Newsletter

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't) - October 2024

Author: aosphere

16 October 2024

Area: Data privacy

Americas news

Canada - final phase of amendments to Quebec’s Privacy Act comes into force

The final phase of the amendments to Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (PPIPS) came into force on 22 September 2024. The amendments have entered into force on a staggered basis, and this final phase introduces the right to data portability. If a data subject so requests, organisations will be required to communicate to the data subject the computerised personal information collected from them. This communication may also be made to a person or organisation authorised to collect the information, at the data subject's request.

Read a summary from the Quebec regulator (in French)

Argentina - Agency issues guidance on transparency and personal data protection in AI systems

As part of its Artificial Intelligence Transparency and Personal Data Protection Program, the Agency for Access to Public Information (the Agency) has published guidelines for organisations in both the public and private sectors. The guidelines examine the risks to fundamental rights when using AI in automated decision-making systems, as well as providing guidance on how to overcome the challenges presented.

Read the guidelines (in Spanish)

United States - Connecticut - Privacy Act amendments in force

Amendments to the Connecticut Data Privacy Act, which restrict the processing of children's online data and limit the sale and processing of consumer health data, have come into effect as of 1 October 2024. The requirements include (i) the use of reasonable care to avoid harm to minors, (ii) the use of consent in relation to targeted advertising, sale of data, and profiling, and (iii) the conduct of data protection impact assessments. The amendments also provide that consent will now be required to process consumer health data.

Read the amendments

United States - California - Governor approves sensitive data amendment

The Governor of California has approved SB-1223 (Consumer privacy: sensitive personal information - neural data). The amendment adds "neural data" to the existing definition of "sensitive personal information" under the California Consumer Privacy Act (CCPA). Under the CCPA, sensitive personal information is treated differently from ordinary personal information (for example, individuals have the right to limit its use). The amendment was introduced by California lawmakers to address concerns regarding the "emergence of consumer neurotechnologies such as neuromonitoring devices, cognitive training applications, neurostimulation devices, mental health apps, and so-called brain wearables".

Read the amendments

Asia Pacific news

China - NCSTC issues Guidelines for Identifying Sensitive Personal Information

Following on from a consultation earlier this year, the Secretariat of the National Cybersecurity Standardization Technical Committee (NCSTC) has issued Guidelines for Identifying Sensitive Personal Information. 

Sensitive Personal Information is defined under the Personal Information Protection Law (PIPL) as "Personal Data which once leaked or used illegally, may easily infringe on the personal dignity of natural persons or endanger their personal or property safety". The PIPL contains a non-exhaustive list of types of data that are likely to constitute Sensitive Personal Information (i.e. biometric data, religious beliefs, specific identity data, medical or health data, financial account data, location data and data of children under 14 and other sensitive data). The Appendix to the guidelines elaborates on this list by setting out a table of typical examples.

Read the guidelines (in Chinese)

Vietnam - draft law on personal data protection published for consultation

On 24 September 2024, the Vietnamese Ministry of Public Security published for comment its proposed new law on Personal Data Protection (Draft PDP Law). The Draft PDP Law is more extensive than the existing data protection legislation (namely Decree No. 13/2023/ND-CP which came into force in July 2023) and addresses various areas, including marketing, behavioural advertising, Big Data processing, AI, cloud computing, employment matters, and specific sectors (such as finance and health). This follows the Ministry’s assessment earlier this year of the current data protection regime.

The Draft PDP Law indicates that it will come into force on 1 January 2026 without any transition period, except in a limited way in relation to micro-enterprises, SMEs and start-ups. It is not clear whether this new law will replace the existing data protection legislation or sit alongside it.

Read the documentation (in Vietnamese)

South Korea - PIPC publishes guidance on automated decision-making

On 26 September 2024, South Korea’s Personal Information Protection Commission (PIPC) published guidance for controllers on automated decision-making. Rights for individuals were introduced in this area through a revision to the Personal Information Protection Act (PIPA) in 2023, which became effective in March 2024. The guidance covers the scope of automated decision-making, measures to be taken by the controller, and details of necessary disclosures on standard procedures, processing methods, and processes for dealing with individual requests.

