
Privacy Regulation Roundup : Top Stories of December 2023

Author

Anas Baig

Product Marketing Manager at Securiti


Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. New developments are added to our website on a monthly basis. For each regulatory activity, a link to related resources is provided at the end of the entry.

1. China released a national standard on notice and consent for personal information processing

Country: China
Date: 1 Dec
Summary: China has released a national standard on notice and consent regarding the processing of personal information. The standard took effect on 1 December 2023. Read more

2. India Department of Consumer Affairs issued proposed guidelines

Country: India
Date: 6 Dec
Summary: The India Department of Consumer Affairs issued proposed guidelines to prevent deceptive marketing tactics, or "dark patterns." The guidelines note that marketing strategies such as forced actions, false urgency, and disguised advertisements should be regulated to prevent companies from targeting consumers in harmful ways. Read more

3. California Privacy Protection Agency (CPPA) and legislative initiative

Country: United States (California)
Date: 8 Dec
Summary: The California Privacy Protection Agency (CPPA) announced that its Board voted to move forward with a legislative initiative. This initiative aims to compel browser vendors to integrate a feature enabling users to assert their California privacy rights through opt-out preference signals. Currently, Californian consumers who wish to opt out must use a browser supporting such signals or go through extra steps to find and download a third-party plugin with this functionality. The CPPA's proposal seeks to streamline this process and make privacy rights more accessible for users. Read more

4. Saudi Data & Artificial Intelligence Authority (SDAIA) has launched the National Data Governance Forum

Country: Saudi Arabia
Date: 11 Dec
Summary: The Saudi Data & Artificial Intelligence Authority (SDAIA) has launched the National Data Governance Platform. The platform serves to register entities falling within the scope of the Personal Data Protection Law (PDPL). SDAIA noted that the platform would form a unified national registry and assist entities in fulfilling their obligations under the PDPL. The National Data Index (NDI) has also been launched. It is a results-based indicator that assesses and tracks the progress of government entities in the maturity of their data management practices, among other things. Read more

5. Personal Data Protection Authority (KVKK) addressed concerns regarding personal data

Country: Turkey
Date: 13 Dec
Summary: The Personal Data Protection Authority (KVKK) addressed concerns regarding personal data processing in shopping transactions, specifically the issuance of verification codes via SMS by data controllers. Following complaints, the KVKK found instances where post-transaction SMS messages were sent for marketing purposes without proper information or explicit consent, in violation of the Law on Protection of Personal Data No. 6698. To ensure compliance, the KVKK mandated practices such as clearly stating the purpose of the SMS during checkout, explaining the consequences of entering the verification code, and providing information channels. The KVKK prohibited bundling processing activities and emphasized obtaining separate explicit consent for each activity. It also stressed that explicit consent for commercial messages must not be made a condition of purchase, so that consumers do not perceive it as a shopping prerequisite. Read more

6. U.S. Department of Health and Human Services adopted finalized rules

Country: United States
Date: 13 Dec
Summary: The U.S. Department of Health and Human Services adopted finalized rules concerning algorithm transparency and health information technology interoperability among health care providers. The algorithm transparency provisions aim to "promote responsible artificial intelligence" and allow for "a consistent, baseline set of information about the algorithms." Read more

7. European Parliament and Council reached a political agreement on the AI Act

Country: European Union
Date: 14 Dec
Summary: The European Parliament and Council reached a political agreement on the AI Act on December 9, 2023, which would become the world's first comprehensive regulation of AI. The agreement covers crucial aspects, including banned applications, obligations for high-risk systems, sanctions, and the date of entry into force. Key takeaways are:

  1. Banned AI Applications:
    Co-legislators have agreed to prohibit specific AI applications, such as biometric categorization, untargeted scraping for facial recognition databases, emotion recognition in workplaces and educational institutions, social scoring, AI manipulation of human behavior, and the exploitation of vulnerabilities.
  2. Obligations for High-Risk Systems:
    For high-risk AI systems, a mandatory fundamental rights impact assessment is established. Citizens have the right to launch complaints and receive explanations for decisions. Stricter requirements for high-impact general-purpose AI systems include model evaluations, risk assessments, adversarial testing, and reporting to the European Commission.
  3. Sanctions: Non-compliance with the rules will result in fines:
    • €35 million or 7% of global annual turnover for banned AI applications.
    • €15 million or 3% for violations of other obligations.
    • €7.5 million or 1.5% for supplying incorrect information.

