Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

Privacy Regulation Roundup: Top Stories of February 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. These developments will be added to our website on a monthly basis. For each relevant regulatory activity, you can find a link to related resources at the bottom.

1. Amsterdam Court of Appeal against the Paris-based Online Advertising Company

Country: Netherland
Date: 8 January
Summary: The Amsterdam Court of Appeal, in a judgment issued on December 5, 2023, ruled against the Paris-based online advertising company Criteo, directing them to stop placing cookies on individuals' devices without consent. This decision follows Criteo's appeal after a previous ruling on October 18, 2023, where the Court of Amsterdam found Criteo in violation of placing cookies without user consent.

The Court of Appeal affirmed the prior ruling, noting Criteo's failure to explain why it couldn't simply offer the option of placing a cookie only to third parties with required consent. Ad tech providers are responsible for failing to obtain a website user’s consent to the processing of his personal data collected by placing so-called ‘tracking’ cookies on the user’s device via third-party online publishers it partnered with. As a result, Criteo S.A. is ordered to cease placing cookies without valid consent, with a daily penalty of €250, up to a maximum of €25,000, for non-compliance. Read more.

2. Sri Lanka Confirming the Enforcement Dates of PDPA

Country: Srilanka
Date: 15 January
Summary: On January 8, 2024, in Sri Lanka, an Order was issued confirming the enforcement dates of Parts I, II, III, VII, and Part V of the Personal Data Protection Act (PDPA), No. 9 Of 2022.

The enforcement date of Parts I, II, III, and VII of PDPA is March 18, 2025. These parts include provisions related to the following:

  1. Situations exempted from the scope of  PDPA
  2. General processing of data
  3. Privacy notification requirements
  4. Data breach requirements
  5. Data protection officer requirements
  6. Data protection impact assessment requirements
  7. The rules of Accountability in the processing of data
  8. Requirements related to processors engaged in processing activities on behalf of a controller
  9. Requirements related to cross-border transfer of data
  10. Data subject rights
  11. Penalties for non-compliance with PDPA

The retrospective enforcement date of Part V of PDPA is July 17, 2023. It establishes the Data Protection Authority of Sri Lanka (referred to as the Authority in PDPA). This Authority will exercise, perform, and discharge the powers, duties, and functions prescribed by the PDPA. Read more.

3. Royal Decree Outlining Exceptions to Data Controller Obligations under Thailand PDPA

Country: Thailand
Date: 15 January
Summary: In Thailand, on 14 January 2024, the Royal Decree outlining exceptions to data controller obligations under the Personal Data Protection Act (PDPA) came into force.

This decree stipulates that data controllers are not bound to adhere to Chapters 2 and Chapter 3 of PDPA when responding to personal data requests from specific government entities, including the National Anti-Corruption Commission, Revenue Department, Customs Department, Excise Department, recognized local government organizations responsible for tax collection, Secretary of the Cabinet carrying out royal prerogatives, and state agencies acting under laws of public interest.

Chapter 2 of PDPA constitutes obligations such as consent for data processing, consent for minors and incapacitated individuals, and purpose limitation.

Chapter 3 of PDPA constitutes obligations such as limitation on data collection, informing data subject during data collection, conditions for data collection without consent, notification to data subject if data is collected from a different source and explicit consent for obtaining sensitive personal data. Read more.

4. Andorran has Revised its Guidelines on the Use of Cookies

Country: Andorran
Date: 26 January
Summary: The Andorran Data Protection Authority (APDA) has revised its guidelines on the 'Use of cookies, privacy policy, and legal notice,' incorporating guidance from the European Data Protection Board (EDPB) on deceptive design patterns in social media interfaces and the technical scope of Article 5(3) of the ePrivacy Directive.

Aligned with the EDPB, the updated guidelines emphasize limitations on cookie storage time, recommending a maximum of 25 months, and assert the permissibility of denying access to the website for non-acceptance of cookies. The guidelines also outline conditions for obtaining consent from minors under 16 and offer recommendations for designing cookie banners. Additionally, they specify that the absence of a reject button constitutes a breach, and pre-marked boxes in customizable sections do not qualify as valid consent.

The APDA underscores that the legal framework for privacy policies and web tracker policies lies in the conditions for consent outlined in Articles 7 and 8 of the Law of Personal Data Protection, with potential financial administrative fines ranging from €30,001 to €100,000 for non-compliance. Read more.

5. Executive Regulation of Oman Personal Data Protection Law (PDPL)

Country: Oman
Date: 5 February
Summary: The Executive Regulation of the Personal Data Protection Law (PDPL) was issued on 4th February in Oman.

