IAPP Privacy Tracker
https://iapp.org/news/privacy-tracker/
Privacy Tracker - Following privacy and data protection legislation through the process, into law, and into future court interpretations.

Argentina's AAPI publishes Draft Law on the Protection of Personal Data
https://iapp.org/news/a/argentinas-aapi-publishes-draft-law-on-the-protection-of-personal-data

In June, Argentina's executive branch filed a new bill with the National Congress of Argentina to replace the current Personal Data Protection Law.

The new bill, the Draft Law on the Protection of Personal Data, is based on the preliminary bill drafted by Argentina's data protection authority, the Agency for Access to Public Information, in Sept. 2022 and comments to the preliminary draft filed by members of the public and private sectors during a public consultation process.

If the proposed legislation is passed, the current personal data protection regime will be updated to reflect the following principles.

Under the proposed legislation, the definition of sensitive data would be updated to include any information referring to the private sphere of individuals, including gender identity, genetic information and biometric data, as well as any information whose use might result in discrimination or entail a high risk to data subjects. It would also clarify the scope of the law's provisions to indicate they cannot affect the duty of secrecy regarding a journalist's sources; they do, however, apply to any other processing of personal data carried out in the context of a journalist's activities.

Extraterritorial application of the law is included in the proposed bill and applies to those located in Argentina, even when the processing is performed in another country. It also applies to those not located in Argentina but who comply with other conditions, such as providing goods and services to those within the country.

Processing of personal data

The proposed legislation includes the accountability principle, which makes controllers and processors responsible for conducting due diligence measures to identify, prevent, be accountable for and mitigate the impacts of their processing activities.

Additionally, new legal bases apart from consent would be recognized under the proposed draft, including the data controller's legitimate interest and the execution of preliminary contractual measures. Data controllers must carry out a detailed, prior and documented analysis when relying on legitimate interest. The draft also provides that consent must be given specifically and unequivocally, in addition to the characteristics currently required under the Data Protection Law.

The proposed legislation would expand the information provided to data subjects to include, among other things, the legal basis for processing personal data and the length of time it will be retained. It also includes a new legal basis for processing sensitive data, subject to reinforced accountability. Additional changes include:

  • The processing of minors' personal data will be specifically governed under the draft, and the minimum age for granting consent is 16 years. 
  • Data controllers must report security incidents to the DPA and data subjects within 72 hours of becoming aware of a potential breach.
  • Consent will only be permitted as a legal basis for the international transfer of personal data when the transfer is exceptional or does not involve a large number of individuals.

Rights of data subjects

Under the proposed draft, data subjects' right to object to the processing of their personal data will be recognized, in addition to the existing rights to access, rectify, update or suppress their personal data. Currently, the right to object is only recognized in cases of direct marketing. Data subjects will also have the right not to be subject to a decision based solely on automated or semiautomated processing of personal data when the decision could have discriminatory effects. They will have the right to data portability and the right to request the limitation of data processing. The deadline for answering data subjects' requests will be ten days in all cases.

When making decisions based solely on automated or semiautomated processing of personal data, data controllers must provide data subjects, upon request, with information on the criteria and procedures used in the decision, taking trade and industrial secrets into account. If data controllers withhold that information on the grounds of trade and industrial secrets, the DPA may conduct audits to verify whether the processing has any discriminatory, wrong or biased content.

Under the proposed draft, data controllers will be allowed to audit data processors to verify compliance with the law. Data processors will be required to inform data controllers and the DPA about security incidents that entail a risk to the administration of personal data. Both data controllers and data processors will be required to implement privacy policies.

Data controllers will also be required to implement privacy by design and privacy by default measures and to carry out data protection impact assessments under certain conditions. When the DPIA identifies a high risk to data subjects, data controllers will have to file a report with the DPA and will not be allowed to start the processing activities until it issues an opinion.

Data controllers and data processors will need to appoint either a data processing officer or a representative in Argentina and register with the National Registry of Personal Data Protection if certain conditions are met.

The draft also introduces specific rules on the profiling and scoring of data subjects.

The DPA will be able to impose fines of up to a maximum total of USD40 million (at the current exchange rate), or a fine of 2-4% of the total worldwide annual turnover of the data controller or data processor.

Finally, data processors are included as possible defendants of habeas data actions under the proposed draft.

If the bill is passed, its provisions will enter into force 180 days after its publication in the Official Gazette, except for Section 79 on administrative sanctions, which will enter into force as soon as it is published. The DPL will remain in force during that period, and infringements of the DPL will be sanctioned based on the penalties outlined in Section 79.

2023-10-11 10:00:47

U.S. privacy legislation in 2023: Something old, something new?
https://iapp.org/news/a/u-s-federal-privacy-legislation-in-2023-something-old-something-new

While there is little sign that the American Data Privacy and Protection Act will be (re)introduced to Congress any time soon, 2023 has already been marked by both new and previously introduced federal privacy bills vying for lawmakers' attention, scrutiny and support. To further complicate matters, however, federal privacy discussions this year confront several additional entanglements. From the passage of new state privacy laws, to proposed legislation on artificial intelligence governance, to numerous efforts to reform U.S. surveillance law, multiple issues are intersecting with privacy lawmaking efforts at the federal level. Given these recent developments, it is worth examining in more detail the privacy-related legislation proposed within the current Congress to better understand where the federal privacy debate has been recently and where it may be headed.

Comprehensive consumer privacy bills

Within the 118th Congress, at least six bills related to consumer privacy have been introduced through the first half of 2023. Two of these, the Data Care Act of 2023 and the Online Privacy Act of 2023, fall into the omnibus or comprehensive category, establishing a broad range of business obligations and consumer rights. In addition, both bills are modified reintroductions of legislation that appeared in previous years.

Data Care Act

The Data Care Act of 2023, sponsored by Sen. Brian Schatz, D-Hawaii, imposes various duties — a duty of care, duty of loyalty and duty of confidentiality — on online service providers. The duty of care is essentially a cybersecurity provision, requiring online service providers to "reasonably secure individual identifying data from unauthorized access" and to inform users of any breaches of this duty. The duty of confidentiality places conditions on a service provider's disclosure or sale of individual identifying data. The duty of loyalty is perhaps the most novel of the three. It prohibits the use of consumer data in ways that "benefit the online service provider to the detriment of an end user."

Within U.S. privacy law, the duty of loyalty has gained attention over the years. In addition to Sen. Schatz's legislation, a duty of loyalty has also been included in a prior iteration of the New York Privacy Act, though the version from the current 2023-24 session includes only a duty of confidentiality. And, both the bipartisan ADPPA and the Consumer Online Privacy Rights Act, introduced in the prior Congress and sponsored by Sen. Maria Cantwell, D-Wash., include a duty of loyalty. Yet, while the duty of loyalty concept in privacy law has been articulated perhaps most eloquently by Professors Neil M. Richards and Woodrow Hartzog in "Duty of Loyalty for Privacy Law," each piece of privacy legislation interprets the duty of loyalty in a different way. Indeed, the contents of its provisions differ substantively from bill to bill.

Although the Data Care Act was previously introduced in the 115th, 116th and 117th Congresses, the current version has secured more co-sponsors, with 19 in the Senate, than any of its prior versions.

Online Privacy Act

The other comprehensive consumer privacy bill, the Online Privacy Act of 2023, sponsored by Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., is also a slightly modified version of previously introduced legislation, having first appeared in 2019 and again in 2021. While it resembles the basic framework of most other comprehensive privacy bills — providing rights to access, correction, deletion, portability, human review of automated decisions, etc., along with requirements for covered entities, including data minimization, prohibitions on disclosure of personal information, notice and consent processes, and privacy policies — it may be the only proposal to establish a new federal entity, the Digital Privacy Agency. The bill vests the agency with certain powers and transfers power from the Federal Trade Commission to prescribe rules, issue guidelines and enforce federal privacy laws, including the FTC Act, insofar as enforcement pertains to "unfair or deceptive acts or practices relating to privacy, information security, identity theft, data abuses, and related matters."

Narrow consumer privacy bills

The four other bills related to consumer privacy are more limited in scope. They each touch on issues that have defined the federal privacy debate and are worth considering as their provisions may reappear or shape a future compromise privacy bill.

Informing Consumers about Smart Devices Act

The Informing Consumers about Smart Devices Act is the only bipartisan, bicameral piece of consumer privacy legislation that has been introduced this session; the others are sponsored solely by Democrats. In the Senate, the act is cosponsored by the chair and ranking member of the Commerce, Science and Transportation Committee, Sen. Ted Cruz, R-Texas, and Sen. Cantwell, while in the House of Representatives it is sponsored by Rep. John Curtis, R-Utah. Narrow in scope, the bill requires smart device makers to disclose to consumers, prior to purchase, that a camera or microphone is included in a device. It does not apply, however, to mobile phones, laptops or other devices that a reasonable consumer would expect to have a camera or microphone.

Yet, like the others, this is not a new piece of legislation. It was previously introduced in both the 117th and 116th Congresses — again, in the Senate by Cruz and in the House by Curtis.

The UPHOLD Privacy Act

The Upholding Protections for Health and Online Location Data Privacy Act, sponsored by Sen. Amy Klobuchar, D-Minn., establishes protections for personally identifiable health and location data. This is one of several bills proposed in the wake of the Dobbs decision overturning Roe v. Wade, aimed at preventing the collection and sale of health and location data "that could be used to identify women seeking reproductive health care services." These bills align with President Joe Biden's July 2022 executive order intended to protect the privacy of abortion-related data, which also prompted the Department of Health and Human Services and the FTC to "use their statutory authorities to protect this data."

In terms of its main provisions, the UPHOLD Privacy Act:

  • Prohibits the use of health data in commercial advertising.
  • Establishes minimization requirements for the collection, retention, use, disclosure and employee access to data.
  • Prohibits sale of location data to and from data brokers.
  • Establishes rights of access and deletion.

Exceptions to the bill include "publication of newsworthy information of legitimate public concern," issuance of public health campaigns and compliance with the Health Insurance Portability and Accountability Act. Violations would be enforced jointly by the FTC, under its Section 5 authority, and through an individual private right of action. It would preserve, rather than preempt, state laws that provide greater protection.

The DELETE Act

The Data Elimination and Limiting Extensive Tracking and Exchange Act is another previously introduced bill that reappeared in the 118th Congress. First proposed in both the House and the Senate last year, the bipartisan, bicameral DELETE Act would direct the FTC to establish a centralized system allowing individuals to request deletion of their personal information from data brokers. Data brokers, defined in the bill as entities that knowingly collect or obtain the personal information of individuals with whom the entity does not have a "direct relationship," would have to register annually with the FTC.

A similar bill, SB 362, the Delete Act, was also recently approved by the California Senate. Mirroring the federal bill, SB 362 would require data brokers to register with the California Privacy Protection Agency and would provide a centralized system for Californians to freely request that any personal information held by data brokers be deleted. The so-called "data brokerage ecosystem" that would be regulated by these bills was also the subject of the "Who is Selling Your Data: A Critical Examination of the Role of Data Brokers in the Digital Economy" hearing by the House Energy and Commerce Oversight and Investigations Subcommittee in April. In her testimony urging Congress to act, Georgetown University Law Center Professor Laura Moy argued "people are not okay with the status quo" and they "overwhelmingly express dissatisfaction regarding this lack of control" of the information data brokers hold about them. She also explained how the "booming" data broker industry "does real harm to real people in a multitude of ways," such as by fueling scammers, enabling predatory marketing, facilitating stalking and harassment, helping law enforcement agencies circumvent constitutional protections, disseminating inaccurate information, increasing data breach vulnerabilities, and putting minors at risk.

