Americas news
Canada - updated breach reporting form
The Office of the Privacy Commissioner of Canada has updated its online breach reporting form for businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). The updated notification form, which is optional, is intended to make it easy to submit new privacy breach reports and related documents. It also gives businesses the ability to add documents to existing breach reports.
Argentina - changes to sanctions calculations under DPA and Do Not Call Registry
The Argentine data protection authority has issued Resolution No. 126/2024, effective 1 June 2024, which introduces changes to the classification and calculation of sanctions for breach of the Personal Data Protection Law (PDPL) and the National Do Not Call Registry Law.
The new resolution also approves:
- the implementation of the Do Not Call Registry and its new management system, establishing that holders or users of telephone services may file complaints for non-compliance through a new website
- new procedures related to complaints and administrative proceedings for breach of the Registry Law and for registration, cancellation and change of ownership of telephone lines in the Registry
View Resolution No. 126/2024 (in Spanish)
USA - Vermont Data Privacy Act vetoed by Governor
In May 2024, the Vermont Data Privacy Act (VDPA) was passed by the Vermont legislature. Based broadly on the laws in Connecticut and Maryland, the VDPA included a private right of action, data minimisation obligations, and provisions regarding age-appropriate design.
On 13 June 2024, the Governor of Vermont vetoed the VDPA on the basis that an ‘‘unnecessary and avoidable level of risk’’ was created by the law’s private right of action and by its provisions relating to age-appropriate design. The Vermont Senate has since failed to override the Governor’s veto.
Asia news
South Korea - guidance on preparing for enhanced security measures
The Personal Information Protection Committee (PIPC) has issued guidance to assist controllers in preparing for enhanced security measures coming into effect from 15 September 2024. The enhanced measures arise from revisions of the ‘Enforcement Decree of the Personal Information Protection Act’ and the ‘Standards for Ensuring the Safety of Personal Information’ made in September 2023.
View the press release (in Korean)
Hong Kong SAR - AI Data Protection Framework published
The Office of the Privacy Commissioner for Personal Data (PCPD) has issued its ‘Artificial Intelligence: Model Personal Data Protection Framework’. The framework is intended to provide internationally well-recognised and practical recommendations and best practices to assist organisations with procuring, implementing and using artificial intelligence, including generative AI, in compliance with the relevant requirements of the Personal Data (Privacy) Ordinance.
View a leaflet summarising the framework
Singapore - US-Singapore Shared Principles and Collaboration on Artificial Intelligence
On 5 June 2024, the U.S. and Singapore published a joint statement that reflects the two countries’ shared interest in deepening cooperation in critical and emerging technologies. The statement provides an overview of shared principles and objectives related to AI, as well as plans for future collaboration between the U.S. Department of Commerce and Singapore’s Ministry of Communications and Information.
Europe news
Finland - updated regulatory guidance on DPOs
The Finnish data protection regulator has updated its guidance on data protection officers (DPOs) following the publication of the European Data Protection Board’s report on coordinated enforcement action which focused on DPOs and found that they still face challenges in performing their role.
The updated guidance highlights, among other things, the key criteria that must be considered when appointing a DPO, particularly the need for them to be independent and have adequate resources to do their job in terms of skill, tools and sufficient time.
View the updated guidance (in Finnish)
Germany - awareness campaign on requirements for direct marketing
The State Commissioner for Data Protection in Rhineland-Palatinate has launched an information campaign to raise awareness of data protection requirements when sending direct marketing material. The authority has sent information letters to 30 organisations, from various sectors, to draw their attention to the applicable requirements.
View the press release (in German)
Norway - employer guidance on personal data of deceased employees
The Norwegian data protection authority has published guidance to help employers assess what to do with a deceased employee’s personal data. The guidance covers what characterises information about the deceased, what procedures an employer should put in place in relation to an employee’s death, and what rules apply if an employer or a survivor wants access to information about a deceased employee.
View the guidance (in Norwegian)
Netherlands - guidance on camera drones
The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP), has published guidance to help organisations using camera drones identify data privacy risks, and provide clarity on how the GDPR applies.
The guidance has been published in response to an increase in the use of camera drones in the private sector for a range of functions (e.g. building security). The AP highlights that recording by camera drones can have a significant impact on privacy, particularly as individuals may not be aware they are being recorded and that drones can cover large numbers of individuals and areas (potentially including private places) in a relatively short time.
The guidance emphasises that organisations must comply with the GDPR if a camera drone records individuals in a recognisable or identifiable manner (even if this is not the intention).
Austria - awareness-raising note on AI and data privacy regulations
The Austrian regulator, the DSB, has published a short awareness-raising note on the interaction of AI and data privacy regulations for data controllers. The note highlights aspects of data protection laws that must be considered when AI systems are developed or deployed. This supplements existing FAQs on the topic, published by the DSB, which are due to be updated and expanded upon.
France - second public consultation on new AI factsheets
The French supervisory authority has launched a second public consultation on artificial intelligence (AI). The consultation focuses on a second series of practical AI factsheets, and a questionnaire regarding the supervision of AI system development. The consultation closes on 1 September 2024.
There are a total of seven factsheets, covering:
- the legal basis for legitimate interest and the development of AI systems
- legitimate interest - focus on the dissemination of open-source models
- legitimate interest - focus on web scraping
- respect and facilitation of the rights of data subjects
- annotation of data
- ensuring the security of the development of an AI system
Sanctions. We're keeping count.
353. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 442 million US dollars in penalties and numerous other reprimands and corrective actions.
Want to find out more?
Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
