Privacy Regulation Roundup: Top Stories of August 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Syed Tatheer Kazmi

Associate Data Privacy Analyst, Securiti

Muhammad Ismail

Assoc. Data Privacy Analyst at Securiti

Semra Islam

Sr. Data Privacy Analyst

CIPM, CIPP/Europe

Rohma Fatima Qayyum

Assoc. Data Privacy Analyst

Usman Tariq

Data Privacy Analyst at Securiti

CIPP/US

Securiti has started a Privacy Regulation Roundup summarizing the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.

North and South America Jurisdiction

1. Amendment to Illinois' Biometric Information Privacy Act Signed by Governor

Date: 2nd August, 2024
Summary: The Governor of Illinois, JB Pritzker, approved Senate Bill 2979, amending the Biometric Information Privacy Act (BIPA).

The new amendment adds several new provisions to the law, such as the concept of “electronic signature,” which is defined as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record” and is considered an appropriate method for providing written consent.

Furthermore, the amendment limits cumulative damages: if a private entity violates the law's collection requirements (collecting, capturing, purchasing, receiving through trade, or otherwise obtaining) for the same biometric identifier or biometric information, from the same person, using the same method of collection, in more than one instance, this counts as a single violation and entitles the aggrieved person to at most one recovery. Read more.

2. Pennsylvania Attorney General & Titan Gas Reach Settlement in DNC Registry Violation Case

Date: 5th August, 2024
Summary: The Office of Attorney General Michelle Henry (AG) has announced a settlement with Titan Gas, LLC (also known as CleanSky Energy) over alleged violations of an earlier settlement that prohibited contact with individuals on the 'Do-Not-Call' (DNC) registry.

The two parties first reached a settlement agreement in 2019. Despite that agreement, the AG alleges that roughly 2.7 million further telemarketing calls were made to Pennsylvania residents through deceptive and unlawful lead-generation practices.

Under the new settlement, Titan Gas will pay $160,000 in civil penalties and $35,000 in costs, and must produce a written report describing its compliance with the original settlement and with consumer protection laws.

The press release notes that the settlement was filed in the Dauphin County Court of Common Pleas and takes effect upon approval by the Court. Read more.

3. Bermuda's Privacy Commissioner Releases New Workplace Privacy Guidance

Date: 14th August, 2024
Summary: The Office of the Privacy Commissioner for Bermuda (PrivCom) has issued new guidance on privacy in the workplace under the Personal Information Protection Act 2011, as amended in 2023. The guidance aims to help employers understand their responsibilities when handling employees' personal information. It covers key principles such as fairness, purpose limitation, proportionality, and security safeguards. Additionally, it addresses the lawful use of personal data, including special considerations for occupational health, employee monitoring, and the rights of employees to access and control their personal information. Read more.

4. Bermuda’s Privacy Commissioner Releases Medical Data Protection Guidelines

Date: 19th August, 2024
Summary: The Office of the Privacy Commissioner for Bermuda (PrivCom) published new guidelines on protecting personal information in the medical field. Written as a series of question-and-answer scenarios, the guidelines address several privacy issues relevant to medical professionals and organizations handling personal information in Bermuda.

Patient Contact Information

PrivCom clarifies that patient contact information is personal information under the Personal Information Protection Act (PIPA), and that healthcare organizations and practitioners act as stewards of this data. Patients have the right to access their personal information and medical records and to request corrections or deletions, but these rights are not absolute.

Medical Records Compliance

An organization's compliance with the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR) can be considered good practice, but it does not substitute for PIPA. The organization must still take proactive measures to meet PIPA's specific requirements when managing personal information, and implement a privacy program that aligns with those obligations.

Security Safeguards

Organizations must take appropriate measures to protect personal information. The guidelines do not prescribe specific security measures, but they recommend encryption as a best practice for reducing the risk of unauthorized access and data breaches.

Email Communications in Healthcare

Organizations may send general announcements and other relevant communications by email, but decisions about who receives them must be made on a strict need-to-know basis.

Privacy Considerations with Email Marketing Tools

Email marketing tools raise several privacy concerns, including data sharing, behavioral tracking, data security, and the scope of data collection. Where such tools involve international transfers of personal information, a level of protection comparable to that required under PIPA must be in place. Read more.

Europe and Africa Jurisdiction

5. Higher Regional Court of Frankfurt Rules on the Issue Of Placing Cookies on User’s Device Without Obtaining Consent

Date: 9th August, 2024
Summary: The Higher Regional Court of Frankfurt ruled in case No. 6 U192/23 that a company violated the Telecommunications Digital Services Data Protection Act (TDDDG) by placing cookies on a user's device through third-party websites without obtaining prior consent.

The company in question provided advertising and analytics services to website operators who embedded the company’s code on their sites, which led to cookies being set whenever users accessed the page despite contractual obligations that required operators to obtain users’ prior consent.

The court relied on Section 25 (§ 25) of the TDDDG, which prohibits storing information on, or accessing information already stored on, a user's device without the user's consent. The court issued an injunction barring the company from placing cookies without consent, backed by a penalty of up to €250,000 for future violations. Read more.

6. Senegalese Data Protection Authority Issues Press Release on Protecting Minors’ Personal Data

Date: 9th August, 2024
Summary: The Senegalese Data Protection Authority (CDP) has issued a press release stating the urgent need to protect minors’ data, especially the widespread sharing of videos involving children on social media. Furthermore, the press release reiterated the following key legal points to the public:

  • Collection and sharing of minors’ images without consent from their legal representatives is prohibited;
  • The Senegalese Penal Code penalizes the sharing of images that may violate an individual’s privacy and dignity;
  • Exposure of children to social media may lead to risks such as cyberbullying. Read more.