Stop Spying Bosses Act

Lastly, the Stop Spying Bosses Act, as its name implies, focuses on providing workplace privacy for individuals. This bill would require any employer who engages in surveillance of, or data collection about, its employees or applicants to disclose:

  • What data is collected.
  • How it is used.
  • How such surveillance affects workers' performance assessments.

Certain types of workplace surveillance are also prohibited by the bill, including monitoring activities related to labor organizations, collecting health information unrelated to job duties, monitoring off-duty workers and using automated decision-making, including machine learning or AI techniques, to predict worker behavior unrelated to their jobs. The bill would also establish a new Privacy and Technology Division within the Department of Labor to enforce the law, in conjunction with state attorneys general and individuals via a private right of action.

What next?

While other pieces of U.S. federal privacy legislation have been introduced in the 118th Congress, the above represent only the consumer-centric privacy bills. Although many more such bills will be introduced this session, the ones proposed so far have unique provisions, from the Data Care Act establishing a "duty of care" to the Online Privacy Act overhauling the FTC's privacy enforcement authority to the DELETE Act bringing regulation to an industry that has mostly been operating without oversight.

Paradoxically, the increasing number of comprehensive state privacy laws may be both a cause and an effect of the absence of federal legislation. As Joe Duball explains in his state privacy dispatch, one of the biggest reasons more state legislators are working on privacy legislation is lack of such movement in Congress. The effect of the continued passage of comprehensive state privacy laws on the prospects for a federal comprehensive privacy law remains a key question.

The partisan dynamics around state-level privacy lawmaking, highlighted by Cobun Zweifel-Keegan, as well as the interplay between the federal and state levels are fascinating. Yet the scenario in which companies must comply with 50 different U.S. privacy standards does not seem to be materializing. This is, at least in part, due to the way state lawmakers have communicated with their counterparts in other states to ensure some consistency across the state privacy laws and avoid the emergence of a "patchwork" of legislation.

Discussions around federal privacy continue to be shaped by numerous competing priorities and agendas. Ongoing legislative and executive focus on issues such as children's privacy and reproductive health privacy, for example, may tip the scales in favor of a narrower privacy bill passing at the federal level rather than a comprehensive or omnibus one. Were any one of these bills — whether comprehensive or narrow — to become law, it would have a significant impact on U.S. privacy rights and on their future trajectory.

2023-07-26 12:00:55

Global News Roundup: 31 May-5 June 2023
https://iapp.org/news/a/global-news-roundup-31-may-5-june-2023

In this week's Global News Roundup, Ireland's Data Protection Commission is set to impose a significant fine on Microsoft over LinkedIn's alleged targeted advertising practices. The U.K. Information Commissioner's Office came out in support of the proposed Data Protection and Digital Information Bill. The U.S. Federal Trade Commission levied multiple fines against Amazon. And the California Senate approved legislation placing restrictions on data brokers' practices.

The Latest

Four U.S. senators wrote Twitter Executive Chair Elon Musk and CEO Linda Yaccarino probing the company leaders on privacy practices and compliance with a 2011 U.S. Federal Trade Commission consent decree.

The Biden administration will likely face an uphill climb to reauthorize Section 702 of the U.S. Foreign Intelligence Surveillance Act before it expires in December.

Enforcement

The Berlin Commissioner for Data Protection and Freedom of Information fined an unnamed bank 300,000 euros for violating transparency obligations under the EU General Data Protection Regulation in an automated decision rejecting a credit card application.

Ireland's Data Protection Commission is set to serve Microsoft with a USD425 million GDPR fine over LinkedIn's targeted advertising practices.

The U.S. Federal Trade Commission and the Department of Justice announced proposed action against Amazon's Alexa that includes a USD25 million fine and various corrective measures over alleged privacy violations.

The U.S. FTC also announced a USD5.8 million fine and corrective measures against Amazon's Ring, pending federal court approval.

U.S. House Committee on Oversight and Reform Chairman James Comer, R-Ky., is investigating abuse of power complaints against FTC Chair Lina Khan.

The Indiana Medical Licensing Board found an Indianapolis doctor's handling of information related to the abortion of a 10-year-old victim of rape from Ohio violated privacy laws.

Europe

The U.K. Information Commissioner's Office released its opinion on the proposed Data Protection and Digital Information Bill, with Information Commissioner John Edwards indicating the bill "has moved to a position where I can fully support it."

US

California SB 362, the Delete Act, passed out of the Senate and moved to cross-chamber consideration.

Guidance

The Office of the Privacy Commissioner of Canada published guidance on workplace privacy for employers, outlining considerations for managing employees' personal information and topics like monitoring employees. 

Spain's data protection agency, the Agencia Española de Protección de Datos, published guidance on the importance of the GDPR's accuracy principle in artificial intelligence processing activities.

ICYMI

The world's first comprehensive law to regulate AI is approaching the finish line two years after it was presented. Journalist Luca Bertuzzi evaluates where the EU AI Act stands, key points of discussion throughout its process, compliance requirements, enforcement and more.

The IAPP Research and Insights team updated the U.S. Federal Privacy Legislation Tracker, which summarizes privacy-related legislation introduced by members of the 118th Congress.

Florida is on its way to finalizing targeted privacy legislation, SB 262, the Florida Digital Bill of Rights, after attempts to pass comprehensive legislation failed in recent years. Stearns Weaver Miller Shareholder Douglas Kilby, CIPP/US, analyzes the range of implications businesses may face with the proposed bill.

The U.S. is on the cusp of one-fifth of its states adopting their own comprehensive state privacy legislation, with Texas set to be the 10th. IAPP Staff Writer Joe Duball has the details.

2023-06-05 11:35:12

Global News Roundup: 23-30 May 2023
https://iapp.org/news/a/global-news-roundup-may-23-30-2023

In this week's Global News Roundup, Ireland's Data Protection Commission fined Meta a record 1.2 billion euros for EU General Data Protection Regulation violations. Belgium's data protection authority ruled the transfer of certain taxpayer data to the U.S. is illegal under the GDPR. The European Data Protection Board elected a new chairperson. And Privacy Commissioner of Canada Philippe Dufresne announced his office will partner with provincial DPAs to investigate generative AI developer OpenAI.

The Latest

India's Minister of State for Electronics and Information Technology Rajeev Chandrasekhar indicated the proposed Digital Personal Data Protection Bill will bring "deep behavioural changes" to platforms operating in India.

The Office of the Privacy Commissioner of Canada published guidance on workplace privacy for employers outlining considerations for managing employees' personal information and topics like monitoring employees.

The Texas Legislature signed off on final text for a proposed comprehensive privacy bill, House Bill 4, following a resolution struck between chambers in a conference committee.

Enforcement

Belgium's data protection authority, the APD, ruled transfers of generalized taxpayer data by the Belgian Federal Public Service Finance to U.S. tax authorities violate the EU General Data Protection Regulation. 

The European Data Protection Board elected Finland Data Protection Ombudsman Anu Talus as the board's next chairperson.

The European Data Protection Board published a case digest, commissioned as part of its Support Pool of Experts initiative, analyzing one-stop-shop decisions under the GDPR. 

France's data protection authority, the Commission nationale de l'informatique et des libertés, closed a December 2022 injunction against Microsoft. 

France's data protection authority, the Commission nationale de l'informatique et des libertés, published its 2022 annual report.

Finland's Office of the Data Protection Ombudsman ordered the Finnish Meteorological Institute to halt EU-U.S. data transfers using Google Analytics and Google's reCAPTCHA. 

The U.K. Information Commissioner's Office issued a formal reprimand to the Ministry of Justice after 14 bags of confidential documents, including medical and security data, were left unsecured in a prison holding area for 18 days.

The U.S. Federal Trade Commission announced an enforcement order against education technology provider Edmodo over alleged Children's Online Privacy Protection Act violations. 

Asia-Pacific

The Real Estate Institute of Australia opposes certain reforms to the Privacy Act on the grounds they may harm small businesses.

Data use and transfer restrictions within China's Personal Information Protection Law are negatively impacting international collaboration among researchers.

US

U.S. Sens. Michael Bennet, D-Colo., and Peter Welch, D-Vt., introduced the Digital Platform Commission Act.

Guidance

The Office of the Privacy Commissioner of New Zealand published a report highlighting privacy considerations for small- and medium-sized businesses. 

The Bavarian State Office for Data Protection Supervision issued fresh guidance on facilitating cross-border data transfers. 

The U.K. ICO published guidance for responding to subject access requests. 

ICYMI

At the IAPP Canadian Privacy Symposium 2023, Privacy Commissioner of Canada Philippe Dufresne announced his office would partner with multiple provincial data protection authorities to investigate generative artificial intelligence developer OpenAI. IAPP Staff Writer Alex LaCasse covered Dufresne's opening keynote address at the conference.

After its introduction in Canada's Parliament last year, Bill C-27, the Digital Charter Implementation Act, became a major point of debate among privacy professionals. IAPP Staff Writer Alex LaCasse has the details.

The world's first comprehensive law to regulate AI is approaching the finish line two years after it was presented. "The EU AI Act has the potential to become the international benchmark for regulating the fast-paced AI field," journalist Luca Bertuzzi writes.

Meta Platforms Ireland was fined a record 1.2 billion euros under the EU General Data Protection Regulation by Ireland’s Data Protection Commission for alleged unlawful data transfers from the EU to the U.S. Meta said it would appeal the ruling. IAPP Editorial Director Jedidiah Bracy, CIPP, has the details, including reaction from several privacy pros.

IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP, and IAPP Research and Insights Director Joe Jones evaluated Ireland Data Protection Commission’s Meta decision in terms of the orders it contains but also the political history that helped the DPC arrive at its final ruling.

Stearns Weaver Miller Shareholder Douglas Kilby, CIPP/US, breaks down the range of implications businesses face with the passage of Florida Senate Bill 262, the Florida Digital Bill of Rights.

2023-05-30 11:39:02

Global News Roundup: 9-15 May 2023
https://iapp.org/news/a/global-news-roundup-may-9-15-2023

In this week's Global News Roundup, outgoing European Data Protection Board Chair Andrea Jelinek reflected on her time overseeing enforcement of the EU General Data Protection Regulation. France's data protection authority levied an expanded penalty against Clearview AI for delayed compliance. The U.S. Federal Trade Commission is considering amending the Health Breach Notification Rule. And the Privacy Commissioner of Canada told members of Parliament that political parties should be subject to relevant privacy laws.

The Latest

The California Privacy Protection Agency published potential California Privacy Rights Act regulations it will consider during its 15 May board meeting.

Enforcement

The Office of the Australian Information Commissioner welcomed the increased funding in the upcoming 2023-2024 federal budget.

Quebec's data protection authority, the Commission d'accès à l'information du Quebec, appointed Rady Khuong vice president of its jurisdictional section and Naomi Ayotte as a member of its oversight section. 

European Data Protection Board Chair Andrea Jelinek joined Euractiv's "The Tech Brief" podcast to discuss her tenure and overseeing enforcement of the EU General Data Protection Regulation since its establishment. 

France's data protection authority, the Commission nationale de l'informatique et des libertés, announced Clearview AI is required to pay a 5.2 million euro penalty for delayed compliance with a prior order. 

