cybersecurity Standard Practice Guidelines – Guidelines for Identifying Sensitive Personal Information. The guidelines aim to guide personal information processors in identifying sensitive personal information, and in standardising the processing, export and protection of sensitive personal information.
Read the Technical Committee’s announcement (in Chinese)
Japan – public consultation on regulatory review of DP law
On 27 June 2024, the Personal Information Protection Commission published an interim summary of possible updates to Japan’s main data protection law, the APPI. A consultation around this summary is open until 30 July 2024, covering topics such as: children's personal data; new regulations on biometric data; privacy impact assessments; effectively responding to individual requests; and breach notification and effective monitoring and supervision.
No official date has been given for enacting the draft changes, but it is widely expected to occur in 2025, with the changes becoming enforceable two years later (i.e. in 2027).
View the press release (in Japanese)
Malaysia – PDPA Amendment Bill passed
On 16 July 2024, the Personal Data Protection (Amendment) Bill 2024 was passed by the House of Representatives with no amendments. The Bill will now pass to the Senate, and once the legislative process is completed, the Bill will come into operation on a date to be confirmed by the Digital Minister by notification in the Gazette. The Amendment Bill introduces a number of significant changes to the Personal Data Protection Act 2010, with the aim of aligning Malaysian data protection laws more closely with international standards and practices.
Europe news
Norway – regulatory focus on camera surveillance in the workplace
The Norwegian data protection authority, Datatilsynet, has launched a summer campaign focussing on camera surveillance (CCTV) in the workplace, prompted by complaints regarding alleged illegal use by employers. Camera surveillance is widespread in working life but not all employers consider the consequences for employees’ privacy.
View Norway’s rules on using camera surveillance in the workplace (in Norwegian)
Turkey – overseas data transfer regulations come into force
The ‘Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad’ came into force on 10 July 2024. The Regulation applies to data controllers and processors party to the transfer of personal data abroad in accordance with Article 9 of the Law on the Protection of Personal Data. In addition, a data processor transferring personal data must also comply with the instructions of the data controller.
View the Regulation (in Turkish)
France – draft guidance on employee diversity monitoring
The French supervisory authority, the CNIL, has published draft guidance on diversity monitoring surveys at work. While diversity and inclusion surveys are not prohibited in France, guarantees are required to protect the personal data and privacy of individuals, and the collection of data relating to race or ethnic origin is strictly and specifically regulated.
View the draft guidance (in French)
Spain – AEPD publishes report on dark patterns
The Spanish data protection authority has published a report on the influence of “addictive patterns” in online services. The report points out that these practices involve the use of “deceptive patterns”, which are designed to mislead users into making unintended and potentially harmful decisions. The report includes a general overview of the regulatory landscape, including the Digital Services Act, guidance from the EDPB, and a resolution of the European Parliament on addictive service design.
Ireland – DPC publishes 2023 Annual Report
The Irish Data Protection Commission (DPC) has published its 2023 Annual Report. The report sets out the work it undertook in 2023, including the handling of complaints and breach notifications, taking enforcement action and providing input on legislative proposals.
International – Berlin Group adopts working paper on facial recognition technology
The International Working Group on Data Protection in Technology (the Berlin Group) has adopted a working paper on the use of facial recognition technology. In the paper, the Berlin Group, which is made up of participants from data protection supervisory authorities, government agencies, international organisations and non-governmental organisations, calls on all stakeholders to be aware that facial recognition technology can lead to intrusive, arbitrary and unlawful surveillance and sets out risks and practical recommendations.
Middle East news
Saudi Arabia – consultation on Rules for Data Protection Officers
The Saudi Data and Artificial Intelligence Authority (SDAIA) has published a consultation on proposed rules for the appointment of a Data Protection Officer (DPO).
View the consultation in English
UAE – Open Finance Regulation
The UAE Central Bank has published the Open Finance Regulation which contains security, notification and sharing provisions for financial data in certain contexts. This is due to be rolled out to relevant organisations in phases and guidance is likely to emerge in due course.
Sanctions. We're keeping count.
391. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 455 million US dollars in penalties and numerous other reprimands and corrective actions.