Privacy Regulation Roundup: Top Stories of April 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. For each relevant regulatory activity, you can find a link to related resources at the bottom.

Asia Jurisdiction

1. Philippines' National Privacy Commission Issues New Circulars

Date: 1st April, 2024
Summary: The National Privacy Commission (NPC) issued two separate circulars related to the protection of personal data in the Philippines. The first, NPC Circular 2023-05, provides useful information for subject organizations and certification bodies (CBs) in the Philippine Privacy Mark (PPM) Certification Program, such as the requirement for information controllers (PICs) or processors (PIPs) to attain ISO/IEC 27001 and ISO/IEC 27701 certifications. Similarly, CBs must meet ISO/IEC 17021-1 standards for accreditation. The second, NPC Circular 2023-06, necessitates updated security standards for all personal data being handled in the public and private sectors. These standards are related to obligations such as the appointment of a data protection officer, regular privacy impact assessments, and privacy management programs. Other provisions include storage protocols, access controls, and the deployment of a reliable Business Continuity Plan to counter any issues arising from disruptions. Read more.

2. Singaporean Cybersecurity Bill Read For The First Time

Date: 4th April, 2024
Summary: The Cybersecurity Amendment Bill was read for the first time in Singapore. The bill proposes several amendments to the Cybersecurity Act of 2018, which include requirements for foundational digital infrastructure services providers to uphold cybersecurity standards, reporting of cybersecurity incidents to the Cyber Security Agency of Singapore (CSA), requirements for Critical Information Infrastructure (CII) owners to maintain responsibility for cybersecurity and cyber resilience, the introduction of two new regulated entity classes, i.e., Entities of Special Cybersecurity Interest (ESCI) & Foundational Digital Infrastructure (FDI), and oversight expansion to cover Systems of Temporary Cybersecurity Concern (STCCs). Read more.

3. Office Of The Privacy Commissioner Of New Zealand Announces New Draft Rules

Date: 11th April, 2024
Summary: The Office of the Privacy Commissioner of New Zealand (OPC) has announced new draft rules related to the use of biometric technologies. These draft rules have been opened for consultation. The OPC has stated that these new rules will be targeted at organizations within New Zealand that use biometric technologies. Read more.

EU Jurisdiction

4. Amazon Loses Appeal In EU Court

Date: 1st April, 2024
Summary: Amazon Services Europe, a subsidiary of Amazon, was designated as a very large online platform per the Regulation on a Single Market for Digital Services. Consequently, Amazon was required to make its online advertising practices public. Amazon approached the General Court of the European Union, seeking a suspension of the obligation, which was granted. However, this decision was overturned despite Amazon’s claims that it would seriously jeopardize Amazon’s fundamental rights related to respect for private life and the freedom to conduct business as an organization. Read more.

5. New Ukrainian Data Law Comes Into Effect

Date: 2nd April, 2024
Summary: The Law of 10 August 2023 No. 3321-IX came into effect in March 2024. The law provides critical information related to the relationship between consumers and digital content/service providers. Particularly, the law addresses situations where the digital content/service providers offer their product/service to consumers and consumers agree to provide their personal data without intending for such data to be used for any other purpose. However, aspects related to electronic communication, medical, and financial services, among others, are not covered. Read more.

6. Ethiopian Parliament Announces The Passage Of The Personal Data Protection Bill

Date: 8th April, 2024
Summary: Per the Ethiopian Parliament’s Facebook announcement, the Personal Data Protection Bill has been passed in Ethiopia. The Bill establishes critical data privacy principles such as the data rights of data subjects, principles for personal data processing, obligations when processing the personal data of minors, and a supervisory authority that regulates data protection across the country. The bill will apply to all data controllers and processors operating in Ethiopia as well as the data processing of devices located in Ethiopia, even if the data is not intended to leave the country’s jurisdiction. Read more.