The CNIL also selected Contentsquare, Hugging Face and Lifen to benefit from its "enhanced support" over the coming months. 

The Netherlands' data protection authority, Autoriteit Persoonsgegevens, fined Social Insurance Bank 150,000 euros for potentially enabling unauthorized access to personal details of pension recipients. 

The U.S. Federal Trade Commission's 18 May open meeting agenda features consideration of a policy statement on biometric data collection and a Notice of Proposed Rulemaking to amend the Health Breach Notification Rule.

Asia-Pacific 

The Australian Banking Association claimed potential reforms to the Privacy Act could have unintended consequences, such as "consent fatigue."

Canada

Privacy Commissioner of Canada Philippe Dufresne told the Senate of Canada's Standing Committee on Legal and Constitutional Affairs federal political parties should be subject to relevant privacy laws.

Europe

The European Commission opened a public consultation for how independent audits should be conducted under the EU Digital Services Act.

Members of European Parliament voted 306-27 with 231 abstentions to adopt a nonbinding opinion rejecting the proposed EU-U.S. Data Privacy Framework.

European Parliament's Committee on Civil Liberties, Justice and Home Affairs and Committee on Internal Market and Consumer Protection each approved the proposed Artificial Intelligence Act.

A new EU draft Cybersecurity Certification Scheme for Cloud Services will be reviewed by the European Cybersecurity Certification Group.

U.K. Information Commissioner John Edwards does not foresee a breach of the EU-U.K. adequacy agreement if U.K. Parliament passes the proposed Data Protection and Digital Information Bill.

US

U.S. Sen. Michael Bennet, D-Colo., introduced the Assuring Safe, Secure, Ethical, and Stable Systems for AI Act, which would establish a task force to oversee the federal government's use of AI. 

Members of the U.S. House Energy and Commerce Committee have participated in six data privacy hearings this year and will be considering updates to the American Data Privacy and Protection Act, which passed the committee last Congress.

Florida lawmakers passed Senate Bill 262, legislation that would give consumers access to information collected about them by companies and the right to have some data deleted.

Guidance

Spain's data protection authority, the Agencia Española de Protección de Datos, published a guide for cryptographic systems as a data protection security measure in partnership with the Spanish Association for the Promotion of Information Security and Spanish Professional Association for Privacy.

In a blog post, U.K. Information Commissioner's Office Deputy Commissioner for Regulatory Policy Emily Keaney addressed challenges law enforcement agencies face when using personal data during investigations. 

2023-05-15 12:13:08
Global News Roundup: 2-8 May 2023 https://iapp.org/news/a/global-news-roundup-may-2-8-2023 In this week's Global News Roundup, Australian Attorney-General Mark Dreyfus announced the restructuring of the Office of the Australian Information Commissioner. The European Commission set a 3 July deadline for gatekeepers to notify their core platform service. Indian citizens condemned a potential amendment to the Aadhaar Authentication. And, in the U.S., a bipartisan group of senators reintroduced the Children and Teens' Online Privacy Protection Act 2.0.

The Latest

The European Commission opened a public consultation for how independent audits should be conducted under the EU Digital Services Act.

European Data Protection Board Chair Andrea Jelinek joined Euractiv's "The Tech Brief" podcast to discuss her tenure and overseeing enforcement of the EU General Data Protection Regulation since its establishment.

Enforcement

Australia Attorney-General Mark Dreyfus announced the federal government will allocate resources to restructure the Office of the Australian Information Commissioner.

Deputy Privacy Commissioner of Canada Brent Homan wrote a blog explaining the positives of human-centric privacy enforcement "that seeks to understand and ultimately serve the best interests of individuals in the most effective and impactful way."

After the EU's Digital Markets Act took effect 2 May, the European Commission said potential online gatekeepers have until 3 July to notify their core platform services.

Norway's data protection authority, Datatilsynet, has prohibited Statistics Norway from collecting data on Norwegians' grocery purchases.

The California Privacy Protection Agency Board will hold its next public meeting 15 May. 

Asia-Pacific

Indian citizens condemned a move by the government to amend the Aadhaar Authentication for Good Governance Rules.

The Tasmania Law Reform Institute is seeking stakeholder input on potential reforms to the Personal Information Protection Act of 2004.

Europe

The Court of Justice of the European Union rendered a decision in a case regarding consumer rights to compensation with violations of the EU General Data Protection Regulation.

The Court of Justice of the European Union also ruled that a data subject's right to obtain a copy of their personal data means they must be given "a faithful and intelligible reproduction" of all data.

US

U.S. Sens. Bill Cassidy, R-La., and Ed Markey, D-Mass., reintroduced the Children and Teens' Online Privacy Protection Act 2.0, which they said updates online privacy protections for children and teens for the 21st century.

The Information Accountability Foundation wrote a blog outlining the unique requirements for data protection assessments under the Colorado Privacy Act.

Guidance

Ireland's Data Protection Commission announced fresh employer guidance on handling the data of current, former and prospective employees.

Spain’s data protection agency, the Agencia Española de Protección de Datos, created a guide for the use of "data spaces" and personal data protection laws.

ICYMI

A new chart in the IAPP Resource Center offers a look at the EU regulatory decision-making process and how laws get approved. 

The U.S. Federal Trade Commission alleged Facebook "repeatedly violated its privacy promises" and is proposing a "blanket prohibition" on parent company Meta's monetization of data of users under age 18, while the company called the move "a political stunt." IAPP Staff Writer Jennifer Bryant has details and the latest reaction to the FTC's proposal.

On the heels of Iowa, Indiana became the seventh U.S. state to pass a comprehensive privacy law. While Indiana differentiated itself by providing covered entities with more than two and a half years to come into compliance, IAPP Westin Research Fellow Anokhy Desai, CIPP/US, CIPM, CIPT, wrote there is substantial overlap between the Indiana Consumer Data Protection Act and three of the six state privacy laws.

2023-05-08 10:55:40
Global News Roundup: 25 April-1 May 2023 https://iapp.org/news/a/global-news-roundup-april-25-may-1-2023 In this week's Global News Roundup, the European Data Protection Board presented candidates for upcoming chair and deputy chair vacancies. Data localization provisions were changed in India's draft Digital Personal Data Protection Bill. And Canada's House of Commons approved the omnibus privacy legislation, Bill C-27, on its second reading.

The Latest

Marking Privacy Awareness Week 2023, 1-7 May, Australian privacy regulators urged individuals, organizations and agencies to get "back to basics" of privacy.

Officials have received over 20,000 public submissions on India's draft Digital Personal Data Protection Bill.

The Privacy Commissioner of New Zealand announced a series of hour-long free webinars to be held during Privacy Week 2023, 8-14 May, on topics related to digital privacy including online dating, biometrics and artificial intelligence.

Ireland's Data Protection Commission announced fresh employer guidance on handling the data of current, former and prospective employees.

Enforcement

The Philippines' National Privacy Commission is investigating the alleged leak of a document including personal information of police officers, prosecutors and judges. 

The EDPB presented candidates for upcoming board chair and deputy chair vacancies.

European Data Protection Supervisor Wojciech Wiewiórowski published his Annual Report 2022.

In response to a European Commission public consultation, the EDPS outlined ways to improve cooperation between national data protection authorities when enforcing EU General Data Protection Regulation cross-border cases.

Spain’s data protection authority, the Agencia Española de Protección de Datos, received the largest number of claims in its existence, according to its 2022 report, released 25 April.

Asia-Pacific

Transparency International Bangladesh raised concerns around surveillance and implementation of the draft Data Protection Act.

India's Minister of State for Electronics and Information Technology, and Skill Development and Entrepreneurship Rajeev Chandrasekhar said data localization provisions were changed in the recent version of the proposed Digital Personal Data Protection Bill.

Canada

The House of Commons of Canada passed Bill C-27, the Digital Charter Implementation Act, on second reading. 

Europe

Members of the European Parliament reached a provisional political deal 27 April on the EU AI Act.

U.S.

U.S. Sens. Lindsey Graham, R-S.C., and Richard Blumenthal, D-Conn., will reintroduce the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act for the third time.

A bipartisan group of U.S. senators is expected to introduce legislation setting age requirements for children to access social media platforms.

Members of the Maine Legislature reintroduced a biometric information privacy bill, similar to Illinois Biometric Information Privacy Act.

Montana Gov. Greg Gianforte, R-Mont., delayed signing a bill that would ban TikTok on all devices in the state and sought legislative changes.

In a 13-8 vote, the Nevada Senate passed Senate Bill 370, which is "an act relating to data privacy; requiring certain entities to develop … a policy concerning the privacy of consumer health data."

Guidance

The EDPB announced the rollout of its small- and medium-sized business data protection guidance suite.

France's data protection authority, the Commission nationale de l'informatique et des libertés, discussed the outcome of its first "compliance club" meeting dedicated to connected vehicles. 

ICYMI

The IAPP published an unofficial English translation of China's standard contractual clauses, created by Reed Smith, in its Resource Center. 

The growth of U.S. comprehensive state privacy law has hit a boom in 2023. Four state legislatures have given final passage to comprehensive bills this year, including the latest passages on the same day, 21 April, in Montana and Tennessee. IAPP Staff Writer Joe Duball reports on how each bill came to pass and how they're being received in the privacy community.

The Washington State Legislature completed the final step needed to pass the My Health, My Data Act 17 April. IAPP Westin Research Fellows Anokhy Desai, CIPP/US, CIPM, CIPT, and Amy Olivero break down the MHMDA's scope, obligations of regulated entities, enforcement and consumer rights — including the ability to sue companies for violating provisions of the act.

2023-05-01 12:00:11
Global News Roundup: 18-24 April 2023 https://iapp.org/news/a/global-news-roundup-april-18-24-2023 In this week's Global News Roundup, concerns emerged over surveillance in Bangladesh's draft Data Protection Act. European Parliament is at odds over prohibited uses of artificial intelligence technology in the proposed AI Act. And the heads of several encrypted chat apps wrote to the U.K. government to abandon plans that may compromise end-to-end encryption in the proposed Online Safety Bill.

The Latest

India's Minister of State for Electronics and Information Technology, and Skill Development and Entrepreneurship Rajeev Chandrasekhar said data localization provisions were changed in the recent version of the proposed Digital Personal Data Protection Bill.

Revised text of the EU's AI Act indicates stricter proposed rules for "foundation model" systems, including generative AI systems like ChatGPT.

Israel's Constitution, Law and Justice Committee will discuss an amendment to the Privacy Protection Law to prevent Israel from being denied EU adequacy.

Spain's data protection authority, the Agencia Española de Protección de Datos, published a list of public administrations "sanctioned" for failure to uphold citizens' rights to data protection.

Enforcement

Hong Kong's Office of the Privacy Commissioner for Personal Data arrested a 27-year-old woman on doxxing charges after she allegedly posted another individual's personal details on a social media platform in violation of the Personal Data (Privacy) Ordinance.

Italy's data protection authority, the Garante, fined a digital marketing services company 300,000 euros for allegedly illegally processing users' personal data for marketing purposes. 

The U.K. Information Commissioner's Office reprimanded Surrey and Sussex police for using an app that recorded and automatically saved more than 200,000 phone calls without individuals' knowledge. 

Asia-Pacific

Salinger Privacy Principal Anna Johnston, CIPP/E, CIPM, FIP, called for strengthening the Australian Privacy Act's definition of "personal information."

Transparency International Bangladesh raised concerns around surveillance and implementation of the draft Data Protection Act.

