Privacy Regulation Roundup: Top Stories of March 2024

Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. These developments will be added to our website on a monthly basis. For each relevant regulatory activity, you can find a link to related resources at the bottom.

1. Georgia's Data Protection Act of 2023 Came into Effect on 1st March

Country: Georgia
Date: 1 March
Summary: The Data Protection Act of 2023 in Georgia, which came into force on March 1, 2024, introduces significant guidelines covering various aspects of data handling. This includes principles for processing data, rights of individuals regarding their data, responsibilities of those who control data, protocols for handling data breaches, and rules governing the international transfer of data.

Importantly, certain sections of this Act were implemented immediately upon its announcement. Individuals are empowered with rights to be informed about, access, correct, halt, erase, or restrict the processing of their data. They also have the ability to transfer their data and revoke consent. The Act requires that data controllers for particular organizations appoint a Data Protection Officer (DPO), carry out assessments on the impact of data protection for processing activities considered high risk, and report any data breaches to both the affected individuals and the Personal Data Protection Service (PDPS).

Furthermore, it outlines specific conditions under which data can be processed for direct marketing and introduces steeper fines ranging from 1,000 to 10,000 GEL, indicating a more rigorous enforcement approach than past regulations.

2. Bangladesh Enacts Cybersecurity Act 2023 to Strengthen Digital Security

Country: Bangladesh
Date: 4 March
Summary: On September 18, 2023, the Government of Bangladesh's Legislative and Parliamentary Affairs Division unveiled the Cybersecurity Act, 2023. This new legislation revokes the previous Digital Security Act of 2018, aiming to bolster cybersecurity measures. It introduces comprehensive strategies for identifying, preventing, and combating cybercrimes, along with facilitating their prosecution.

The Cyber Security Bill 2023 received parliamentary approval, designating offenses in four specific areas as non-bailable. These areas include unauthorized access to crucial information infrastructure, computer damage, cyber terrorism, and offenses related to hacking.

The Act permits police inspectors and above to conduct searches and make arrests without requiring a warrant, including measures for punishing those who initiate baseless legal actions. Moreover, it tackles potential threats stemming from the misuse of training data and generated content, establishing penalties for lodging fraudulent cases and complaints. A dedicated tribunal has been empowered to adjudicate such matters, reinforcing the legal framework against cyber misconduct. Read more.

3. AEPD's Guidance on Human Intervention in Automated Decision-Making

Country: Spain
Date: 5 March
Summary: The Spanish Data Protection Authority (AEPD) recently shared insights through a blog on the critical role of human intervention in automated decision-making processes. The AEPD highlights the importance of carefully evaluating the extent of human participation in such processes. This evaluation should consider various factors, including the individual's authority, skills, capabilities, thoroughness, and autonomy. According to Article 22 of the GDPR, individuals have the right to avoid being subject to decisions made purely based on automated processing.

The AEPD strongly condemns any attempts to feign human involvement merely to bypass these regulations. Genuine human intervention requires significant oversight by an individual who possesses both the authority and the expertise to modify decisions. This scrutiny should be an integral component of a Data Protection Impact Assessment (DPIA), taking into account all pertinent data. The AEPD advises an objective assessment of human engagement in decision-making, focusing on the individual's competence, readiness, education, independence, attentiveness, and the resources available to apply their skills and knowledge effectively. Read more.

4. South Korea's PIPC Announces 2024 Amendments to Data Protection Regulations

Country: South Korea
Date: 6 March
Summary: On March 6, 2024, the Personal Information Protection Commission (PIPC) unveiled updates to the Enforcement Decree of the Personal Information Protection Act (PIPA Enforcement Act), slated to take effect on March 15, 2024. Here are the main highlights:

• Enhanced Rights for Individuals: Data subjects are now empowered to seek explanations or reviews of decisions made entirely by automated means that affect their rights. The amendments mandate transparency in the criteria and procedures of automated processing, with a provision for providing explanations to data subjects upon request. Data controllers are required to elucidate the reasoning behind their decisions. Although data subjects have the right to challenge automated decisions, such objections may be overruled if subjects were previously informed or if legal provisions justify the decision. Personal information processors have the authority to dismiss objections for valid reasons but are obligated to inform data subjects promptly.
• Stricter Chief Privacy Officer (CPO) Qualifications: Businesses handling substantial amounts of personal information are now subject to more stringent requirements for Chief Privacy Officers (CPOs). By March 14, 2026, CPOs are expected to possess a minimum of four years of experience in personal information protection.
• Regulations on Cross-border Data Transfer: The PIPC has introduced a new requirement for disclosing the legal basis of cross-border data transfers in privacy policies. This includes specifying the countries where the personal information of South Korean data subjects is being collected and processed.
• Further Amendments: Online businesses generating annual sales of over KRW 1 billion and managing personal data of more than 10,000 subjects are now required to secure insurance and reserve funds to cover liabilities for damages. This updates the prior requirements. The PIPC plans to release a draft guide detailing standards and examples in March 2024. Read more.