7. AEPD Imposes a Fine of €450,000 On UNIQLO EUROPE LTD on Account of Violation of the GDPR

Date: 16th August, 2024
Summary: On August 12, 2024, the Spanish Data Protection Authority (AEPD) fined UNIQLO EUROPE LTD's Spain branch €450,000, later reduced to €270,000, for violating the General Data Protection Regulation (GDPR). The breach occurred when a UNIQLO employee mistakenly sent payroll information for the entire workforce to an unauthorized third party.

The AEPD found that UNIQLO had failed to ensure the confidentiality and integrity of its workers' personal data and to adopt appropriate technical and organizational measures, which allowed an unauthorized third party to access employees' personal data, in violation of Articles 5(1)(f) and 32 of the GDPR. The AEPD held UNIQLO accountable and required it to implement stronger technical and organizational measures to protect the personal data of its workers. Read more.

8. CNIL Publishes Details On BCR Monitoring Tool

Date: 27th August, 2024
Summary: The French Data Protection Authority (CNIL) has announced the publication of a monitoring tool for Binding Corporate Rules (BCRs). The tool works in three stages built around two questionnaires:

  • The data protection officer (DPO), or the person in charge of the group of entities, designates the entities that will be subject to monitoring;
  • Each designated entity completes the "local entity" questionnaire and forwards it to the group's DPO or person in charge;
  • The DPO then completes a second "group questionnaire" based on the feedback gathered from the local entity questionnaires.

According to the CNIL, the local entity questionnaire lets each entity provide feedback that supports a harmonized deployment of the BCRs, while the group questionnaire gives the DPO an overall picture of the group's compliance. The questionnaires assess the BCRs' bindingness, transparency, and data protection safeguards, including any Data Protection Impact Assessments (DPIAs) conducted, the history of data breaches, and how data subjects may submit requests.

9. German BaFin Publishes Guide For DORA Implementation

Date: 28th August, 2024
Summary: The Federal Financial Supervisory Authority (BaFin) has published a technical implementation guide for the Digital Operational Resilience Act (DORA), which applies to in-scope financial entities from January 17, 2025. The Act places the following reporting obligations on those entities:

  • Report serious ICT-related incidents;
  • Voluntarily report significant cyberthreats;
  • Submit the information register containing all contractual agreements on the use of ICT services provided by ICT third-party service providers.

These submissions must be made through BaFin's MVP portal. BaFin explains that, after registering on the portal, reporters must additionally apply for activation of the dedicated DORA specialist procedure. Read more.

Asia Jurisdiction

10. New Circular In Philippines Updates Guidelines For CCTV Usage

Date: 19th August, 2024
Summary: The National Privacy Commission (NPC) issued NPC Circular No. 2024-02 on August 12. The circular updates guidelines for CCTV use by personal information controllers and processors under the Data Privacy Act of 2012. Furthermore, the circular mandates prominent CCTV notices, security measures, and procedures for handling access requests and data breaches, ensuring a balance between security and privacy. It will become effective on August 27, 2024. Read more.

11. Malaysia's Cybersecurity Act 2024 to Take Effect on August 26

Date: 22nd August, 2024
Summary: Malaysia’s Prime Minister announced that the Cybersecurity Act 2024 will be effective from August 26, 2024, following its Royal Assent on June 18, 2024. The Act establishes the National Cyber Security Committee and defines the roles of the Chief Executive of the National Cyber Security Agency and CII sector leads. It also covers cybersecurity threat management, incident response for national critical infrastructure, and regulates and licenses cybersecurity service providers.

12. SEBI Issues New Framework For Regulated Entities

Date: 26th August, 2024
Summary: On August 20, 2024, SEBI issued its Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) to strengthen their cybersecurity posture. It replaces the pre-existing SEBI guidelines. Key aspects of the new framework include:

  • REs must ensure appropriate data protection measures, including encryption and data localization within India;
  • REs must document and implement an authentication and access policy, with log collection and a clear data retention policy;
  • REs must conduct regular risk assessments to identify potential vulnerabilities, third-party risks, and the state of their data security. Read more.

13. Saudi Arabia Introduces New Rules for Appointing Data Protection Officers

Date: 27th August, 2024
Summary: On August 27, 2024, the Saudi Data & Artificial Intelligence Authority (SDAIA) issued rules for appointing Personal Data Protection Officers (DPOs) under the Personal Data Protection Law (PDPL). The rules mandate DPO appointments for entities processing large-scale personal data, engaging in data monitoring, or handling sensitive data. DPOs must have relevant qualifications, experience, and a clean legal record. Their role includes advising on data protection, aiding policy development, training, and overseeing data breach responses. Read more.

14. Saudi Arabia Launches National Register For Data Controllers

Date: 30th August, 2024
Summary: The Saudi Data & AI Authority (SDAIA) has published rules establishing the National Register of Controllers, now available on the National Data Governance Platform. All entities processing personal data for purposes other than personal use must register. The platform offers services such as breach notifications, privacy impact assessments, and compliance support. Registration is valid for up to five years, and the public can consult the register to verify registered controllers. Read more.

15. Saudi Arabia Overhauls Data Transfer Regulations with New Safeguards

Date: 31st August, 2024
Summary: SDAIA has updated Saudi Arabia's Data Transfer Regulations. Under the regulations, SDAIA will publish a list of countries and organizations whose data protection standards are equivalent to those in Saudi Arabia. The regulations also set out when data may be transferred to a recipient country that lacks adequate data protection: transfers are permitted with appropriate safeguards or derogations such as Binding Common Rules (BCR), Standard Contractual Clauses (SCC), or Certifications of Accreditation. They further detail exceptions to these requirements and note that SDAIA may revise the criteria for appropriate safeguards every two years. Risk assessments are required when relying on derogations or when transferring sensitive data at large scale. Read more.

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.