Vietnam's government published a Decree on Protection of Personal Data, effective 1 July.

Europe

The European Commission announced the adoption of a proposal for the EU Cyber Solidarity Act.

The EU Council circulated a third draft of compromise text for updating the Product Liability Directive.

European Parliament's position on the proposed Artificial Intelligence Act is stuck on prohibited uses of AI-powered technologies. 

A European Parliament-commissioned impact assessment questioned several aspects of the European Commission's proposed legislation on child sexual abuse material.

U.K. Minister of State in the Department for Science, Innovation and Technology Julia Lopez presented the proposed Data Protection and Digital Information Bill for its second reading in the U.K. House of Commons. 

U.K. Parliament is taking written comments from those with "expertise and experience or a special interest" concerning the proposed Data Protection and Digital Information Bill.

The heads of multiple encrypted chat apps, including WhatsApp and Signal, wrote a letter to the U.K. government claiming the proposed Online Safety Bill would “in effect outlaw end-to-end encryption.”

US

U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., refiled the Online Privacy Act.

U.S. Rep. Kathy Castor, D-Fla., said she plans to reintroduce the Protecting the Information of our Vulnerable Children and Youth Act, known as the Kids PRIVCY Act.

Gov. Spencer Cox, R-Utah, signed Utah House Bill 343, a bill concerning privacy practices for government records, into law 14 March.

Washington state's House voted 57-40 for concurrence and final approval of House Bill 1155, the My Health My Data Act.

Guidance

Denmark's data protection authority, Datatilsynet, published a questionnaire circulated to gauge competencies of municipal data protection officers. 

Ireland’s Data Protection Commission published a guidance note to assist data controllers in compliance with Article 30 of the EU General Data Protection Regulation, which requires a maintained record of processing activities.

The DPC also published four guides for parents on children's data protection rights under the GDPR.

Italy's data protection authority, the Garante, published an information page on dark patterns.

Lithuania's State Data Protection Inspectorate announced the results of its review of data protection officer requirements under the GDPR.

Spain's data protection authority, the Agencia Española de Protección de Datos, issued guidelines to aid public administrations' data protection impact assessments on proposed legislation.

The U.K. National Cyber Security Centre created guidance for implementing data-driven cybersecurity.

New York Attorney General Letitia James published a guide with recommendations to help businesses prevent data breaches and protect consumers' personal information. 

ICYMI

Standard contractual clauses remain a top international data transfer mechanism across the globe, with at least 20 draft contract templates covering 71 countries. The IAPP Research and Insights team constructed an infographic to depict the specific jurisdictions, such as Brazil and the European Economic Area, that rely on SCCs.

State legislatures in Montana and Tennessee granted final passage to comprehensive state privacy bills that now await a governor's signature. IAPP Staff Writer Joe Duball breaks down both pieces of legislation before they're signed into law. 

2023-04-24 12:45:05
Global News Roundup: 11-17 April 2023 https://iapp.org/news/a/global-news-roundup-11-17-april-2023 In this week's Global News Roundup, the European Data Protection Board published its binding decision in the case regarding legality of Meta's EU-U.S. data transfers brought by Ireland's Data Protection Commission. The European Parliament Committee on Civil Liberties, Justice and Home Affairs adopted its nonbinding rejection of the proposed EU-U.S. Data Privacy Framework. And in the U.S., Indiana is on the cusp of becoming the seventh state to enact comprehensive privacy legislation.

The Latest

Members of European Parliament plan to add provisions to the proposed Artificial Intelligence Act that will better address the generative AI boom.

The European Data Protection Board published its 2022 activity report.

The Montana House of Representatives voted 54-43 on final approval of a bill to ban TikTok across the state.

Enforcement

The EDPB announced the finalization of its binding decision in the case regarding legality of Meta's EU-U.S. data transfers brought by Ireland's Data Protection Commission. 

U.S. House Committee on the Judiciary Chair Jim Jordan, R-Ohio, subpoenaed U.S. Federal Trade Commission Chair Lina Khan seeking more information regarding the agency's investigation into the potential breach of Twitter's 2011 consent decree.

Asia-Pacific

Chairperson of South Korea's Personal Information Protection Commission Haksoo Ko and European Commissioner for Justice Didier Reynders published a joint statement in support of their partnership on privacy and data flows.

South Korea’s Supreme Court ruled Google must disclose if it shared citizens' personal data with third parties.

Canada

Canadian Deputy Prime Minister Chrystia Freeland proposed in the 2023 national budget a lift on exempting federal political parties from federal privacy laws.

Europe

The European Parliament Committee on Civil Liberties, Justice and Home Affairs adopted its nonbinding rejection of the proposed EU-U.S. Data Privacy Framework.

European Parliament's position on the proposed Artificial Intelligence Act is stuck on prohibited uses of AI-powered technologies.

Austria’s Data Protection Authority ruled in favor of privacy advocacy group NOYB's complaints against multiple Austrian newspapers and cookie paywalls.

Spain’s data protection authority, the Agencia Española de Protección de Datos, called on the European Data Protection Board to formally review the EU General Data Protection Regulation compliance of OpenAI's ChatGPT.

The U.K. Information Commissioner's Office published its opinion on the Department for Science, Innovation and Technology's proposal for regulating artificial intelligence technologies.

US

The U.S. Department of Health and Human Services' Office for Civil Rights called on health care providers to bring telehealth practices into compliance with the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.

DHHS published a notice of proposed rulemaking to prohibit the use or disclosure of health data "to investigate, or prosecute patients, providers, and others involved in the provision of legal reproductive health care, including abortion care."

The U.S. House Subcommittee on Oversight and Investigations will hold a hearing on the role of data brokers and online privacy protections 19 April.

U.S. state legislative proposals requiring parental access to children's social media raise surveillance concerns.

ICYMI

Bird & Bird's Ruth Boardman, Emma Drake, CIPP/E, and James Moss offered a comprehensive summary of proposed changes to a number of regulatory topics under the U.K. Data Protection and Digital Information (No. 2) Bill, including data transfers, enforcement powers and automated decision-making.

Indiana is on the cusp of becoming the seventh U.S. state to pass a comprehensive privacy law. IAPP Staff Writer Joe Duball had the details on and reactions to SB 5's passage.

Washington is poised to pass legislation that would implement substantive changes to consumer health data protections in the state, and potentially beyond. IAPP Staff Writer Jennifer Bryant reported on the bill’s broad scope, with reaction from the privacy community on the bill's anticipated impact.

2023-04-17 10:05:46
Global News Roundup: 4-10 April 2023 https://iapp.org/news/a/global-news-roundup-april-4-10-2023 In this week's Global News Roundup, the U.K. Information Commissioner's Office fined TikTok for breaches of the U.K. General Data Protection Regulation. The European Data Protection Board issued updated guidelines on personal data breach notification under the EU GDPR. And the first review of the EU-Japan adequacy agreement was finalized.

The Latest

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a Q&A document outlining proper procedures for data protection impact assessments.

The Arkansas House of Representatives voted on final approval of Senate Bill 396, the Social Media Safety Act.

The California Chamber of Commerce filed a petition to the Superior Court of California, County of Sacramento, for a delay on enforcement of California Privacy Rights Act regulations.

Enforcement

The U.K. Information Commissioner's Office issued a formal reprimand to the NHS Highland health board for a "serious" data breach involving individuals likely to be accessing HIV services. 

The U.K. Information Commissioner's Office fined TikTok 12.7 million GBP for breaches of the U.K. General Data Protection Regulation.

Asia-Pacific

India's Minister of Communications and Information Technology Ashwini Vaishnaw said the Digital Personal Data Protection Bill will be tabled in Parliament during the Monsoon session.

Europe

European Commissioner for Justice Didier Reynders and Personal Information Protection Commission of Japan Chairperson Mieko Tanno announced the first review of the EU-Japan mutual adequacy agreement has successfully concluded.

US

Arkansas' Senate Bill 66, creating protections for minors online including age-verification requirements, passed the House and Senate and was sent to the governor for signature. 

Pennsylvania's House Bill 708, establishing consumer data protection measures including creating a Consumer Privacy Fund, was referred to the Committee on Commerce.

In a 27-21 vote, the Washington Senate passed HB1155 — proposed legislation on the collection, sharing and selling of consumer health data. 

Guidance

Deputy Privacy Commissioner of New Zealand Liz MacPherson called data retention "the sleeping giant of data security" in a blog post by the Office of the Privacy Commissioner, stating it is a key issue in several recent cyberattacks.

The European Data Protection Board published updated guidelines on personal data breach notification under the EU General Data Protection Regulation.

ICYMI

The finalization of the first California Privacy Rights Act regulations was another step forward in the state's efforts to be a leader on privacy protection and enforcement. Members of California's privacy enforcement bodies — the California Privacy Protection Agency and the Office of the Attorney General of California — took the stage at the IAPP Global Privacy Summit 2023 and IAPP Staff Writer Joe Duball rounds up highlights from the breakout sessions.

Organizations are considering biometric technologies and subsequent personal data collection more than ever before. In Illinois, those that follow through with adoption without privacy in mind may face the Biometric Information Privacy Act and its private right of action. IAPP Staff Writer Joe Duball looks at the risks companies run in Illinois and the potential for other state legislatures to follow its lead on biometric regulation.

2023-04-10 12:56:39
Global News Roundup: 28 March-3 April 2023 https://iapp.org/news/a/global-news-roundup-28-march-april-3-2023 In this week's Global News Roundup, the European Data Protection Board will continue its debate on the Ireland Data Protection Commission's Meta data transfers case. France ratified the Council of Europe Convention 108+. Australian Information Commissioner Angelene Falk outlined her hopes for Privacy Act reforms. And, the Privacy Commissioner of Canada recommended including privacy protection in potential changes to the Competition Act.

Enforcement

The European Data Protection Board will continue its debate on the Ireland Data Protection Commission case regarding lawfulness of Meta's EU-U.S. data transfers at its plenary meeting 28 March.

The Office of the European Data Protection Supervisor announced its intention to join the European Data Protection Board in its coordinated enforcement of data protection officers.

France ratified the Council of Europe Convention 108+, modifying the original Convention 108 for the protection of individuals with regard to the automatic processing of personal data.

Italy's data protection authority, the Garante, ordered a "temporary limitation of the processing of data of Italian users" by ChatGPT developer OpenAI and opened an investigation into the artificial intelligence vendor.

U.K. Information Commissioner John Edwards said protecting the privacy rights of "people (who) may not even be aware those rights exist" was a core function of the Information Commissioner's Office following a U.K. High Court ruling that found the "immigration exemption" in the Data Protection Act 2018 illegal.

Asia-Pacific

Salinger Privacy Principal Anna Johnston, CIPP/E, CIPM, FIP, wrote a blog on the surprises she observed while analyzing the Australia Attorney-General Department's final report on the 116 proposed Privacy Act reforms.

In an interview with the Australian Financial Review, Australian Information Commissioner Angelene Falk discussed her office's hopes for pending Privacy Act reforms. 

Members of India's Parliament on the Parliamentary Standing Committee on Information Technology proposed 40 amendments to the draft Digital Data Protection Bill.

Japan’s Ministry of Internal Affairs and Communications seeks public opinions on the revised draft of the Telecommunications Business Act. 

Canada

Privacy Commissioner of Canada Philippe Dufresne submitted recommendations to include privacy considerations in potential reforms to Canada's Competition Act.