5. New Hampshire's Groundbreaking Data Privacy Bill Set to Take Effect in 2025

Country: New Hampshire
Date: 6 March
Summary: The governor has enacted the New Hampshire Data Privacy Bill, which stands out for its relatively lower operational thresholds. Specifically, the legislation applies to entities that process the personal data of either 35,000 consumers or 10,000 consumers while earning 25% of their revenue from selling personal data. This is in contrast to the broader coverage criteria found in most other state privacy laws. The law is set to take effect on January 1, 2025. Read more.

6. CJEU Clarifies Personal Data Definitions and Joint Controllership in IAB Europe Case

Country: EU
Date: 7 March
Summary: In the case of C-604/22 IAB Europe v Gegevensbeschermingsautoriteit, the Court of Justice of the European Union (CJEU) provided crucial clarifications on what constitutes personal data and the criteria for identifying joint controllers within sectoral entities. This ruling stemmed from a decision by the Belgian Data Protection Authority (Belgian DPA) concerning the compatibility of IAB Europe's Transparency & Consent Framework with GDPR standards. The CJEU concluded that the data within the Transparency & Consent String (TC String) qualifies as personal data when it enables user identification, especially for profiling purposes.

Furthermore, IAB Europe was designated as a joint controller due to its role in overseeing consent-related data processing activities linked to the TC String. Nonetheless, IAB Europe is not considered a controller for further data processing activities unless it plays a part in deciding the objectives and methods of those activities. This distinction does not apply to instances of civil liability under national legislation. Read more.

7. Turkey's KVKK Updates Data Protection Law with New Amendments for 2024

Country: Turkey
Date: 12 March
Summary: The Personal Data Protection Authority (KVKK) has introduced revisions to the Personal Data Protection Law via the Law on Amendments to the Criminal Procedure Code and Certain Laws. These updates, set to take effect on June 1, 2024, introduce several significant changes:

• Restrictions on Special Category Personal Data: The processing of special category personal data will now be largely prohibited, except under specific conditions such as explicit consent, relevant legal mandates, the protection of critical interests, instances of public data disclosure, the safeguarding of rights, and responsibilities related to public health.
• International Data Transfers: Data controllers and processors are permitted to transfer personal data internationally, provided they comply with certain criteria outlined in the Law. This includes conformity with adequacy decisions regarding the recipient country or entity, which are regularly evaluated by the Personal Data Protection Board (the Board).
• Criteria for Transferring Data Without Adequacy Decisions: In the absence of an adequacy decision, data can still be transferred internationally under certain conditions, including non-international agreements, Binding Corporate Rules (BCRs), standard contractual clauses, or written assurances of sufficient protection, subject to the Board's approval.
• Penalties for Non-compliance: Failing to fulfill the notification requirements for international data transfers may lead to penalties ranging from TRY 50,000 to 1,000,000 (approximately $1,560 to $31,210).
• Implementation Timeline: While the amendments will officially become effective on June 1, 2024, the existing regulations on international data transfers will continue to apply until September 1, 2024, at which point the revised article will take full effect. Read more.

8. CJEU Affirms Data Protection Authority Powers to Erase Unlawfully Processed Data

Country: EU
Date: 14 March
Summary: The Court of Justice of the European Union (CJEU) has determined that data protection authorities in Member States have the authority to mandate the deletion of personal data that has been processed unlawfully, regardless of whether the data subject has made a formal request. This action can be taken as part of their duty to enforce the General Data Protection Regulation (GDPR), specifically under Articles 58(2)(d) and 58(2)(g).

On March 14, 2024, in the case of C-46/23 Újpesti Polgármesteri Hivatal, the CJEU clarified the powers of data protection authorities, ruling that the Hungarian data protection authority (NAIH) possesses the right to demand the removal of illegally processed personal data without needing a direct request from the individual concerned. This ruling came from an investigation where NAIH identified violations of GDPR regulations by various municipal governments and other bodies that were distributing financial aid during the COVID-19 pandemic in Hungary. The CJEU's decision underscores the proactive role that data protection authorities are expected to play in upholding the provisions of the GDPR. Read more.

