Privacy Regulation Roundup : Top Stories of January 2024

Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. These developments will be added to our website on a monthly basis. For each relevant regulatory activity, you can find a link to related resources at the bottom.

1. South Korea's Personal Information Protection Committee Published a Guide

Country: South Korea
Date: 2 January
Summary: South Korea's Personal Information Protection Committee published a guide for the new amendment to the Personal Information Protection Act (PIPA), as well as an enforcement decree. Revisions to the PIPA include the following: all personal information processors, including private companies, are now obligated to participate in dispute mediation.

Prior to the new amendment, only public bodies were compelled to respond to citizen data protection complaints. Operating standards have been established for fixed and mobile image information processing equipment, such as CCTV, drones, and autonomous vehicles. Guidelines specify reasonable usage purposes for video information, ensuring responsible and lawful filming. Online and offline dualized regulations now follow the 'Same Regulation Principles of Same Conduct,' reducing compliance costs for personal information processors.

The expiration date system for online services has been abolished, and an autonomous dormant policy has been introduced. Strengthened safety measures for institutions managing large-scale personal information.

Penalties can be imposed for the private use of personal information acquired during work, with potential fines or imprisonment. Severe sanctions are introduced for intentional and repeatable violations. Fines can range from '3% of total sales' to 'exemption' based on the severity of the violation. The Personal Information Commission plans to release additional guidelines for the rights of information subjects, including automated decisions. Read more.

2. PDPC in Thailand has Officially Released the Official Versions of the Draft Notifications

Country: Thailand
Date: 3 January
Summary: The Personal Data Protection Committee (PDPC) in Thailand has officially released the official versions of the Draft Notifications on Criteria for Protection of Personal Data Sends or Transfers to a Foreign Country according to Sections 28 and 29 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA), effective from March 24, 2024. Under Section 28, which governs cross-border data transfers, the official version maintains the same principles as the draft, with added definitions excluding certain data transfers.

Notably, it exempts the sending or transferring of personal data by intermediaries as data transit and data transfers between computer systems or data storages to which no third party has access. This exclusion benefits intermediary and cloud computing service providers, alleviating compliance burdens.

In connection with Section 29, addressing additional mechanisms for cross-border data transfers, the official version outlines essential elements for the use of Model Contractual Clauses. These elements include measures for notifying data subjects, limiting data transfers, specifying responsibilities in contracts, maintaining data security, and ensuring effective remedial measures. The Model Contractual Clauses can be revised, provided the changes align with the required elements. Read more.

3. Austrian data protection authority published FAQs on cookies

Country: Austria
Date: 5 January
Summary: The Austrian data protection authority (DSB) published frequently asked questions (FAQ) on cookies and data protection. In particular, the FAQ provides information regarding, among others:

1. The meaning of cookies and whether it is personal data;
2. The legal framework for the use of cookies;
3. Whether cookie banners are required for a website;
4. Clarification on technically necessary cookies;
5. Whether the consent button must be in a different color;
6. Whether the 'pay or okay' model is permitted;
7. How a cookie banner must be designed for effective consent;
8. Information to website users on the use of cookies;
9. Whether advertising industry standards or cookie consent tools can be used for the design of cookie banners; and
10. Who is responsible for data protection if cookies are on their website. Read more.

4. CJEU Issued a Judgment

Country: EU
Date: 8 January
Summary: In a significant judgment (Case C‑667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein), the Court of Justice of the European Union (CJEU) clarified key aspects of the General Data Protection Regulation (GDPR) related to sensitive employee data processing. The case involved an IT department employee seeking €20,000 in compensation from MDK Nordrhein, a medical service in Germany, for alleged unlawful data processing during incapacity assessments.

The CJEU emphasized that the GDPR's Article 9(2)(h) exclusion, addressing health data processing by medical control bodies, applies when assessing employee capacity. However, it underlined that such processing must adhere to the lawful conditions outlined in Article 6(1) of the GDPR. The judgment highlighted the compensatory nature of Article 82(1) of the GDPR, aiming to fully redress actual damages resulting from GDPR violations, rather than imposing punitive measures. Read more.

5. The Cybersecurity Administration of China has Finished the Consultation

Country: China
Date: 10 January
Summary: The Cybersecurity Administration of China has finished consultation on a new set of draft measures outlining requirements for companies to report network security incidents. The reporting requirement applies to organizations that either operate information networks in China or offer services through information networks in China. Operators need to follow the "Guidelines for Classification of Cybersecurity Incidents" when a cybersecurity incident occurs. The incidents are assigned grades 1, 2, 3, or 4, depending on the number of affected data subjects and the financial loss due to the incident.