Europe

EU member states reached a common position on the proposed Data Act, enabling negotiations on the final version of the proposed legislation to begin among the Council of the European Union and European Parliament.

Both chambers of the French legislature approved draft legislation to temporarily utilize "intelligent surveillance systems" during the 2024 Paris Olympics and Paralympics.

The U.K. Regulatory Policy Committee, a government oversight entity, published its opinion on the proposed Data Protection and Digital Information Bill.

US

New York Attorney General Letitia James imposed a USD200,000 fine on a law firm retained by several hospitals that sustained a ransomware attack in 2021.

Guidance

The European Commission announced the formation of a high-level group to advise companies on implementation of the Digital Markets Act.

Norway’s data protection authority, Datatilsynet, published guidance to help businesses identify potential cyberattacks that often spike during holidays, such as Easter.

Spain’s data protection authority, the Agencia Española de Protección de Datos, published guidance to help public administrations manage risks around data exchanges.

The U.K. Information Commissioner's Office Executive Director, Regulatory Risk, Stephen Almond published guidance for organizations developing or using generative artificial intelligence. 

ICYMI

IAPP Westin Research Fellow Amy Olivero parsed through the EU General Data Protection Regulation's data protection officer provisions, spelling out key considerations companies and DPOs should bear in mind as regulators begin their enforcement sweep. 

The role of EU data protection officers is under examination via coordinated enforcement among EU data protection authorities. In light of the upcoming assessments, the IAPP Research and Insights team produced an infographic to outline the requirements of the GDPR-mandated DPO.

The California Privacy Protection Agency announced the first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review. IAPP Staff Writer Joe Duball reported on the announcement and its details.

Gov. Kim Reynolds, R-Iowa, signed Senate File 262 on consumer privacy into law. Reynolds touted the bill as giving consumers "a reasonable level of transparency and control over their personal data." IAPP Westin Research Fellow Anokhy Desai, CIPP/US, CIPT, analyzed the bill from top to bottom and provided key takeaways for privacy professionals.

2023-04-03 11:00:03
Global News Roundup: 21-27 March 2023 https://iapp.org/news/a/global-news-roundup-march-21-27-2023 In this week's Global News Roundup, China said it is investigating "cracked" mobile apps. Several U.S. state attorneys general reached a USD9 million settlement with Google over location tracking practices. Bangladesh outlined its enforcement regime under its proposed Data Protection Act. And, the European Parliament approved the eIDAS Regulation.

The Latest

The European Data Protection Board will continue its debate on the Irish Data Protection Commission's case regarding lawfulness of Meta's EU-U.S. data transfers at its plenary meeting 28 March.

The European Commission announced the formation of a high-level group to advise companies on implementation of the Digital Markets Act.

The European Consumer Organisation welcomed efforts in the EU to harmonize procedural rules on cross-border cases under the EU General Data Protection Regulation, while offering three recommendations in a published document.

The Office of the European Data Protection Supervisor announced intentions to join the European Data Protection Board in its coordinated enforcement of data protection officers.

Enforcement

China's Ministry of Industry and Information Technology announced investigations into alleged data protection violations concerning versions of mobile apps with broken protection or "cracked apps."

The General Court of the Court of Justice of the European Union expects legal challenges to the EU Digital Markets Act by the end of 2023.

Norway's data protection authority, the Datatilsynet, fined U.S.-based Argon Medical Devices 2.5 million kroner for failing to report a July 2021 data breach within the 72-hour deadline required by the GDPR.

Five state attorneys general in the U.S. reached a USD9 million settlement with Google over deceptive location tracking practices. 

Asia-Pacific

The draft document outlining the enforcement regime under Bangladesh’s proposed Data Protection Act was recently released.

Indian Minister of State for Electronics and Information Technology Rajeev Chandrasekhar confirmed the proposed Digital Data Protection Bill will contain a "blacklist" for cross-border data transfers.

Canada

The Canadian government published a companion document with key information about the proposed Artificial Intelligence and Data Act.

Europe

The EU is seeking recognition of the bloc's digital regulations globally via the United Nation’s Global Digital Compact.

The European Parliament approved the eIDAS Regulation, legislation creating a continent-wide digital identity framework.

US

Haverford College Shibulal Family associate professor of computer science Sorelle Friedler, Brown University Center for Tech Responsibility Director Suresh Venkatasubramanian and Center for Technology Innovation Governance Studies fellow Alex Engler, CIPP/E, CIPM, FIP, discussed questions around design and implementation of a "new wave" of U.S. state legislation on artificial intelligence.

Maryland House Bill 0901, a law that would require businesses offering "an online product likely to be accessed by children to complete a certain data protection impact assessment," was given its first reading in the state Senate.

The House Committee on Judiciary Finance and Civil Law supported the proposed Minnesota Age-Appropriate Design Code Act with amendments and referred it to the Commerce Finance and Policy Committee.

New Hampshire Senate Bill 255, which inserts a chapter "detailing a consumer expectation of privacy," was introduced during the state House of Representatives' 16 March recess and referred to its Judiciary Committee.

The Tennessee Senate recommended passing the proposed state Information Protection Act, while the bill was placed on the Commerce Committee calendar in the House.

The state of Washington's Senate Committee on Law and Justice passed House Bill 1155, an act addressing the collection, sharing and selling of consumer health data.

Guidance

The Office of the Saskatchewan Information and Privacy Commissioner is welcoming responses to a survey on access and privacy.

Denmark's data protection authority, Datatilsynet, and several industry organizations will launch a 4 May webinar with new GDPR guidance for small businesses.

2023-03-27 10:48:19
Global News Roundup: March 14-20, 2023
https://iapp.org/news/a/global-news-roundup-march-14-20-2023

In this week's Global News Roundup, the European Parliament adopted its position on the proposed Data Act. The Amsterdam District Court ruled Facebook processed Dutch users' data without legal basis for 10 years. And, the U.S. Federal Trade Commission finalized its USD520 million settlement with Epic Games over alleged Children's Online Privacy Protection Act violations.

The Latest

Trinidad and Tobago's Ministry of Digital Transformation Executive Legal Advisor Rudyard Davidson said work is ongoing to fully operationalize the country's Data Protection Act and Electronic Transaction Act.

China's Ministry of Industry and Information Technology announced investigations into alleged data protection violations concerning versions of mobile apps with broken protection or "cracked apps."

The constituent court of the Court of Justice of the European Union expects legal challenges to the EU Digital Markets Act by the end of 2023, Reuters reports.

The European Parliament approved the eIDAS Regulation, legislation creating a continent-wide digital identity framework.

In an op-ed for The New York Times, former U.S. National Security Council Senior Director Peter Harrell and Special Assistant to the President Tim Wu discussed the need for federal comprehensive privacy legislation.

In a blog post for The Information Accountability Foundation, Groman Consulting Group Principal and former U.S. Federal Trade Commission Chief Privacy Officer Marc Groman outlined his recent analysis and recommendations for a "clearer" version of the proposed American Data Privacy and Protection Act.

Enforcement

The Hong Kong Office of the Privacy Commissioner for Personal Data announced two detainments for alleged doxxing.

Singapore's Personal Data Protection Commission announced a SGD62,400 fine against Eatigo International in relation to a 2020 data breach affecting 2.76 million individuals.

The Amsterdam District Court ruled Facebook Ireland processed Dutch users' personal data for advertising purposes without a legal basis and provided users' data to third parties without proper notification from 2010-2020.

In response to a complaint by privacy advocacy group NOYB, Austria's Data Protection Authority found Facebook's tracking pixel in violation of the EU General Data Protection Regulation, however no penalty was issued by the DPA.

Advocate General of the Court of Justice of the European Union Priit Pikamäe ruled automated processing to determine an individual's probability of obtaining a loan constitutes profiling under the EU General Data Protection Regulation.

France's data protection authority, the Commission nationale de l'informatique et des libertés, published a guide to its "priority themes," which direct its investigations.

Germany's Federal Commissioner for Data Protection and Freedom of Information published its 2022 activity report.

The U.S. Federal Trade Commission finalized its USD520 million settlement with Epic Games over alleged Children's Online Privacy Protection Act violations.

The U.S. FTC requested a 37% budget increase, approximately USD160 million, from U.S. Congress for the fiscal year 2024.

In a report outlining its needs, the U.S. FTC said it wants to hire 310 full-time employees, including 62 dedicated to consumer protection, with an eye toward helping the agency "investigate and litigate more and increasingly complex matters."

The U.S. FTC's new Office of Technology published analysis and subsequent guidance on third-party tracking pixels.

The Colorado attorney general's office announced finalization of the Colorado Privacy Act regulations.

Europe

European Parliament voted 500-23 with 110 abstentions to adopt its position on the proposed Data Act.

US

In a joint statement, U.S. Reps. Pramila Jayapal, D-Wash., and Warren Davidson, R-Ohio, urged reform of the Foreign Intelligence Surveillance Act's Section 702.

Guidance

The Czech Republic's data protection authority, the Úřad pro ochranu osobních údajů, published guidance on cookie disclosures for web operators.

The U.K. Information Commissioner's Office updated its guidance on data protection in artificial intelligence.

The U.K. ICO is launching a hotline for guidance on emerging technologies.

The U.K. ICO also released fresh guidance for product designers on embedding data protection into new products by default.

ICYMI

Amendments to Japan's Telecommunications Business Act, including the External Data Transmission Rule, take force June 16. Mori Hamada & Matsumoto Senior Associate Kaei Ro and Partner Hiroyuki Tanaka provide an overview of the new rule.

The European Data Protection Board announced its 2023 coordinated enforcement action will focus on the designation and position of data protection officers. IAPP Staff Writer Jennifer Bryant has initial details on the CEF and what to expect as the process unfolds.

France's data protection authority, the Commission nationale de l'informatique et des libertés, has been among the most active EU privacy regulators in recent years and that trend won't stop in 2023. IAPP Managing Director, Europe, Isabelle Roccia offers highlights from the CNIL's strategy reveal at the IAPP Data Protection Intensive: France.

Interoperability among existing U.S. comprehensive state privacy legislation is growing, but key differences remain between each of the five laws. IAPP Westin Research Fellow Anokhy Desai, CIPP/US, CIPT, analyzed laws in California, Colorado, Connecticut, Utah and Virginia, comparing and contrasting relevant terms, applicability, exemptions, consumer rights, business obligations and enforcement duties.

Iowa is on the verge of becoming the sixth U.S. state to pass comprehensive privacy legislation. IAPP Staff Writer Joe Duball reports on its recent passage and key aspects of the bill.

2023-03-20 12:10:06
California legislative wrap-up: CCPA amendments, children's privacy and more
https://iapp.org/news/a/californias-legislative-wrap-up-ccpa-amendments-childrens-privacy-and-more

Feb. 17 marked the deadline for California legislators to introduce bills for the current legislative session. Among more than 2700 bills introduced by state senators and assembly members, 10 proposed amendments to the California Consumer Privacy Act and the Information Practices Act of 1977, which imposes purpose limitations, consent requirements and other privacy protections over personal data held by the government. Other bills address topics like updating the Confidentiality of Medical Information Act, platform liability and student data privacy. While a significant majority of data privacy-related bills were introduced by elected representatives from the Democratic Party, Assemblymen Joe Patterson, Jim Patterson and Tri Ta offered a few bills from across the aisle.