9. Garante Introduces Code of Conduct to Curb Telemarketing Intrusions

Country: Italy
Date: 19 March
Summary: Garante Introduces Code of Conduct for Telemarketing. The aim is to regulate teleselling and telemarketing activities, safeguarding users from unwanted calls. Companies following the Code must take specific steps to ensure the accuracy and legitimacy of data processing during telemarketing. Requirements include:

1. Obtaining specific consent for each purpose.
2. Providing clear information to contacts about data usage.
3. Conducting impact assessments for automated processing.
4. Guaranteeing full exercise of privacy rights.

Non-compliance may result in penalties for contracts initiated without proper consent. Read more.

10. Utah Enhances Data Protection Laws with Focus on Breach Notification

Country: Utah
Date: 19 March
Summary: Utah Updates Personal Information and Technology Laws. Notably, changes have been made to data breach notification requirements. Section 13-44-202 now mandates that when reporting a security breach to the Office of the Attorney General or the Utah Cyber Center, the notification must include:

1. Date of the security breach.
2. Date when the breach was discovered.
3. Total number of affected individuals, including Utah residents.
4. Types of personal information compromised.
5. Brief description of the breach. Read more.

11. Lower Saxony Data Protection Authority Issues Ruling on Date of Birth in Online Shops

Country: Germany
Date: 21 March
Summary: The Lower Saxony data protection authority (LfD Niedersachsen) issued a press release regarding a recent court ruling on the mandatory inclusion of date of birth in online shops. The court's decision came after LfD Niedersachsen issued a cease and desist order against an online pharmacy, stressing that collecting dates of birth can't be justified except in cases of payment default. The ruling also states that if consent is the only legal basis, the input field must be clearly marked 'voluntary,' allowing customers to proceed with their order without providing this data. The press release emphasizes that online pharmacies are still bound by these rules, as drug prescription regulations' exceptions don't cover all pharmacy products. Read more.

12. China Introduces New Regulations to Ease Cross-Border Data Transfers

Country: China
Date: 22 March
Summary: China Implements New Regulations for Cross-Border Data Transfers to Ease Compliance for MNCs. Here are the key points:

Exempt Transfer Scenarios: Certain transfers for contract execution, emergencies, and cross-border HR management are exempt from security assessments and certifications.

Data Volume Thresholds:

• Under 100,000 Individuals: Transfers involving fewer than 100,000 individuals' non-sensitive personal information are exempt from CBDT legal mechanisms.
• 100,000 to 1 Million Individuals: Transfers of personal information of 100,000 to 1 million individuals, or sensitive information of fewer than 10,000 individuals, require SCC filing or certification, easing compliance for smaller transfers.
• Over 1 Million Individuals or 10,000 for Sensitive Data: Transfers exceeding these numbers require a security assessment with high regulatory scrutiny.

Exclusions for CII Operators: Critical Information Infrastructure operators face stricter regulations. Non-CII operators are subject to relaxed rules, reducing compliance burdens.

These changes aim to ease compliance for companies engaged in cross-border data transfers, particularly regarding HR data. Read more.

13. Malaysian Parliament Passes Cybersecurity Bill 2024 with Unique Industry Focus

Country: Malaysia
Date: 28 March
Summary: The Parliament of Malaysia passed the Cybersecurity Bill 2024 on March 27, 2024, following its initial reading on March 25, 2024. While similar to cyber security laws in other Commonwealth jurisdictions like the Singapore Cybersecurity Act 2018, the Bill aims to strengthen the cyber security of critical national information infrastructure and regulate cyber security service providers. Notably, it introduces new roles such as the Chief Executive and the NCII Sector Lead to enhance industry-specific cyber security governance in Malaysia. Read more.

14. PDPC Releases Advisory Guidelines on Children's Personal Data Protection

Country: Singapore
Date: 28 March
Summary: On March 28, 2024, the Personal Data Protection Commission (PDPC) released Advisory Guidelines on Children's Personal Data in the Digital Environment under the PDPA. These guidelines aim to clarify obligations concerning children's personal data outlined in the Personal Data Protection Act (No. 28 of 2012) (PDPA). Read more.

Conclusion

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to keeping you informed with timely updates and providing essential information to better understand the changing privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.