Read the guidance (in Korean)

Australia - Notifiable data breaches report published

The Office of the Australian Information Commissioner (OAIC) has released a report on notifiable data breaches from January to June 2024. The report provides information on the data breaches notified to the OAIC during that period and highlights areas of potential risk for organisations to consider. There was a 9% increase in breach reporting compared with the previous six months, and the leading source of breaches was malicious or criminal attacks.

Read the report

China - New Regulations on Network Data Security Management

The State Council has adopted new Regulations on Network Data Security Management, which will come into force on 1 January 2025. The Regulations include general security requirements and specific requirements on the processing of personal information (including in relation to transparency, purpose limitation, individual rights to access and data portability, and cross-border transfer). There are additional requirements applicable to the processing of important data (i.e. personal information of more than 10 million individuals), including in relation to risk assessments, data security and incident response.

Read the regulations (in Chinese)

Europe news

EDPB plenary meeting

At its plenary meeting on 7-8 October 2024, the European Data Protection Board (EDPB) adopted various documents:

  • opinion 22/24, which aims to clarify accountability obligations where processors/sub-processors are appointed
  • guidelines on legitimate interest, which have been published for consultation. These analyse the criteria that controllers must meet to rely on legitimate interest and detail how to carry out a legitimate interest assessment. This follows the ruling of the Court of Justice of the European Union that a commercial interest can qualify as a legitimate interest, provided that the processing is strictly necessary for the purposes of that interest and that the interests or fundamental rights of the individual do not override it
  • statement on draft Regulation for GDPR enforcement, which makes practical recommendations on the proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR
  • 2024-25 Work Programme, which sets out the EDPB’s priorities, along with key actions that it will take to achieve its objectives

European Commission reports on EU-US Data Privacy Framework

The European Commission has published its report on the periodic review of the functioning of the adequacy decision on the EU-US Data Privacy Framework. Based on the information gathered during the review, the Commission concludes that the U.S. authorities have put in place the necessary structures and procedures to ensure that the Data Privacy Framework functions effectively. The Commission will continue to closely monitor relevant developments in the coming months.

Read the report

UK - ICO publishes data protection audit framework

On 7 October 2024, the Information Commissioner’s Office (ICO) published a new audit framework to help organisations assess their own compliance with UK data protection law. This forms part of the ICO’s existing Accountability Framework. The ICO emphasises that the audit framework is not intended to be exhaustive, and each organisation will still need to consider the risks associated with its data processing in the specific context of its business. Nevertheless, it provides a useful benchmark for the ICO's expectations, and may be used to design privacy programmes, improve practices, track progress, or increase engagement from leadership.

Read the framework

Portugal - CNPD publishes 2023 annual report

Portugal’s National Commission for Data Protection (CNPD) has published its annual report for 2023. The report emphasises the CNPD’s role in raising awareness, promoting data protection, and assisting individuals and organisations to understand and comply with data protection law. It lists the guidelines the CNPD published in 2023 and contains statistics and information on complaints, data breach notifications, and enforcement activities.

Read the annual report

Spain - new AEPD publication on protecting children online

The Spanish data protection authority, the AEPD, continues its focus on protecting children online with its recent publication entitled "Safe internet by default for children, and the role of age verification". In it the AEPD analyses how children and young people can be protected on the internet without entailing surveillance and invasion of the privacy of all users, and without exposing children to being located or to new risks. It focuses on the obligation to comply with the data protection principles included in the GDPR, together with other regulations that complement or enhance the protection of minors.

Read the publication

Middle East news

Israel - PPA issues guidance on data security obligations of a company board

On 9 October 2024, following a period of public consultation, the Privacy Protection Authority (PPA) published final guidance on the role of the board in fulfilling a company's obligations under the Privacy Protection (Data Security) Regulations, 5777-2017 (DSR). The PPA's position is that in companies in which the processing of personal data is at the core of the activity (or where the activity creates an increased risk to privacy), the company's board of directors is obliged to monitor compliance with the Privacy Protection Law (PPL) and the regulations made under it (which include the DSR). The guidance sets out specific ways in which the board of directors is expected to be involved.

Read the guidelines (in Hebrew)

Sanctions. We're keeping count.

544. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 1.2 billion US dollars in penalties and numerous other reprimands and corrective actions.

Want to find out more?

Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.

Request a free trial