Below is a summary of notable bill proposals from the most recent California legislative session. Although historically many of these bills die in committee and never pass, they provide insight into how elected California officials think about privacy issues and trends privacy professionals may see in other states. The CCPA-/CPRA-Related Legislation Tracker in the IAPP Resource Center provides a comprehensive look at these bills and others not detailed below.

California looks to fortify reproductive health data privacy

State houses continue to respond to the Supreme Court’s overturning of Roe v. Wade, and California is no exception. Assembly Bill 254 proposes an amendment to the CMIA that would broaden the definition of medical information to include data from reproductive or sexual health mobile apps and websites, and bring businesses that collect and manage this data into the scope of the act. Relatedly, businesses that process personal information related to services for contraception, pregnancy care and abortions, including consumer web searches for such services, would be brought within scope of the CCPA under proposed AB 1194.

These California bills reflect similar partisan efforts in other states to protect women’s reproductive health data. A Virginia bill that shields menstrual data stored in mobile apps from search warrants easily passed out of the Democrat-led Senate but was later stopped in a GOP-led House subcommittee vote. Comparatively, California passed a similar bill prohibiting companies from complying with data requests in out-of-state warrants for procedures deemed legal in California. The Washington state My Health, My Data Act appears to have a better chance at success than Virginia’s bill, with its proposed protections of consumer health data and special focus on reproductive or sexual health data.

Operational changes would support the attorney general and data brokers

Although the majority of substantive updates and clarifications to the CCPA this year will come via California’s regulatory rulemaking process, a few bills still aim to codify small operational updates to the comprehensive privacy bill. AB 1546 would clarify that the attorney general may commence an enforcement action under the CCPA up to five years after cause of action accrued. This is a significant departure from the existing general law, which imposes a one-year statute of limitations for statutory enforcement actions. Democratic legislators also signaled their commitment to consumer protection with the introduction of AB 947, which originally would have added consumer rights to the list of qualifications considered for the California Privacy Protection Agency’s governing five-member board. On March 6, the Committee on Privacy and Consumer Protection amended the bill to instead expand the definition of sensitive personal information to include a consumer’s citizenship or immigration status.

Data brokers and other privacy pros operating in California should also take note of AB 362, which would extend the annual deadline for data brokers to register with the attorney general from Jan. 31 to Feb. 15.

Platform liability and student privacy … sometimes in the same bill

The wave of introduced legislation also addressed some platform liability and student privacy issues through several proposed bills. The hotly contested SB 287 would impose penalties on social media platforms using algorithms and other designs they know could promote the sale of fentanyl, illegal guns or other self-harming behaviors to minors. Advocates from both industry and civil protections groups are already weighing in on the bill. The “knowing actions” of social media platforms were also addressed in AB 1394, which targets the use of platforms for commercial sexual exploitation and would require platforms to comply with requests from minor victims to remove content relating to their exploitation.

The proposed Let Parents Choose Protection Act would require social media platforms to enable third-party software providers to manage a "child's online interactions, content, and account settings," if given permission by a parent, guardian or user of at least 13 years old. Although the act is less stringent than Utah's recently enacted Social Media Regulation Act (which requires platforms to allow parents or guardians access to minors' account information, including messages, and prohibits all advertising to underage users), the California bill flows in the same recent wave of youth privacy regulation. AB 801, another youth privacy bill introduced this session, would mandate operators like online service providers to honor deletion requests for students' covered information.

A potpourri of privacy for other sectors

There are a few bills focused on context and use cases that may be important for privacy pros. Representatives took aim at the public sector through AB 1034 and AB 302. The former states the legislature’s intent to regulate the use of biometric surveillance by law enforcement. The latter requires the Department of Technology to inventory its high-risk, automated decision-making systems and submit a report to the legislature by Jan. 1, 2025. Finally, the EU’s calls for greater regulation of connected car data practices were reflected in SB 296, a bill introduced in the California Senate that would impose restrictions on the retention, use and sale of images and video recordings captured by in-vehicle cameras.

Looking ahead

In addition to the potential for legislative amendments, the CCPA continues to evolve through the CPPA rulemaking process. The first set of proposed regulations, currently under review by the California Office of Administrative Law, is expected to take effect in April. The next set of regulations on the topics of Cybersecurity Audits, Risk Assessments and Automated Decision-making invite written public comments until March 27. Legislators have until Sept. 14 to pass each bill described above. Until then, privacy pros should keep a close eye on the evolution of the U.S. policy conversation as California and other states continue to serve as testing grounds for new privacy ideas.

2023-03-17 12:30:40
What does Japan's External Data Transmission Rule mean?
https://iapp.org/news/a/japan-to-enact-external-data-transmission-rule-of-amended-telecommunications-business-act

On June 16, Japan will enact the amended Telecommunications Business Act, including the External Data Transmission Rule. This new rule, regarding the use of user information, shares some fundamental ideas with the cookie consent requirements of the EU ePrivacy Directive and applies to various online services provided through web browsers and apps. Businesses offering online services should confirm whether the rule applies to their services, and consider whether to amend existing policies or even establish new ones.

Data protection scope of the APPI

In Japan, the general privacy law is set out in the Act on the Protection of Personal Information, which provides rules for the handling of personal information and data. Under the APPI, "personal information" is defined as information about an individual that can be used or combined with other data to identify the specific individual. Personal data means personal information constituting part of a personal information database. Personal information and personal data are subject to various rules within the APPI, including the requirement of notification at the time of collection and the obligation to obtain consent of the data subject when personal data is provided to a third party.

It should be noted that if certain information cannot be used to identify a specific individual, it does not fall under either personal information or personal data, even if such information relates to a natural person. However, the amended APPI, which came into effect April 2022, imposes a new obligation on data providers when they provide third parties with "personally referable information." Not falling under personal information, this data type includes a person's website browsing history collected through cookies and other online identifiers, as well as information indicating their product purchase history, service usage history and interests. The obligation concerning personally referable information turns on whether the recipient will receive the information as personal data, and it requires the provider to confirm the data subject's consent in that case. That is to say, the recipient is able to identify the specific individual by combining the personally referable information with other information they have, thereby making the combined information personal data. In previous articles, we provided an overview of the new regulation and practical guidance on it based on the guidelines.

Introduction of the External Data Transmission Rule

To ensure comprehensive transparency about the use of data concerning users of telecom services, the External Data Transmission Rule requires covered telecom businesses directing the transmission of user information (e.g., identifiers such as IDs recorded in cookies, advertising IDs, users' behavioral information such as webpage history, usernames, contact information of friends, etc.) recorded in the user's device to anyone other than the user themselves to do one of the following:

  1. Notify users of this transmission.
  2. Publicly announce this transmission.
  3. Obtain the consent of users for this transmission.
  4. Enable users to opt out of this transmission and publicly announce the existence of this option.

This applies when the business is offering telecom services specified in the applicable Ministry of Internal Affairs and Communications ordinance.

This rule covers broader situations on the use of user information than the APPI does, and is also conceptually similar to the cookie consent requirements of the EU ePrivacy Directive. However, in a sense, this rule is milder than the APPI and the ePrivacy Directive, because it does not require covered businesses to obtain user consent. Instead, a notice or public announcement of the transmission suffices.

What is covered by the External Data Transmission Rule?

The scope of the rule is, in fact, very broad. Pursuant to the applicable MIC ordinance and the draft commentary to the rule released by the MIC in December 2022, the specific telecom services subject to the rule are:

  1. Telecom services intermediating communications between other persons, e.g., email services, direct messaging services and closed online meeting services.
  2. Telecom services that
    1. Record and store information received from users in servers and send such information at the request of unspecified users, e.g., social media services, online bulletin board services, video sharing services, online shopping malls, sharing services and matching services.
    2. Simultaneously send information received from users at the request of unspecified users, e.g., live streaming services, online gaming services.
  3. Online searching services.
  4. Services offering various types of information, including news, weather forecasts, videos, maps, transfer guides and job searches.

This rule can also apply to telecommunication services not required to be registered with the MIC under the TBA, and the above fourth category in particular covers a wide range of online services. However, if a business simply posts information about itself on its website, or sells its own products on its retail website, the business is then providing telecom services for its own purposes and is therefore not subject to the rule.

What must be done when the External Data Transmission Rule applies?

When the External Data Transmission Rule applies and businesses notify or publicly announce the required information, they are obligated to provide certain information in a prescribed manner. Specifically, businesses must inform users of:

  1. The items of user information to be transmitted.
  2. Which entity operates the destination (external) server.
  3. The purpose for which the user information is to be transmitted.

Businesses must provide this information in the following prescribed manner:

  1. Writing the information in Japanese, avoiding the use of technical terms and using plain language.
  2. Displaying text in an appropriate size without the need for additional user manipulation.
  3. Ensuring users can easily check this information in other respects, such as adopting easy-to-read font colors in consideration of websites or app backgrounds, and layering the webpage so users can see the entirety of the notification without scrolling.

In addition to the above, when businesses notify users of the information, the businesses must display either the information or the location of the page containing such information, like a URL, on the user's telecom device just in time, such as in a pop-up. If only some parts of the information are displayed in the notification, it is necessary to ensure users can easily reach the rest of the information. Alternatively, businesses must ensure users can recognize the information as easily as or more easily than the above.

Also, when businesses publicly announce the information, the businesses must:

  1. In the case of a website, display the information on a webpage the users access or a webpage easily locatable by users from such webpage.
  2. In the case of mobile apps, display the information on the first page of the app, or on a page easily locatable by users from the first page.
  3. Ensure users can recognize the information as easily as or more easily than in the above points.

Exemptions to the obligations of the External Data Transmission Rule

There are some exceptional cases where covered telecom businesses are not required to implement either of the above-mentioned measures.

One exception is for information that must be transmitted to use the telecom service, including:

  1. Information necessary for providing the telecom service, such as information necessary to properly display codes, sounds or images on the screen of users' telecom device, including operating systems, display settings, language settings and web browsers. In the draft commentary the MIC says information sent to the provider of the telecom service that the user actually and intentionally uses (as opposed to information transmitted automatically or without the user’s direct intention) falls within this exemption. This is fairly different from the EU ePrivacy Directive idea concerning a "strictly necessary" exemption, decided mainly on the purpose of the cookies.
  2. Information necessary for redisplaying information on the user's screen that the user previously input when using the telecommunication service. This includes information necessary for redisplaying goods in a shopping basket when a user accessed an online shopping mall, put such goods in their basket and later returned to the online shopping mall.
  3. Information necessary for redisplaying information concerning the user's authorization that they entered when using the telecom service.
  4. Information necessary for detecting abusive or improper acts against the telecom service, or for mitigating the damage of such unfair acts. In the draft commentary to the rule, the MIC says this exemption only applies to information transmission necessary for security measures for the telecom services which the user uses.
  5. Information for appropriate operation of the telecom service, such as information necessary for load reduction or load balancing of the telecom facilities.

Another exception is for identification codes sent to the user by the telecom service provider that are sent back, such as first-party cookie identifiers.

What will happen next?

The MIC is now finalizing the draft commentary to the rule. It is expected to solicit public comments in March and April to finalize the rule and publicly announce it before the rule comes into force June 16.

2023-03-16 12:25:05
Global News Roundup: March 7-13, 2023
https://iapp.org/news/a/global-news-roundup-march-7-13-2023

In this week's Global News Roundup, the Privacy Commissioner of New Zealand responded to a public survey calling for increased privacy protections. EU companies found to have mishandled health data following a cyberattack are subject to fines following a recent ruling by Ireland's Data Protection Commission. U.S. lawmakers introduced a bill to ban the government's use of facial recognition technology. And the U.K. Information Commissioner's Office introduced a new U.K. General Data Protection Regulation certification scheme.

