Privacy Regulation Roundup : Top Stories of January 2024

Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. These developments will be added to our website on a monthly basis. For each relevant regulatory activity, you can find a link to related resources at the bottom.

1. South Korea's Personal Information Protection Committee Published a Guide

Country: South Korea
Date: 2 January
Summary: South Korea's Personal Information Protection Committee published a guide for the new amendment to the Personal Information Protection Act (PIPA), as well as an enforcement decree. Revisions to the PIPA include the following:

  1. All personal information processors, including private companies, are now obligated to participate in dispute mediation. Prior to the amendment, only public bodies were compelled to respond to citizens' data protection complaints.
  2. Operating standards have been established for fixed and mobile image information processing equipment, such as CCTV, drones, and autonomous vehicles. Guidelines specify reasonable usage purposes for video information, ensuring responsible and lawful filming.
  3. Online and offline dualized regulations now follow the 'Same Regulation Principles of Same Conduct,' reducing compliance costs for personal information processors.
  4. The expiration date system for online services has been abolished, and an autonomous dormant policy has been introduced.
  5. Safety measures have been strengthened for institutions managing large-scale personal information.
  6. Penalties can be imposed for the private use of personal information acquired during work, with potential fines or imprisonment. Severe sanctions are introduced for intentional and repeated violations. Fines can range from '3% of total sales' to 'exemption' based on the severity of the violation.

The Personal Information Commission plans to release additional guidelines for the rights of information subjects, including automated decisions. Read more.

2. Thailand's PDPC Released the Official Versions of the Draft Notifications on Cross-Border Transfers

Country: Thailand
Date: 3 January
Summary: The Personal Data Protection Committee (PDPC) in Thailand has officially released the official versions of the Draft Notifications on Criteria for Protection of Personal Data Sent or Transferred to a Foreign Country according to Sections 28 and 29 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA), effective from March 24, 2024. Under Section 28, which governs cross-border data transfers, the official version maintains the same principles as the draft, with added definitions excluding certain data transfers.

Notably, it exempts the sending or transferring of personal data by intermediaries as data transit and data transfers between computer systems or data storages to which no third party has access. This exclusion benefits intermediary and cloud computing service providers, alleviating compliance burdens.

In connection with Section 29, addressing additional mechanisms for cross-border data transfers, the official version outlines essential elements for the use of Model Contractual Clauses. These elements include measures for notifying data subjects, limiting data transfers, specifying responsibilities in contracts, maintaining data security, and ensuring effective remedial measures. The Model Contractual Clauses can be revised, provided the changes align with the required elements. Read more.

3. Austrian data protection authority published FAQs on cookies

Country: Austria
Date: 5 January
Summary: The Austrian data protection authority (DSB) published frequently asked questions (FAQ) on cookies and data protection. In particular, the FAQ addresses, among other topics:

  1. What cookies are and whether they constitute personal data;
  2. The legal framework for the use of cookies;
  3. Whether cookie banners are required for a website;
  4. Clarification on technically necessary cookies;
  5. Whether the consent button must be in a different color;
  6. Whether the 'pay or okay' model is permitted;
  7. How a cookie banner must be designed for effective consent;
  8. Information to website users on the use of cookies;
  9. Whether advertising industry standards or cookie consent tools can be used for the design of cookie banners; and
  10. Who is responsible for data protection when cookies are placed on a website. Read more.

4. CJEU Issued a Judgment on Employee Health Data Processing and GDPR Compensation

Country: EU
Date: 8 January
Summary: In a significant judgment (Case C-667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein), the Court of Justice of the European Union (CJEU) clarified key aspects of the General Data Protection Regulation (GDPR) related to sensitive employee data processing. The case involved an IT department employee seeking €20,000 in compensation from MDK Nordrhein, a medical service in Germany, for alleged unlawful data processing during incapacity assessments.

The CJEU emphasized that the GDPR's Article 9(2)(h) exclusion, addressing health data processing by medical control bodies, applies when assessing employee capacity. However, it underlined that such processing must adhere to the lawful conditions outlined in Article 6(1) of the GDPR. The judgment highlighted the compensatory nature of Article 82(1) of the GDPR, aiming to fully redress actual damages resulting from GDPR violations, rather than imposing punitive measures. Read more.

5. The Cybersecurity Administration of China has Finished Consultation on Draft Incident Reporting Measures

Country: China
Date: 10 January
Summary: The Cybersecurity Administration of China has finished consultation on a new set of draft measures outlining requirements for companies to report network security incidents. The reporting requirement applies to organizations that either operate information networks in China or offer services through information networks in China. Operators need to follow the "Guidelines for Classification of Cybersecurity Incidents" when a cybersecurity incident occurs. The incidents are assigned grades 1, 2, 3, or 4, depending on the number of affected data subjects and the financial loss due to the incident.

