Africa news
Nigeria - new guidance on registering data controllers and processors of major importance
The Nigeria Data Protection Commission (NDPC) has issued guidance on the registration of data controllers and data processors of major importance. This guidance relates to those entities that are processing personal data “of particular value or significance” (e.g. because of the number data subjects affected, or because the processing relates to key sectors such as finance, health, insurance, aviation, oil and gas, etc.). Note: existing data controllers and processors of major importance are required to register by 30 June 2024.
Americas news
USA – amendments to Virginia’s legislation on children’s data
Two bills have been passed amending provisions of the Virginia Consumer Data Protection Act regarding children’s data. From 1 January 2025, it would be prohibited (subject to parental consent) to process the personal data of a known child for the purposes of targeted advertising, the sale of personal data, or profiling to further decisions that produce legal or similarly significant effects.
Read the supporting legislation:
USA - new cybersecurity framework published
On 26 February 2024, the National Institute of Standards and Technology (NIST) published a final form of its updated Cybersecurity Framework. The framework, which has been broadened to apply to all organisations seeking to manage and reduce cybersecurity risks, is based around six key functions: Govern; Identify; Protect; Detect; Respond; and Recover.
View the framework
View the supporting documentation
USA - Kentucky introduces its first consumer privacy act
Introduced last month, this standalone consumer privacy bill - the first comprehensive privacy law to pass through a state legislature in 2024 - will become effective on 1 January 2026 (once approved by the Kentucky Governor). The Kentucky act (the USA’s 15th state privacy law) is based on Virginia’s existing consumer data privacy law and covers all major expected compliance topics.
Asia news
South Korea - PIPA amendments come into effect
Amendments to the Personal Information Protection Act (PIPA) came into effect on 15 March 2024. The Personal Information Protection Commission (PIPC) has issued a guide to the amendments covering, among other things:
• improvements to the privacy officer system;
• individuals’ rights in relation to automated decision-making;
• provisions on persons obliged to cover liability for damages under PIPA; and
• the disclosure of information on cross-border data transfers
Read the PIPC’s announcement about amendments to PIPA (in Korean)
Read the guide (in Korean)
Vietnam - government report on personal data protection legislation
The Vietnamese Ministry of Public Security has published a report assessing the status of personal data protection legislation in Vietnam. The report concludes that sanctions need to be more effective in acting as a deterrent and that a new overarching law is necessary to regulate personal data protection. The government is now seeking comments from the public on the proposal for such a law.
Read the consultation documents (in Vietnamese)
Singapore - new guidelines on use of personal data in AI systems
The Singapore data protection authority (PDPC) has published advisory guidelines on the use of personal data in AI systems used to make autonomous decisions or assist human decision-making. The guidelines aim to provide:
- organisations with certainty on when they can use personal data to develop AI systems;
- consumers with assurance on the use of their personal data in AI systems; and
- third-party developers with guidance on their obligations under the Personal Data Protection Act (PDPA).
China - free trade zone plans to ease cross-border data transfer restrictions
Following steps taken by the Shanghai Government to accelerate cross-border data transfers, a number of China’s other Free Trade Zones (as listed below) have started implementing their own rules to relax their cross-border data transfer regimes. The aim is to provide a simpler and less burdensome transfer regime.
Read Shanghai’s implementation plan (in Chinese)
Read Tianjin’s notice regarding its pilot FTZ (in Chinese)
Read Beijing’s press release about its FTZ (in Chinese)
Australasia news
New Zealand - updated privacy impact assessment toolkit published
The Office of the Privacy Commissioner in New Zealand has published an updated Privacy Impact Assessment toolkit with new templates for undertaking a preliminary privacy analysis and a privacy impact assessment.
Australia - notifiable data breaches report published
The Office of the Australian Information Commissioner (OAIC) has released a report on notifiable data breaches from July to December 2023, highlighting areas of potential risk for organisations to consider.
Europe news
Turkey - KVKK announces amendments to the PDL
The Turkish Personal Data Protection Authority (KVKK) has announced amendments to the Personal Data Protection Law (PDL) contained within the Law on the Amendment of the Criminal Procedure Code and Certain Laws. The amendments will come into force in two phases, on 1 June 2024 and on 1 September 2024.
Read the amendments (in Turkish)
Sweden - IMY announces supervision plan for 2024
The Swedish data protection authority (IMY) has published its supervision plan for 2024 which includes an increased focus on investigating complaints from individuals. The plan gives guidance on the criteria for applying the IMY’s risk-based approach to supervision and/or investigation which could be instigated as a result of a personal data breach report, a tip-off, information in the media, or other information.
Read the press release (in Swedish)
Spain - AEPD’s blog post on evaluating human intervention in automated decisions
The Spanish data protection regulator (AEPD) has published a blog post on evaluating human intervention in automated decision-making. The post states that, to assess whether human intervention is possible and effective, an evaluation of both the system used, and the processing and its context, must be made.
Sweden - IMY guidance on GDPR and AI
The Swedish data protection supervisory authority (IMY) has published guidance on GDPR and AI which aims to create the conditions for combining the development and use of AI with good data protection practices. The IMY recognises the great opportunities that exist with AI but also highlights risks, including in relation to the protection (or integrity) of personal data.
Read the guidance (in Swedish)
UK - ICO publishes guidance on use of biometric data
The ICO has published new guidance for organisations on the use of biometric data. The guidance focuses on the use of "biometric recognition", which is a term not used in UK data protection legislation, but which is taken from industry standards, and which refers to the use of systems that use biometric data to uniquely identify an individual. The guidance is aimed at organisations using (or proposing to use) biometric recognition and at providers of these systems.
European Union - EDPB commences coordinated action on data subject access rights
On 28 February 2024, the European Data Protection Board (EDPB) launched its third coordinated enforcement action (CEF), the implementation of access rights by data controllers. The EDPB will gauge how organisations comply with the CEF in a number of ways, including follow-up of ongoing formal investigations.
Middle East news
Saudi Arabia – SDAIA publishes consultation on data sovereignty
The Saudi Data and Artificial Intelligence Authority (SDAIA) has published a consultation on a draft policy on data sovereignty for the Kingdom of Saudi Arabia. The draft policy sets out a broad direction for data governance that responds to emerging risks associated with new data processing methods, emerging technologies and a heightened awareness of data privacy concerns internationally.
Israel - collection and use of biometric information in the workplace
The Israeli Privacy Protection Authority has issued its policy on the ‘Collection and use of biometric information for reporting and controlling employee attendance at the workplace’. The policy is intended for private and public organisations considering the use, or are using, technologies for the biometric identification of employees. It includes an overview of the relevant legal background and a series of guidelines and recommendations for employers.
UAE - new AI and Advanced Technology Council
At the end of January 2024, a new council was established by the UAE President to examine AI and Advanced Technologies. The council, the AIATC, is expected to develop and implement new polices that react to emerging technological developments and to pursue strategies for research, infrastructure development and investments in the field.
Sanctions. We're keeping count.
122. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 200 million US dollars in penalties and numerous other reprimands and corrective actions.
Want to find out more?
Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
