Americas news
Brazil – resolution on breach notification
On 26 April 2024, the Brazilian data protection authority (the ANPD) published a resolution on the reporting of security incidents. The resolution (which took effect immediately):
- clarifies what constitutes a notifiable breach
- makes it mandatory to notify the ANPD and affected individuals within three business days and
- introduces a requirement for controllers to maintain a record of security incidents
Read Resolution No.15 on reporting of security incidents (in Portuguese)
USA – Minnesota Consumer Data Privacy Act (MCDPA)
On 24 May 2024, the MCDPA was signed into law by the Governor of Minnesota.
The Act, which will come into effect on 31 July 2025, largely tracks previous US state consumer privacy laws. It applies to businesses operating in Minnesota that either handle the personal data of 100,000 or more consumers (with payment data excluded) or derive more than 25% of revenue from personal data sales (and process the data of at least 25,000 consumers). Small businesses are exempt, as is data covered by the Gramm-Leach-Bliley Act (among other exemptions).
USA – Vermont Data Privacy Act (VDPA)
On 10 May 2024, the VDPA was passed by the Vermont legislature. Based broadly on the laws in Connecticut and Maryland, the VDPA includes a private right of action, data minimisation obligations, and provisions regarding age-appropriate design. The VDPA still needs to be signed by the Governor of Vermont before it will become law.
Asia news
Indonesia – government consultation on online child protection
On 16 May 2024, the Ministry of Communication and Information (Kominfo) issued a draft Government Regulation for public consultation concerning online child protection. The consultation closed on 31 May 2024.
Read the Kominfo press release (in Indonesian)
Japan – new guidelines on AI
On 19 April 2024, Japan’s Ministry of Economy, Trade and Industry (METI) published new and updated AI Guidelines for Business which provide unified guiding principles for AI governance in Japan. The guidelines apply to organisations using AI in all use-cases, across the entire AI lifecycle, and set out a number of measures to be taken by companies adopting a risk-based approach to AI governance and compliance.
Read the guidelines (in English)
China – consultation on generative AI security requirements
On 23 May 2024, China's National Information Security Standardization Technical Committee (TC-260) issued a consultation on Basic Security Requirements for Generative Artificial Intelligence Services. The consultation closes on 22 July 2024.
Read the announcement and draft requirements (in Chinese)
South Korea – proposal on data portability
On 1 May 2024, the Personal Information Protection Commission (PIPC) published a notice proposing partial amendments of the Enforcement Decree of the Personal Information Protection Act (the PIPA), to create a data portability right. Comments are invited up until 10 June 2024.
Australasia news
New Zealand – consultation on Privacy Amendment Bill
On 6 May 2024, the Office of the Privacy Commissioner in New Zealand published a consultation on the Privacy Amendment Bill which is open until 14 June 2024.
The Bill has two parts:
- Part 1 contains substantive amendments to the law that will improve transparency for individuals
- Part 2 contains other amendments to update and clarify the law
New Zealand – Customer and Product Data Bill
On 15 May 2024, the New Zealand Government introduced a Bill to establish an economy-wide framework to enable greater access to, and sharing of, customer and product data between businesses (a 'Consumer Data Right').
The Bill is intended to:
- give customers (including both individuals and entities) in designated sectors greater control over how their customer data is accessed and used
- promote innovation
- facilitate competition
- facilitate secure, standardised, and efficient data services
Europe news
Spain – updated guidance on cookies
On 14 May 2024, the Spanish data protection authority (the AEPD) updated its cookies guidance following the European Data Protection Board’s opinion on “consent or pay” advertising models used by large online platforms.
The guidance acknowledges the multiple complexities imposed by cookies and aims to help organisations assess them in order to implement their use. It also highlights the challenges set out in the EDPB’s opinion and reiterates its commitment to developing guidelines on “consent or pay” models with a broader scope.
View the updated guidance (in Spanish)
Denmark – two DPIA templates issued
Denmark’s data protection authority (Datatilsynet) has issued two templates for conducting data protection impact assessments (DPIAs). One template relates specifically to Artificial Intelligence (AI) solutions whereas the other is of a more generic nature.
View the AI template (in Danish)
View the generic template (in Danish)
EU Member States – EDPB publishes 2023 Annual Report
On 23 April 2024, the European Data Protection Board (EDPB) published its Annual Report for 2023. The report provides an overview of its work in 2023, including in relation to:
- binding decisions
- general guidance
- legislative and stakeholder consultations
- enforcement and cooperation
- activities taken by the EDPB to support enforcement
Netherlands – guidance on data scraping
On 1 May 2024, the Dutch data protection authority (the AP) published guidelines on data scraping (i.e. the automated collection and recording of information from the internet). The guidelines warn private organisations that data scraping will almost always be unlawful. They list specific examples of unlawful data scraping, as well as exceptional cases where it may be permitted.
Read the guidelines (in Dutch)
United Kingdom – strategic approach to regulating AI
On 30 April 2024, the Information Commissioner’s Office (ICO) published its strategic approach to regulating AI, which includes a useful summary of the current law and guidance in this area, as well as providing insights on the ICO’s enforcement activities and upcoming developments.
Read the ICO’s strategic approach
United Kingdom – UK Data Protection and Digital Information (No. 2) Bill
On 22 May 2024, the UK Prime Minister called a general election for 4 July 2024. The Bill (which proposed significant changes to the UK’s data protection regime) was not passed into law before Parliament was dissolved in advance of the election and it has therefore been dropped. It will be for the next government (after the election) to decide on the future of UK data protection law.
Middle East news
Israel – PPA issues position on conducting risk surveys and penetration tests
On 9 May 2024, the Privacy Protection Authority (PPA) issued a document setting out its position regarding the conduct of risk surveys and penetration tests under the Privacy Protection Regulations (Information Security) 5777-2017.
Read the PPA’s position document (in Hebrew)
Israel – privacy class actions
Israel's Ministry of Justice is consulting on amendments to the Class Action Law to, among other things, introduce the possibility of filing a class action for invasion of privacy.
Sanctions. We're keeping count.
304. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2024. It amounts to over 430 million US dollars in penalties and numerous other reprimands and corrective actions.