Key features of the new Regulation include the following:

  • Article 5 of PDPL requires entities processing sensitive data to obtain a permit from the Ministry of Transport Communication and Information Technology (MTCIT). The Regulation now outlines application requirements to obtain permits for processing sensitive data and sets a 45-day decision period for the MTCIT.
  • Article 11 of PDPL recognizes data subject rights, such as the right to erasure, retrieval, or transfer of personal data. The Regulation now mandates controllers to respond to such requests within 45 days. Furthermore, it allows controllers to refuse requests if they are deemed vexatious or require extraordinary effort.
  • The Regulation mandates controllers to designate a personal data protection officer. While the regulation does not specify limitations, it allows for existing employees to be designated for this role.
  • The regulation clarifies that no approval from the MTCIT is required for transferring personal data outside Oman. Instead, it mandates an adequate level of protection, with general requirements to safeguard national security and state interests. Exceptions include transfers required by treaties and transfers after anonymizing data. Read more.

6. Guidance on the Somali Data Protection Act

Country: Somalia
Date: 6 February
Summary: The Somali Data Protection Authority has released guidance on the Data Protection Act, outlining its personal, territorial, and material scope of application. It clarifies that the Act applies to entities domiciled, resident, or operating in Somalia, where processing occurs within Somalia, or where data subjects in Somalia are affected by processing activities. Additionally, the guidance covers the Authority's powers and duties, definitions provided by the Act, legal bases for consent, principles of data processing, obligations of controllers and processors, and the rights of data subjects. Read more.

7. Third District Court of Appeal in California

Country: United States (California)
Date: 9 February
Summary: The Third District Court of Appeal in California, in the case CPPA v California Chamber of Commerce, has overturned the lower court's June 30 ruling, which has stated that any implementing regulation required by the CPRA is not enforceable on the date specified by the CPRA but instead enforceable one year after the regulations become final.

The Appeal Court ruled that the trial court erred in its conclusion, as "there is no explicit and forceful language mandating that CPPA is prohibited from enforcing the CPRA until (at least) one year after the CPPA approves final regulations." Consequently, the Chamber was not entitled to the relief granted by the trial court. The Appeal Court directed the trial court to annul its order and judgment, including the partial stay on CPPA's regulation for a 12-month period from the finalization date of each individual regulation.

Therefore, in accordance with the court ruling:

  1. Enforcement of initial CPRA implementing regulations can begin now (rather than in late March).
  2. Enforcement of future regulations can begin upon finalization rather than being subject to a 1-year delay. Read more.

8. Nebraska Governor has signed the Genetic Information Privacy Act

Country: Nebraska
Date: 13 February
Summary: The Nebraska Governor has signed the Genetic Information Privacy Act, which applies to direct-to-consumer genetic testing companies. This law mandates that covered entities must provide consumers with clear and comprehensive information regarding the company's policies and procedures for the collection and disclosure of genetic data, among other obligations. Read more.

Conclusion

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to keeping you informed with timely updates and providing essential information to better understand the changing privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share


More Stories that May Interest You

Videos

View More

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 13:38

Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines

Sanofi Thumbnail
Watch Now View
Spotlight 10:35

There’s Been a Material Shift in the Data Center of Gravity

Watch Now View
Spotlight 14:21

AI Governance Is Much More than Technology Risk Mitigation

AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3

You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge

Watch Now View
Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 27:29

Building Safe AI with Databricks and Gencore

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View

Latest

Securiti Powers Sovereign AI in the EU with NVIDIA View More

Securiti Powers Sovereign AI in the EU with NVIDIA

The EU has taken the lead globally in ensuring that the power of AI systems is harnessed for the overall wellbeing of human citizens...

The Risks of Legacy DLP: Why Cloud Security Needs DSPM View More

The Risks of Legacy DLP: Why Cloud Security Needs DSPM

82% of 2024 data breaches involved cloud data, raising concerns about the effectiveness of legacy data loss prevention (DLP) solutions in today's cloud-centric data...

Data Classification: A Core Component of DSPM View More

Data Classification: A Core Component of DSPM

Data classification is a core component of DSPM, enabling teams to categorize data based on sensitivity and allocate resources accordingly to prioritize security, governance,...

9 Key Components of a Strong Data Security Strategy View More

9 Key Components of a Strong Data Security Strategy

Securiti’s latest blog breaks down the 9 key components of a robust data security strategy and explains how it helps protect your business, ensure...

Beyond DLP: Guide to Modern Data Protection with DSPM View More

Beyond DLP: Guide to Modern Data Protection with DSPM

Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.

Mastering Cookie Consent: Global Compliance & Customer Trust View More

Mastering Cookie Consent: Global Compliance & Customer Trust

Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now View More

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now

Discover why shifting focus from AI risk to AI readiness is critical for enterprises. Learn how Data Security Posture Management (DSPM) empowers organizations to...

The European Health Data Space Regulation View More

The European Health Data Space Regulation: A Legislative Timeline and Implementation Roadmap

Download the infographic on the European Health Data Space Regulation, which features a clear timeline and roadmap highlighting key legislative milestones, implementation phases, and...

Gencore AI and Amazon Bedrock View More

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New