The Latest

In an interview with Radio Waatea, New Zealand Privacy Commissioner Michael Webster discussed the costs of privacy breaches, data minimization, biometrics regulation and more.

The U.S. Securities and Exchange Commission fined data management platform Blackbaud USD3 million for improper disclosures to individuals affected by a 2020 ransomware attack.

In a 5-0 vote, New Hampshire's State Senate Judiciary Committee recommended Senate Bill 255, relative to the expectation of privacy, should pass with amendments.

The Oklahoma House advanced House Bill 1030, the Oklahoma Computer Data Privacy Act.

Enforcement

The High Court of Australia ruled against Facebook’s appeal for special leave in a 2020 case the Office of Australian Information Commissioner brought against the company.

Privacy Commissioner of New Zealand Michael Webster issued a statement responding to a recent survey showing public desires for increased privacy and data protection.

The Office of the Privacy Commissioner of Canada published its 2023-2024 departmental plan.

The European Commission announced Meta's WhatsApp agreed to improve user transparency for its EU terms of service and privacy notice.

EU-based companies that mishandle personal data following a cyberattack are subject to penalties following a ruling by Ireland’s Data Protection Commission.

Finnish consumer credit company Suomen Asiakastieto was fined 440,000 euros by Finland’s Office of the Data Protection Ombudsman.

Ireland's Data Protection Commission released its 2022 annual report.

The U.S. Federal Trade Commission wants an interview with Twitter CEO Elon Musk in its investigation into privacy and data security allegations against the platform.

Asia-Pacific

New Zealand’s Privacy Commissioner Michael Webster spoke out against the proposed expansion of the Search and Surveillance Act.

India's government plans to amend draft provisions on data transfers in the proposed Digital Personal Data Protection Bill.

Europe

European Data Protection Supervisor Wojciech Wiewiórowski criticized EU policymakers for shortcomings in proposed legislation to combat child sexual abuse materials.

European Parliament's ePrivacy Regulation rapporteur Birgit Sippel called on the Swedish Presidency of the Council of the European Union to give attention to the long-stalled proposal.

The Swedish Presidency of the Council of the European Union is making progress toward its final text for the proposed Data Act.

WhatsApp Head Will Cathcart said its parent company, Meta, would not adhere to the proposed U.K. Online Safety Bill and break its end-to-end encryption.

US

A group of U.S. lawmakers reintroduced the Facial Recognition and Biometric Technology Moratorium Act in both houses of Congress.

U.S. Sens. Mark Warner, D-Va., and John Thune, R-S.D., joined a group of bipartisan senators to introduce the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act.

The Iowa Senate voted 47-0 to advance Senate File 262, an act relating to consumer data protection, to House consideration.

Guidance

The Office of the Privacy Commissioner of Canada announced updates to its guidelines for faxing personal data.

The U.K. Information Commissioner’s Office approved the fourth set of U.K. General Data Protection Regulation certification scheme criteria for training and qualifying service providers.

ICYMI

The adoption of the Digital Markets Act and the Digital Services Act show the EU is focused on reeling in the online advertising industry. Journalist Luca Bertuzzi considers the data protection-related themes that could be looked at with increased adtech rules.

The first annual coordinated action under the European Data Protection Board's Coordinated Enforcement Framework, on the use of cloud-based services by the public sector, concluded in January. IAPP Managing Director, Europe, Isabelle Roccia described the process behind the CEF, the role of DPAs in coordinated enforcement actions and possible outcomes.

The U.K. released draft data protection reform of its General Data Protection Regulation. IAPP Editorial Director Jedidiah Bracy, CIPP, has the details.

The introduction of the proposed U.K. Data Protection and Digital Information Bill served as the perfect talking point to kick off the IAPP Data Protection Intensive: UK 2023 in London. IAPP Staff Writer Jennifer Bryant also reported on the first impressions of the legislation from U.K. Information Commissioner John Edwards and Liberal Democrat House of Lords spokesperson for Science, Innovation and Technology Tim Clement-Jones during IAPP Data Protection Intensive: UK 2023 in London.

During IAPP Data Protection Intensive: UK 2023, U.K. Secretary of State for the Department of Science, Innovation and Technology Michelle Donelan shared her perspective on proposed U.K. data reforms and their impacts, while Bryant also reported on highlights from a panel that explored the state of play and future of both EU data protection enforcement and international data transfers.

The second iteration of proposed reforms to the U.K. General Data Protection Regulation is available for public consumption. IAPP Research and Insights Director Joe Jones parsed through the 212-page Data Protection and Digital Information Bill and offers his initial thoughts, along with the top 10 takeaways for privacy professionals.

Across the U.S., state legislatures are again pushing for the adoption of comprehensive privacy legislation during their 2023 legislative sessions. IAPP Staff Writer Joe Duball looks at where commonality originated from and whether additional trends that could disrupt compliance are on the horizon.

2023-03-13 10:50:52
Global News Roundup: Feb. 28-March 6, 2023
https://iapp.org/news/a/global-news-roundup-feb-28-march-6-2023

In this week's Global News Roundup, Turkey's data protection authority fined TikTok 1.75 million liralar. U.S. Federal Trade Commissioner Christine Wilson announced she will resign at the end of the month. Reforms to the Australian Privacy Act are poised to have significant impacts on small and medium-sized businesses. And new compromise texts of the EU Artificial Intelligence Act were circulated by its co-rapporteurs.

The Latest

The National People’s Congress of China is expected to approve the creation of a data authority during March's annual session.

The House of Commons of Canada plans to re-open debate on the proposed Digital Charter Implementation Act, Bill C-27, at second reading.

U.S. Sens. Mazie Hirono, D-Hawaii, Amy Klobuchar, D-Minn., and Elizabeth Warren, D-Mass. introduced legislation to protect citizens’ personal health data.

The Washington state House of Representatives passed legislation protecting consumer health care data.

Enforcement

New Zealand’s Office of the Privacy Commissioner issued a statement on the value of court injunctions to secure individuals’ data following a data breach.

Turkey’s data protection authority, the Kişisel Verileri Koruma Kurumu, fined TikTok 1.75 million liralar for insufficiently protecting users from unlawful data processing.

Following its investigation into the use of Google Analytics, Norway's data protection authority, Datatilsynet, issued a preliminary conclusion finding the tool breaches the EU General Data Protection Regulation's data transfer rules.

U.S. Federal Trade Commissioner Christine Wilson will resign from her post March 31.

The U.S. Federal Trade Commission announced a proposed order against online counseling service BetterHelp over alleged improper data sharing for advertising purposes.

The U.S. Federal Trade Commission warned Amazon and its newly acquired health care chain One Medical that patients' personal health information should not be used for advertising or marketing purposes.

Asia-Pacific

Conflicting reports emerged over Indian Parliament's Standing Committee on Communications and Information Technology's approval of the proposed Digital Personal Data Protection Bill.

Potential reforms of Australia’s Privacy Act 1988 are poised to make significant changes and could require entities to devote significant resources to compliance.

Other major provisions of the proposed Privacy Act changes include defining data controllers and processors in Australian law, removing the small business exemption, tightening employee information collection and raising the standard for demonstrating “valid consent.”

Under proposed reforms of Australia's Privacy Act, certain small and medium-sized businesses could have their data protection programs regulated.

Europe

The Swedish Presidency of the EU Council circulated new compromise text of the Cyber Resilience Act, detailing its interplay with the Artificial Intelligence Act, and enforcement and penalties.

Proposed Artificial Intelligence Act co-rapporteurs Brando Benifei and Dragoș Tudorache offered a new set of compromise texts concerning a range of disputed topics in the EU proposal.

The U.K. government reportedly won't act on the proposed Data Protection and Digital Information Bill during the current parliamentary session.

U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan denied a reported pause on consideration of the proposed Data Protection and Digital Information Bill.

US

The reauthorization of Section 702 of the Foreign Intelligence Surveillance Act is a "top priority" for U.S. President Joe Biden's administration, National Security Advisor Jake Sullivan said in a statement.

Hawaii Senate Bill 974 advanced out of the Senate Committee on Ways and Means on a 13-0 vote.

Kentucky's proposed Senate Bill 15 was moved to a second reading in the Senate Rules Committee.

The Montana Senate voted 50-0 to advance Senate Bill 384 to House consideration.

Utah Senate Bill 152 on social media regulation amendments earned final passage following Senate concurrence on House amendments.

Guidance

The Hong Kong Office of the Privacy Commissioner for Personal Data published a review of its 2022 activities, during which it responded to 105 data breach notifications.

The Office of the Privacy Commissioner of Canada issued guidance to employers on the use of virtual staffing platforms. 

Spain’s data protection authority, the Agencia Española de Protección de Datos, published guidance for anonymizing data.

The data protection authority of the Spanish autonomous region of Catalonia, the Autoritat Catalana de Protecció de Dades, published the "Privacy by design and privacy by default" guide for developers, allowing them "to develop applications, to identify the different important elements for personal data protection, and (to identify) steps that can be taken to deal with it right from the moment of design."

ICYMI

The European Data Protection Board released its nonbinding opinion on the draft adequacy decision related to the EU-U.S. Data Privacy Framework. The IAPP's Jennifer Bryant and Jedidiah Bracy, CIPP, have the details.

Across the U.S., state legislatures are pushing for the adoption of comprehensive privacy legislation during their 2023 legislative sessions. IAPP Staff Writer Joe Duball looks at where the commonality among the bills originated and whether additional trends that could disrupt compliance are on the horizon.

]]>
2023-03-06 11:50:28
Global News Roundup: Feb. 22-27, 2023 https://iapp.org/news/a/global-news-roundup-feb-22-27-2023 In this week’s Global News Roundup, the Office of the Privacy Commissioner of Canada and several provincial data protection authorities launched an investigation into TikTok. The European Commission will push for legislation to align EU General Data Protection Regulation enforcement among member states’ data protection authorities. The Australian Attorney-General said the government will commit to reforming the Mandatory Data Retention Regime. And a pair of privacy bills were introduced in the U.S. House of Representatives.

The Latest

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, released regulations for application of administrative fines under the General Data Protection Law.

The U.K. government won't act on the proposed Data Protection and Digital Information Bill during the current parliamentary session.

Kentucky's proposed Senate Bill 15 was moved to a second reading in the Senate Rules Committee.

Montana's Business, Labor, and Economic Affairs Committee unanimously passed Senate Bill 384, "An act establishing the Consumer Data Privacy Act."

Enforcement

The Office of the Privacy Commissioner of Canada and provincial privacy authorities announced an investigation into TikTok's data practices.

The European Commission announced its intention to propose legislation to better align EU General Data Protection Regulation enforcement approaches among national data protection authorities.

The European Data Protection Board published a report outlining "a selection of examples of final One-Stop-Shop decisions" taken under Articles 17 and 21 of the GDPR.

The European Data Protection Board released its 2023-2024 Work Programme, which takes from the priorities laid out in its 2021–2022 strategy.

The Netherlands' data protection authority, the Autoriteit Persoonsgegevens, said it will not fine Tesla over potential violations related to its cars' built-in security cameras.

The Netherlands' Autoriteit Persoonsgegevens ordered the Ministry of Justice and Security to immediately stop large-scale processing of airline passenger travel data, saying the "necessity and proportionality" of the processing "cannot be justified."