7. CJEU Decision Offers Clarification On Compensation For GDPR Infringements

Date: 11th April, 2024
Summary: The CJEU’s decision in case C‑741/21 addresses the issue of compensation for non-material damages occurring as a result of a GDPR infringement. The case involves an individual who had withdrawn their consent to receiving advertisement-related communications but kept on receiving such materials. In the ruling, the court clarified that three conditions must be met for a GDPR infringement to lead to non-material damage compensation. These include the existence of damage, a GDPR infringement, and a causal link between the two. Additionally, the court stated that the criteria for setting administrative fines under the GDPR do not directly apply when determining compensation, with each instance of infringement subject to separate assessments. Moreover, the controller cannot avoid liability in such instances by blaming an individual who may have acted under their authority. Read more.

8. German Federal Court Rules On Right Of Access Case

Date: 16th April, 2024
Summary: The Federal Court of Germany announced its verdict in case number VI ZR 330/21, providing clarification on the interpretation of “copies of personal data” under the GDPR.

The plaintiff in the case had requested copies of their personal data held by the defendants, including emails, letters, telephone notes, and minutes. Per the court’s decision, data subjects have the right of access to copies of letters and emails they authored. However, letters, emails, telephone notes, and minutes from data controllers may not qualify as personal data even if they contain the data subject’s information. The data subject may request copies of the entire document if it is necessary for comprehension through contextualization and the exercise of rights. The plaintiff, in this instance, failed to explain the necessity of contextualization. Read more.

Date: 17th April, 2024
Summary: The EDPB has finally adopted its opinion on the highly debated pay-or-consent model approach. The EDPB has determined that it will not be possible for large online platforms to comply with the relevant valid consent requirements if the only choice they’re allowed to present to users is between consenting to the processing of their personal data or paying a fee. The EDPB recommends large online platforms develop alternatives to the consent or pay model with an equivalent alternative that does not require users to pay. Additional recommendations include possible advertising models that rely on minimal or no personal data processing, allowing for appropriate privacy rights protection and seamless access to online services. Read more.

10. Paderborn Court Rules On Unsolicited Advertising Communications

Date: 15th April, 2024
Summary: The Paderborn Regional Court passed its judgment in case number 2 O 325/23, where the defendant was found to have violated both the Act Against Unfair Competition (UWG) and the General Data Protection Regulation (GDPR) owing to their unsolicited advertising communications with the plaintiff. The defendant violated the UWG by continuing to send marketing emails despite the plaintiff’s objection. The Court added that the GDPR provides for a period of up to one month for the provision of information but not for the implementation of the objection as the defendant had claimed. Read more.

North and South America Jurisdiction

11. New Cybersecurity Act Provides Relief For Companies That Suffer A Data Breach

Date: 2nd April, 2024
Summary: The Cybersecurity Incident Liability Act was passed in Florida, ensuring immunity for covered entities that suffer a data breach. However, this immunity will depend on a range of factors, including compliance with the relevant data breach notification requirements per the Florida Information Protection Act, adoption and consistent updates of relevant cybersecurity programs per industry standards, and the burden of proof being on the defendant to prove their compliance. Read more.

12. Maryland Gets Its Data Privacy Regulation

Date: 6th April, 2024
Summary: The Maryland Online Data Privacy Act (MODPA) has been passed by the legislature, ensuring Maryland will become either the sixteenth or seventeenth state to pass a comprehensive data privacy act, owing to a similar bill awaiting the Governor’s signature in Nebraska. The Act will come into effect in October 2025, providing consumers with a greater degree of protection in comparison to similar regulations in other states, such as Connecticut, Colorado, Oregon, and Delaware, due to data minimization and other such requirements. Read more.

13. Nebraska Latest US State To Get Data Privacy Regulation

Date: 17th April, 2024
Summary: The Nebraska Data Privacy Act was signed into law after Governor Jim Pillen formally signed Legislative Bill 1074. As a result, Nebraska became the seventeenth state to adopt such a comprehensive data privacy regulation within the United States. The Nebraska Data Privacy Act, which will come into effect in January 2025, has been closely modeled on the Texas Data Privacy and Security Act. It applies to all entities that conduct business or provide services in Nebraska, engage in the processing or sale of personal data, and do not qualify as small businesses. Read more.

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.
