In this week’s Global News Roundup, the European Commission launches a new General Data Protection Regulation enforcement review plan. The U.S. Department of Health and Human Services’ Office for Civil Rights entered a settlement with a health care provider for a patient privacy rights violation. And British Columbia has new rules for its Freedom of Information and Protection of Privacy Act.

The latest

Denmark’s data protection authority, Datatilsynet, published an overview of its primary topics of focus in 2023.

The EU and Singapore announced an agreement on a new Digital Partnership.

Italy's data protection authority, the Garante, banned U.S.-based artificial intelligence chatbot company Replika from processing personal data of Italian users.

The Nigeria Data Protection Bureau announced the revocation of operating licenses for 19 “data protection compliance organizations.”

Enforcement

France's data protection authority, the Commission nationale de l'informatique et des libertés, released a report on sanctions and corrective measures taken in 2022

The European Commission will launch a new enforcement review plan to ensure adequate application of the EU General Data Protection Regulation.

The European Commission held a webinar to prepare national authorities for their role in Digital Services Act implementation.

The U.K. Information Commissioner's Office fined a former employee of automotive services company RAC 5,000 GBP for stealing data belonging to victims of traffic accidents.

The U.S. Health and Human Services Office for Civil Rights reached a $1.25 million settlement with Arizona-based health care provider Banner Health Affiliated Covered Entities over alleged violations of the Health Insurance Portability and Accountability Act Security Rule.

In its first enforcement action under the Health Breach Notification Rule, the U.S. Federal Trade Commission prohibited GoodRx from sharing user health data with third parties for advertising purposes. 

Canada

The Office of the Information and Privacy Commissioner for British Columbia announced new requirements for privacy management programs and data breach reporting under the Freedom of Information and Protection of Privacy Act that entered into force Feb. 1.

Europe

Members of European Parliament plan to debate the proposed Artificial Intelligence Act's classification criteria for high-risk AI deployments

Slovenia'sPersonal Data Protection Act entered into force. 

US

U.S. Rep. Chris Stewart, R-Utah, introduced legislation barring children under age 16 from accessing social media platforms and requiring companies to verify user ages for compliance

Guidance

Australia’s Salinger Privacy published an overview of the protocols companies should follow when considering participation in a data "hackathon” to solve privacy issues. 

Sweden's data protection authority, the Integritetsskyddsmyndigheten, released "Data Protection in Practice," a privacy operations management survey of more than 800 Swedish data protection officers.

ICYMI

Personal data collection and user tracking are mainstays in advertising and retail business models but utilizing both with regulatory compliance and user trust is more and more daunting. Data clean rooms, with their first-party data sharing capabilities, are the latest attempts at compliant, friendly solutions. IAPP Staff Writer Joe Duball discusses where pitfalls appear with professionals.

Australia's passing of the Privacy Legislation Amendment Bill in November 2022 was a major upgrade to the country’s landmark federal privacy bill, originally passed in 1988. IAPP Westin Research Fellow Amy Olivero created a timeline of Australia’s privacy regulatory developments.

The growth of India’s digital lending industry has created a trade-off between quick access to loans with higher interest rates for creditors and lack of transparency and security to lenders’ financial identity, EY Global Delivery Services Senior Cyber Security Consultant Rishi Wadhwa, CIPP/E, writes

Though data anonymization offers a reprieve from some of the “onerous requirements” of the EU and U.K. General Data Protection Regulations, VeraSafe’s Scott Quellhorst and Renata Valkova, CIPP/E, CIPP/US, write that practitioners are left with unclear guidance as both jurisdictions create diverging standards.

The California Privacy Protection Agency adopted its first set of proposed final California Privacy Rights Act regulations. IAPP Staff Writer Joe Duball reports on the finalization with reactions from the privacy community.

California and Colorado are in the midst of drafting rules for their respective privacy legislations. Hintze Law Partner Sam Castic, CIPP/US, CIPM, FIP, PLS, outlines the privacy operations and business practices likely to be affected by the final products in California and Colorado.