For major, significant, or particularly significant (grades 1-3) cybersecurity incidents, they should be reported within 1 hour. Operators shall report incidents through the "Cybersecurity Incident Information Reporting Form". Other information, such as the cause of the incident, how it evolved, impacts/damages the incident may lead to, and whether additional measures are to be taken, can be provided within 24 hours, if not possible to report within 1 hour. Read more.

6. Washington Revised FAQs on the My Health My Data Act

Country: United States (Washington)
Date: 11 January
Summary: The Washington State Attorney General has revised FAQs on the My Health My Data Act, focusing on privacy notice and effective date requirements. An important clarification addresses whether businesses covered by the Act must include a link to their Consumer Health Data Privacy Policy on their homepage. The AG emphasized that the privacy policy must be a separate, distinct link on the homepage, and it may include information beyond what is mandated by the Act. Read more.

7. Spanish Data Protection Authority (AEPD) Issued a Guide

Country: Spain
Date: 11 January
Summary: The Spanish Data Protection Authority (AEPD) issued a guide on using cookies for audience measurement tools. The guide emphasizes that certain audience measurement cookies may be exempt from consent if their sole purpose is anonymous audience measurement. Exempted cookies must not compare data with other processes, transmit data to third parties, or enable aggregate tracking across different applications or websites.

The guide lists specific exempted cookies for audience measurement purposes. However, even for exempt cookies, minimum guarantees are required, including user notification through privacy policies, limiting cookie duration for meaningful audience comparison, a maximum 25-month data retention period, and periodic reviews to ensure data retention aligns with strict necessity. Read more.

8. Danish Data Protection Authority (Datatilsynet) Guidance on Preventing Data Breaches

Country: Denmark
Date: 15 January
Summary: The Danish Data Protection Authority (Datatilsynet) has released guidance focused on preventing and mitigating data breaches. The identified common types of breaches include sending data to the wrong recipient, using auto-complete features incorrectly, exposing protected addresses during IT system changes, mishandling data in case processing, failing to delete data properly, and experiencing loss/theft of unencrypted portable devices.

Additionally, broad access to network drives, unauthorized access due to design errors, disclosure of template-stored data, and malicious software attacks (ransomware) are highlighted. The recommended measures to mitigate these risks encompass introducing technical delays in email delivery, controlling IT environment changes, employing Data Leak Prevention (DLP) tools, implementing security measures like multi-factor authentication, firewalls, antivirus, encryption, and network segmentation, as well as establishing need-based access rights. These technical and organizational measures aim to safeguard against various data breach scenarios and enhance overall data security. Read more.

9. New Jersey Governor Signed Senate Bill 332

Country: United States (New Jersey)
Date: 16 January
Summary: The New Jersey Governor signed Senate Bill 332, became the fourteenth US state to pass a consumer data privacy law. The newly passed law is similar to consumer privacy laws passed last year in other states, with some distinctions. The law would take effect 365 days following its enactment. Read more.

10. European Data Act is Now in Force

Country: EU
Date: 16 January
Summary: The European Data Act is now in force. It outlines the rights concerning access and reuse of data generated by connected devices within the EU. The Act delineates the rights associated with accessing and utilizing data generated within the EU across all economic sectors, facilitating the seamless sharing of data, especially industrial data. With a focus on promoting fairness in the digital realm, it brings clarity in determining who can derive value from data and the conditions governing such processes. Read more.

11. California Privacy Protection Agency has introduced a dedicated website

Country: United States (California)
Date: 18 January
Summary: The California Privacy Protection Agency has introduced a dedicated website, https://privacy.ca.gov, aimed at providing comprehensive information to Californians regarding their privacy rights. This central resource is designed to enhance understanding of rights conferred by the California Consumer Privacy Act (CCPA). The website encompasses details on CCPA rights and provides guidance on submitting complaints in case of suspected violations by businesses. Additionally, the platform offers resources to assist businesses in comprehending their obligations under the CCPA. Read more.

12. New Hampshire is on the cusp of becoming the latest US state

Country: United States (New Hampshire)
Date: 19 January
Summary: New Hampshire is on the cusp of becoming the latest US state, second to do so in 2024, to enact a comprehensive data privacy law after the Senate has granted final passage to Senate Bill 255. Notably, the bill provides for lower coverage thresholds (processing personal data of 35,000 consumers or processing personal data of 10,000 consumers and deriving 25% revenue from sale of personal data) as compared to most of the state privacy laws passed so far. Assuming Gov. Chris Sununu signs the bill into law, it shall become effective on January 1, 2025. Read more.

Conclusion

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to keeping you informed with timely updates and providing essential information to better understand the changing privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.