For major, significant, or particularly significant (grades 1-3) cybersecurity incidents, the incident must be reported within 1 hour. Operators shall report incidents through the "Cybersecurity Incident Information Reporting Form". Other information, such as the cause of the incident, how it evolved, the impacts/damages the incident may lead to, and whether additional measures are to be taken, can be provided within 24 hours if it cannot be reported within the first hour. Read more.

6. Washington Revised FAQs on the My Health My Data Act

Country: United States (Washington)
Date: 11 January
Summary: The Washington State Attorney General has revised FAQs on the My Health My Data Act, focusing on privacy notice and effective date requirements. An important clarification addresses whether businesses covered by the Act must include a link to their Consumer Health Data Privacy Policy on their homepage. The AG emphasized that the privacy policy must be a separate, distinct link on the homepage, and it may include information beyond what is mandated by the Act. Read more.

7. Spanish Data Protection Authority (AEPD) Issued a Guide

Country: Spain
Date: 11 January
Summary: The Spanish Data Protection Authority (AEPD) issued a guide on using cookies for audience measurement tools. The guide emphasizes that certain audience measurement cookies may be exempt from consent if their sole purpose is anonymous audience measurement. Exempted cookies must not compare data with other processes, transmit data to third parties, or enable aggregate tracking across different applications or websites.

The guide lists specific exempted cookies for audience measurement purposes. However, even for exempt cookies, minimum guarantees are required, including user notification through privacy policies, limiting cookie duration for meaningful audience comparison, a maximum 25-month data retention period, and periodic reviews to ensure data retention aligns with strict necessity. Read more.

8. Danish Data Protection Authority (Datatilsynet) Guidance on Preventing Data Breaches

Country: Denmark
Date: 15 January
Summary: The Danish Data Protection Authority (Datatilsynet) has released guidance focused on preventing and mitigating data breaches. The identified common types of breaches include sending data to the wrong recipient, using auto-complete features incorrectly, exposing protected addresses during IT system changes, mishandling data in case processing, failing to delete data properly, and experiencing loss/theft of unencrypted portable devices.

Additionally, broad access to network drives, unauthorized access due to design errors, disclosure of template-stored data, and malicious software attacks (ransomware) are highlighted. The recommended measures to mitigate these risks encompass introducing technical delays in email delivery, controlling IT environment changes, employing Data Leak Prevention (DLP) tools, implementing security measures like multi-factor authentication, firewalls, antivirus, encryption, and network segmentation, as well as establishing need-based access rights. These technical and organizational measures aim to safeguard against various data breach scenarios and enhance overall data security.

9. New Jersey Governor Signed Senate Bill 332

Country: United States (New Jersey)
Date: 16 January
Summary: The New Jersey Governor signed Senate Bill 332, making New Jersey the fourteenth US state to pass a consumer data privacy law. The newly passed law is similar to the consumer privacy laws passed last year in other states, with some distinctions. The law will take effect 365 days following its enactment. Read more.

10. European Data Act is Now in Force

Country: EU
Date: 16 January
Summary: The European Data Act is now in force. It sets out the rights to access and reuse data generated by connected devices within the EU, across all economic sectors, and facilitates the sharing of such data, especially industrial data. With a focus on promoting fairness in the digital realm, it clarifies who can derive value from data and under what conditions. Read more.

11. California Privacy Protection Agency has introduced a dedicated website

Country: United States (California)
Date: 18 January
Summary: The California Privacy Protection Agency has introduced a dedicated website, https://privacy.ca.gov, aimed at providing comprehensive information to Californians regarding their privacy rights. This central resource is designed to enhance understanding of rights conferred by the California Consumer Privacy Act (CCPA). The website encompasses details on CCPA rights and provides guidance on submitting complaints in case of suspected violations by businesses. Additionally, the platform offers resources to assist businesses in comprehending their obligations under the CCPA. Read more.

12. New Hampshire is on the Cusp of Becoming the Latest US State to Enact a Comprehensive Privacy Law

Country: United States (New Hampshire)
Date: 19 January
Summary: New Hampshire is on the cusp of becoming the latest US state, and the second to do so in 2024, to enact a comprehensive data privacy law after the Senate granted final passage to Senate Bill 255. Notably, the bill provides for lower coverage thresholds (processing the personal data of 35,000 consumers, or processing the personal data of 10,000 consumers and deriving 25% of revenue from the sale of personal data) compared to most of the state privacy laws passed so far. Assuming Gov. Chris Sununu signs the bill into law, it shall become effective on January 1, 2025. Read more.

Conclusion

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to keeping you informed with timely updates and providing essential information to better understand the changing privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.