The First-Tier Tribunal overturned portions of a 2020 enforcement notice by the U.K. Information Commissioner's Office against Experian, confirming the company's reliance on legitimate interests as a legal basis for processing credit reference agency information for direct marketing purposes.

The California Privacy Protection Agency announced its board will next meet March 3.

Asia-Pacific

Australian Attorney-General Mark Dreyfus said the government was committed to reforming the Mandatory Data Retention Regime.

India's Ministry of Electronics and Information Technology defined a child as someone under 18 years old in the proposed Digital Personal Data Protection Bill.

US

Privacy advocates are urging U.S. states to adopt privacy proposals that closely align with the American Data Privacy and Protection Act, which died in Congress last year.

The U.S. House of Representatives is scheduled to deliberate two privacy-related bills Feb. 27: H.R. 538, the Informing Consumers about Smart Devices Act, and H.R. 1123, the Understanding Cybersecurity of Mobile Networks Act.

Bipartisan leaders of the U.S. House Committee on Energy and Commerce announced the Subcommittee on Innovation, Data, and Commerce will hold a March 1 hearing titled "Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy."

The U.S. Securities and Exchange Commission proposed a rule altering the commission’s regulations under the U.S. Privacy Act, which governs “the handling of personal information in the federal government.”

Gov. Gavin Newsom, D-Calif., issued a statement supporting the California Age-Appropriate Design Code Act.

Guidance

Denmark's data protection authority, Datatilsynet, published guidance on cookie wall deployment in the wake of two relevant decisions.

The European Data Protection Board adopted three sets of guidelines following public consultation.

Spain’s data protection authority, the Agencia Española de Protección de Datos, published guidance for anonymizing data.

The U.K. Information Commissioner’s Office is urging accountants to recognize their “crucial role” in helping small to medium-sized clients implement data protection practices.

ICYMI

The Cyberspace Administration of China published standard contractual clauses for transfers of personal data and their implementing regulation Feb. 24. Reed Smith Partner Barbara Li, CIPP/E, outlines the scope and requirements while providing key takeaways for privacy professionals.

The European Data Protection Board issued three enforcement actions against Meta in January, each of which arose as binding decisions from the one-stop-shop dispute resolution mechanism. Following the decisions, IAPP Research and Insights Director Joe Jones offered an in-depth legal analysis of the practical takeaways concerning legal bases and transparency.

]]>
2023-02-27 12:01:06
Global News Roundup: Feb. 14-21, 2023 https://iapp.org/news/a/global-news-roundup-feb-14-21-2023 In this week’s Global News Roundup, Taiwan’s Ministry of Transportation and Communications fined a rental car company following a data breach. A U.S. Federal Trade Commissioner was renominated for a new term. New compromise text of the EU Cyber Resilience Act was circulated in the EU Council of Ministers. And the U.K. Information Commissioner’s Office published advice to help game developers comply with the Age-Appropriate Design Code.

The Latest

The First-Tier Tribunal overturned portions of a 2020 enforcement notice by the U.K. Information Commissioner's Office against Experian, confirming the company's reliance on legitimate interests as a legal basis for processing credit reference agency information for direct marketing purposes.

The European Commission announced its intention to propose legislation to better align national data protection authorities' EU General Data Protection Regulation enforcement approaches.

Enforcement

Taiwan’s Ministry of Transportation and Communications issued a 90,000 yuan fine to a car rental company that experienced a data breach.

The German Federal Constitutional Court ruled the use of Palantir surveillance software by police in Hesse and Hamburg unconstitutional.

The Baden-Württemberg Commissioner for Data Protection and Freedom of Information released its data protection activity report for 2022.

The U.S. Federal Trade Commission announced the creation of the Office of Technology to be led by Chief Technology Officer Stephanie Nguyen.

U.S. President Joe Biden renominated U.S. Federal Trade Commissioner Rebecca Kelly Slaughter to a new term.

U.S. Federal Trade Commissioner Christine Wilson announced her resignation from the agency in an op-ed.

Europe

The Swedish presidency of the EU Council of Ministers shared new compromise text of the draft Cyber Resilience Act with changes to the categorization of "critical" and "highly critical" connected devices.

Proposed Artificial Intelligence Act co-rapporteurs Brando Benifei and Dragoș Tudorache circulated updated compromise texts of the legislation to fellow members of European Parliament.

US

The California Privacy Protection Agency sent its first set of proposed final California Privacy Rights Act regulations to the state's Office of Administrative Law.

A subcommittee of the Virginia House Committee on Courts of Justice halted a bill to protect women's menstrual tracking data from search warrants.

The Washington state Legislature will hold a public hearing on a bill to protect minors from being exploited in for-profit vlogs.

Guidance

The Nova Scotia Office of the Information and Privacy Commissioner published guidance for public agencies on limiting improper data access by their employees.

The U.K. Information Commissioner's Office published guidance to help developers of children's online games comply with the U.K. Age-Appropriate Design Code.

ICYMI

The Australian Attorney-General's Department released its highly anticipated review of the Privacy Act, a significant step in the reform of the nation's privacy law. IAPP Editorial Director Jedidiah Bracy, CIPP, reports on the reforms and shares reaction from Salinger's Anna Johnston, CIPP/E, CIPM, FIP, and Privcore's Annelies Moens, CIPP/E, CIPT, FIP.

The European Parliament Committee on Civil Liberties, Justice and Home Affairs urged the European Commission to deny the U.S. adequacy status based on the proposed EU-U.S. Data Privacy Framework. IAPP Staff Writer Joe Duball reports on the key points stressed in the draft opinion.

]]>
2023-02-21 11:30:40
Global News Roundup: Feb. 7-13, 2023 https://iapp.org/news/a/global-news-roundup-feb-7-13-2023 In this week’s Global News Roundup, South Korea’s data protection authority fined Meta for reportedly requiring customers to give up personal information to use certain platforms. Italy’s data protection authority, the Garante, banned U.S.-based artificial intelligence chatbot company Replika from processing Italian citizens’ personal data. Compromise amendments for the draft EU AI Act were introduced in European Parliament. And several U.S. states advanced various pieces of privacy legislation.

The Latest

The European Data Protection Board published the agenda for its 75th plenary session Feb. 14, which includes leadership elections and discussion on its nonbinding opinion regarding the proposed EU-U.S. Data Privacy Framework.

European Parliament's Industry, Research and Energy Committee adopted the draft Data Act.

Enforcement

South Korea’s data protection authority, the Personal Information Protection Commission, fined Meta 6.6 million won “for allegedly disadvantaging its customers refusing to provide personal information.”

The Office of the Privacy Commissioner of Canada is investigating the federal government invoking the Emergencies Act to compel banks to provide security services with the financial information of COVID-19 lockdown protestors last year.

France's data protection authority, the Commission nationale de l'informatique et des libertés, published a study on the economic stakes of the Data Governance Act, set to enter into force Sept. 24.

Italy's data protection authority, the Garante, banned U.S.-based artificial intelligence chatbot company Replika from processing the personal data of Italian users.

The Netherlands' data protection authority, Autoriteit Persoonsgegevens, fined the municipality of Rotterdam and police 50,000 euros for using two cars equipped with cameras to monitor compliance with COVID-19 measures “without first assessing the privacy risks this might entail.”

Norway’s data protection authority, Datatilsynet, maintained a fine of 10 million kroner issued against fitness center chain Sats for alleged breaches of the Personal Data Protection Regulation.

Canada

Officials from Quebec’s data protection authority, the Commission d’accès à l’information du Québec, presented a brief on Bill 3 to the National Assembly.

Europe

The European Parliament supported a proposal for complementary rules to the Digital Services Act and Digital Markets Act targeting online political advertising.

European Parliament co-rapporteurs Brando Benifei and Dragoș Tudorache proposed compromise amendments to the Artificial Intelligence Act.

US

A subcommittee of the U.S. House Financial Services Committee reviewed a draft financial data privacy bill Feb. 8.

U.S. President Joe Biden discussed children’s safety online, as well as the need to strengthen data privacy for citizens, among other topics during his State of the Union address Feb. 7.

U.S. Sens. Bob Casey, D-Pa., Cory Booker, D-N.J., and Brian Schatz, D-Hawaii, introduced the Stop Spying Bosses Act to protect employees against "invasive and exploitative surveillance technologies."

A bill introduced in the California Legislature would establish an office of artificial intelligence within the Department of Technology.

The Illinois state House of Representatives adjourned its 2023 session without passing HB 3910, the Consumer Privacy Act.

The Indiana state Senate passed SB 5, which proposes to amend state law governing trade regulation to set data protection requirements for private entities controlling personal data.

New York Assembly Bill A01362, the Biometric Privacy Act, was introduced in the state Senate as Bill S04457 and assigned to the Consumer Protection Committee.

After passing the Virginia state Senate, SB 1087, which would establish requirements for medical testing companies to safeguard genetic data, had its first reading in the House of Delegates.

Virginia HB 1688, Consumer Data Protection Act; protections for children, unanimously passed the state Senate’s General Laws and Technology Committee.

Guidance

Digital advertising agencies in the EU and U.S. are seeking to grow their levels of privacy expertise as new privacy regulations around the world are set to go into effect in 2023.

New York City’s Office of Information Privacy updated its “Citywide Privacy Protection Policies and Protocols” to enhance collaboration between cybersecurity and privacy efforts.

ICYMI

Australia is well-positioned to restore balance in the “Faustian bargain” citizens must accept to enjoy the conveniences technology offers, while forsaking their digital privacy, Data Compliance Executive Advisor David Mesman, CIPP/E, CIPM, CIPT, FIP, writes.

The Court of Justice of the European Union issued a significant ruling for data protection officers, which centered around Article 38 of the EU General Data Protection Regulation. The decision will be an important consideration for privacy pros and organizations as they “grapple with the challenging confluence of regulatory compliance and business practice,” IAPP Director of Research and Insights Joe Jones said.

U.K. Prime Minister Rishi Sunak announced the creation of four new government departments, including a dedicated Department for Science, Innovation and Technology focused on technical innovations. The IAPP's Joe Jones said the changes “could pave the way for advances to the U.K. government’s work to reform the (General Data Protection Regulation), to secure new international ‘data bridges,’ and more.”

The U.S. Federal Trade Commission's enforcement action against telehealth and discount prescription provider GoodRx has important takeaways for privacy programs that handle health-related data. It also signals an increase in the FTC's use of its unfairness authority in privacy cases, IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, and Westin Research Fellow Amy Olivero write.

In early February, the U.S. FTC published a proposed order that fines GoodRx $1.5 million. To help better understand the novel and complex issues embedded in the case, IAPP Editorial Director Jedidiah Bracy, CIPP, interviewed WilmerHale Partner Kirk Nahra, CIPP/US, to discuss some of the takeaways privacy pros should consider.

The California Privacy Protection Agency adopted its first set of proposed final California Privacy Rights Act regulations. IAPP Staff Writer Joe Duball reports on the finalization with reactions from the privacy community.

The Supreme Court of Ohio recently ruled that software breaches aren't covered under general insurance policies. Thompson Hine Partner Steven Stransky, CIPP/G, CIPP/US, and Oswald Companies Vice President and Cyber Strategic Leader Lacy Rex analyze the decision and its reinforcement of important principles organizations must consider when reviewing the scope of their cybersecurity frameworks and insurance needs.

]]>
2023-02-13 11:30:23