Next Steps:
The political agreement awaits formal approval by the Parliament and the Council. Upon publication in the Official Journal, the Act will enter into force 20 days later and become applicable two years after entry into force. Notably, the prohibitions will apply after six months, and the rules for general-purpose AI after 12 months. Read more

8. CJEU issued judgments in cases regarding GDPR penalties

Country: European Union
Date: 5 Dec
Summary: The Court of Justice of the European Union (CJEU) issued judgments in cases regarding GDPR penalties. The CJEU ruled that a national data protection authority (DPA) cannot fine a data controller unless the GDPR infringement was committed intentionally or negligently. An infringement is culpable when the controller could not have been unaware of the infringing nature of its conduct, whether or not it was actually aware of it. The CJEU also clarified that fines can be imposed on legal persons, and that a controller's liability extends to processing operations performed on its behalf by a processor.

Regarding fine calculation, the CJEU determined that when the fined party is an undertaking, the DPA must apply the concept of an 'undertaking' under EU competition law. The maximum fine must therefore be calculated on the total worldwide annual turnover of the entire group in the preceding business year. Read more

9. CJEU issued a ruling on cases involving SCHUFA Holding's credit information practices

Country: European Union
Date: 7 Dec
Summary: The Court of Justice of the European Union (CJEU) issued a ruling on cases involving SCHUFA Holding's credit information practices. In its first decision on the right not to be subject to automated decision-making, the CJEU held that 'scoring' (the method used by credit bureaus to evaluate the creditworthiness of an individual or a company) constitutes such a decision where it plays a determining role in the credit approval, and is therefore generally prohibited by Article 22 of the GDPR. The CJEU left it to the referring Administrative Court to assess whether the exceptions in the German Federal Data Protection Act are valid. Additionally, the CJEU found it contrary to the GDPR for private agencies to retain data on debt discharge longer than the period prescribed for the public insolvency register, prioritizing the data subject's rights over public access. Unlawfully retained data must be deleted promptly. The CJEU also reminded national courts that they must carry out a full review of decisions by national supervisory authorities. Read more

10. PDPC Re: Appointment of Data Protection Officers

Country: Thailand
Date: 7 Dec
Summary: The Notification of the Personal Data Protection Committee (PDPC) Re: Appointment of Data Protection Officers, dated 31 August 2023, came into force on 13 December 2023. Certain businesses that are data controllers or data processors (DC/DP) must appoint a DPO. Read more

11. OPC has released a set of principles

Country: Canada
Date: 7 Dec
Summary: The Office of the Privacy Commissioner (OPC) has released a set of nine principles aimed at guiding the responsible, trustworthy, and privacy-protective development and use of generative artificial intelligence (AI) technologies. The principles are designed to assist organizations involved in the creation, provision, or use of generative AI. They are:

  1. legal authority and consent;
  2. appropriate purposes;
  3. necessity and proportionality;
  4. openness;
  5. accountability;
  6. individual access;
  7. limiting collection, use, and disclosure;
  8. accuracy; and
  9. safeguards.

Read more

12. Registration of data brokers with CPPA

Country: United States (California)
Date: 18 Dec
Summary: Registration of data brokers with the California Privacy Protection Agency (CPPA) opens on 1 January 2024. A business that meets the definition of a "data broker" must register annually with the CPPA and pay the registration fee (Civ. Code § 1798.99.80).

To register as a data broker, a business must be on the CPPA's mailing list. Businesses should email databrokers@cppa.ca.gov to be added to that list; the CPPA will then provide further instructions on how to register and where to send the annual fee.

A data broker that fails to register by January 31 may be liable for administrative fines and costs in an administrative action or investigation brought by the CPPA. Read more

13. Indian government plans to release draft rules for the DPDP Law

Country: India
Date: 20 Dec
Summary: The Indian government plans to release draft rules for the Digital Personal Data Protection Law (DPDP Law) and aims to notify them in January 2024. Following a consultation meeting chaired by Minister of State for Electronics and Information Technology Rajeev Chandrasekhar on December 20, industry will have a week to provide feedback after the draft rules are released.

Representatives from US-based companies, including Meta, Google, and Snap, requested an extension, citing the holiday season. The meeting covered key topics such as data principals' rights, children's data, consent, notice mechanisms, and other provisions of the DPDP Law enacted in August. Discussions also focused on data breach reporting, in particular notification to the yet-to-be-constituted Data Protection Board within 72 hours. Read more
