Newsletter

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't) - December 2023

Author: aosphere

18 December 2023

|

Area: Data privacy

Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't) - December 2023

Africa news

Ivory Coast – ARTCI opens public consultation on advanced technologies

The Ivory Coast Data Protection Authority (ARTCI) is conducting a study on the impact of advanced technologies on personal data protection. The public can actively participate by completing questionnaires on biometrics, video surveillance, drones, and AI.

Read the press release and questionnaires (in French) 

Americas news

Canada – privacy regulators launch AI principles


The Canadian privacy authorities have developed a set of principles to advance the responsible, trustworthy, and privacy-protective development and use of generative artificial intelligence (AI) technologies in Canada. Their joint statement sets out the principles and provides examples of best practice.

Read the joint statement 

 
Uruguay – updated list of adequate jurisdictions

Uruguay has updated its list of adequate jurisdictions and recipients to include recipients in South Korea (that are subject to the Korean Personal Data Protection Law), and entities included on the USA Department of Commerce's Data Privacy Framework Listing.

Read the supporting resolution (in Spanish) 
 

Brazil – ANPD sets out priority topics for 2024/2025

The Brazilian data protection authority (ANPD) has published its areas of focus for 2024-2025, in terms of both regulatory research and inspection activities. Those areas are: individual rights; children’s personal data in the digital environment; processing in the context of artificial intelligence for facial recognition; and data scraping and data aggregators.

View the resolution (in Portuguese)

 

United States – FCC launches privacy enforcement partnerships

The Federal Communications Commission (FCC) has announced that it will formally work in partnership with the attorneys general of Connecticut, Illinois, New York, and Pennsylvania to investigate consumer-related privacy, data protection and cybersecurity issues (with a particular focus on data breaches, telephone scams and other fraudulent activity). 

View the press release 

Asia news

South Korea – second amendment proposed to Enforcement Decree

The Personal Information Protection Commission (the PIPC) has published notice of a second amendment to the Enforcement Decree of the Personal Information Protection Act. The notice sets out certain proposed standards and procedures for the law due to take effect on 15 March 2024, covering areas such as automated decision-making, requirements for DPOs, and compensation for individuals.

View the PIPC’s announcement (in Korean)

 

Indonesia – government increases online child protection

The Indonesian government has passed the second amendment to Law No.11/2008 on Electronic Information and Transactions (the ITE law), aiming to increase child protection in the digital space. Of particular note are obligations relating to age verification, to detect if children are using a particular service.

View the press release (in Indonesian) 
 

China – measures for the management of cybersecurity incident reporting proposed

The Cyberspace Administration of China has issued a consultation on proposed ‘Cybersecurity Incident Reporting Management Measures.’ The measures aim to standardise the reporting of network security incidents, reduce the losses and harm caused by network security incidents, and maintain national network security.

View the consultation (in Chinese) 

Australasia news

New Zealand – consultation on biometrics announced

The New Zealand Privacy Commissioner has announced that a consultation will take place on a proposed code for the processing of biometric information. The draft code will be issued in 2024.

View the Commissioner’s press release 

Europe news

EU Member States – CJEU issues numerous decisions

The Court of Justice of the European Union (CJEU) has issued several significant decisions on the application of the GDPR, including:

  • Case – C683/21 – regarding the liability of controllers/joint controllers
  • Case – C807/21 – regarding breaches of the GDPR without the knowledge of management
  • Case – C-634/21 – regarding data processing by credit information agencies 

View the CJEU’s press release about these decisions
 

Switzerland – digital strategy adopted

On 8 December 2023, the Federal Council adopted the Digital Switzerland Strategy which sets out guidelines for Switzerland’s digital transformation and gives those involved in digitalisation, public and private, a framework on which to rely.

View the digital strategy 
 

Spain – AEPD issues guidance on the use of biometric technologies

The Spanish Data Protection Authority (AEPD) has published guidance on the use of biometric technologies to collect and process biometric data, for both work and non-work purposes. The guide also sets out a list of organisational, technical and security measures to protect such data.

View the AEPD’s guidance (in Spanish) 

 
European Union – Artificial Intelligence Act provisionally agreed

On 9 December 2023, EU policymakers reached a provisional political agreement on the EU AI act. The text of the act will now need to be finalised and formally adopted by the European Parliament and Council to become EU law. 

View the EU Council press release 
View the EU Parliament press release 
 

UK – ICO issues cookies warning

The Information Commissioner’s Office (ICO) has contacted several (unnamed) organisations operating some of the UK’s most visited websites warning them that they face enforcement action if they do not comply with data protection law regarding cookies. In particular, the ICO emphasises that it must be as easy for site users to “Reject all” advertising cookies as it is to “Accept all.”

View the ICO’s press release about these warnings 

Middle East news

Israel – government issues emergency cyber regulations

The Saudi Data and Artificial Intelligence Authority (SDAIA) has published a consultation on proposed rules for the appointment of a Data Protection Officer (DPO).

View the regulations (in Hebrew)

 

Qatar – privacy by design assessment tool launched

The Qatari privacy regulator has launched a new privacy by design assessment tool for organisations to evaluate their systems and applications that handle personal data (but not to assess their compliance with Qatari data privacy law).

View the press release about the tool

Sanctions. We're keeping count.

42. That's the number of regulatory sanctions Rulefinder Data Privacy has tracked since last month's newsletter. It amounts to over 4 million US dollars in penalties and numerous other reprimands and corrective actions.

Want to find out more?

Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.

Request a free trial
Want to find out more?

Related know-how

Data retention – solving records retention challenges

article

Wanne Pemmelaar from filerskeepers explains why every organisation needs a data retention policy and highlights the challenges involved in implementing an effective data retention policy.

Global privacy laws for employee personal data

article

Data privacy issues have an impact on HR activities throughout the entire employment cycle.