Privacy Regulation Roundup: Top Stories of July 2024

Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. For each relevant regulatory activity, you can find a link to related resources at the bottom.

North and South America Jurisdiction

1. New Data Privacy Laws for Texas, Florida, and Oregon Effective From July 1, 2024

Date: 1st July, 2024
Summary: Data privacy acts will formally come into effect in Texas, Florida, and Oregon on July 1, 2024. Similar to most other data privacy laws, these regulations will impose strict obligations related to the protection of personal information, including various other requirements related to consent and privacy notices. Read more.

2. Act On Health and Social Service Information Comes Into Effect In Quebec

Date: 1st July, 2024
Summary: The Act relating to Health and Social Services Information (LRSSS) came into effect in Quebec on July 1, 2024. Health and Social Service Information refers to any information that enables a person to be identified, including their physical, mental health, and social services characteristics. The Act now requires health and social service organizations to protect all such information belonging to individuals.

Furthermore, the Act empowers individuals with several rights including the right to information, the right to access, and the right to rectification. In the case of minors, these rights can be exercised by their parents/legal guardians. Lastly, in the event of a confidentiality incident, organizations are required to notify the Access to Information Commission, the Minister, and affected individuals. Violations of these obligations per the Act will result in a fine ranging from $5,000 to $150,000. Read more.

3. OCR Reaches Settlement With Heritage Valley In HIPAA Violations’ Case

Date: 1st July, 2024
Summary: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $950,000 settlement with Heritage Valley Health System following a ransomware attack for potential violations of the Health Insurance Portability and Accountability Act Security Rule (the HIPAA Security Rule).

The OCR had initiated a compliance review against Heritage Valley in October 2017 following reports that it had suffered a data security incident. The compliance review’s findings indicated that Heritage Valley had failed to undertake the following tasks immediately following the incident:

• Conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic protected health information (ePHI);
• Implement a contingency plan to respond to emergencies, such as a ransomware attack;
• Implement policies and procedures to allow only authorized users access to ePHI.

Now, in 2024, the Heritage Foundation has agreed to pay $950,000 to the OCR while also promising to implement the following corrective measures:

• An accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
• A risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis;
• Regularly review, develop, maintain, and revise written policies and procedures in compliance with the HIPAA Security Rule;
• Appropriately train employees on their HIPAA policies and procedures. Read more.

4. Meta Found In Breach of LGPD, Suspended From Training Its AI On Users’ Personal Information

Date: 2nd July, 2024
Summary: The Brazilian Data Protection Authority (ANPD) announced that it had published Decision No. 20/2024/PR/ANPD. This decision bans Meta from processing personal data to train Meta’s AI following an ex officio investigation.

The ANPD notes that Meta’s privacy policy, which came into effect on June 26th, 2024, allows Meta to use any publicly available information posted by users on Facebook, Messenger, and Instagram to train its AI system. This led to an investigation into these practices. The investigation’s preliminary findings indicate violations of the General Personal Data Protection Law (LGPD), specifically the following:

• Use of an inadequate legal basis for the processing of personal data;
• Lack of disclosure of clear, precise, and easily accessible information about the change in the privacy policy and the processing being carried out;
• Excessive limitations on the exercise of the rights of the holders, specifically concerning the right to object;
• Processing of personal data of children and adolescents without appropriate safeguards.

As a result of this investigation, the ANPD has suspended Meta’s privacy policy and its use of personal information to train its AI. Any non-compliance will result in a BRL 50,000 (approx. $8,870) fine.

The suspension is likely to stay in effect until the ANPD makes a further decision. Read more.

5. Utah Department of Commerce (DoC) Launches New Body For AI-Related Policy Collaborations

Date: 8th July, 2024
Summary: The Utah Office of Artificial Intelligence Policy (OAIP) was launched by the Utah Department of Commerce (DoC) in line with Senate Bill 149 for the Utah Artificial Intelligence Policy Act. The OAIP will be responsible for studying various aspects related to the effective regulation of AI. Additionally, the OAIP will contain a Learning Lab tasked with assessing how AI-related policies can clear regulatory burdens for AI companies and protect the public from harm. Other responsibilities for the OAIP will include interactions with state leaders and companies to facilitate regulatory mitigation agreements related to product launches. Read more.

6. New ANPD Resolution Provides Details on Data Controller & DPO Responsibilities

Date: 17th July, 2024
Summary: The Brazilian Data Protection Authority (ANPD) published Resolution CD/ANPD No. 18 on July 16, 2024. The Resolution provides details related to the responsibilities of data protection officers (DPOs) and data controllers. These are as follows:

Data Protection Officers

The regulation provides that DPOs must:

• Be able to communicate with data subjects and with the ANPD in a clear and precise manner and in Portuguese;
• Accept complaints and communications from data subjects, provide clarifications, and adopt appropriate measures;
• Receive communications from the ANPD and take action;
• Guide the controller's and the processor's employees and vendors regarding the practices to be adopted in relation to the protection of personal data;
• Perform other duties determined by the processing agent or established in supplementary standards;
• Act with ethics, integrity, and technical autonomy, avoiding situations that may constitute a conflict of interest.

Data Controllers

The regulation provides that data controllers must:

• Appoint a DPO through a formal act;
• Determine the necessary professional qualifications for the DPO role;
• Publish the appropriate contact details of the DPO on their website;
• Provide the necessary means for the performance of the DPO's duties, including human, technical, and administrative resources;
• Request assistance and guidance from the DPO when carrying out activities and making strategic decisions regarding the processing of personal data;
• Ensure the DPO has the technical autonomy necessary to carry out their activities, free from undue interference;
• Ensure that data subjects have fast, effective, and appropriate means to facilitate communication with the DPO and to exercise rights; and
• Ensure the DPO has direct access to higher management within the organization.

Processors are exempt from the appointment of a DPO.

The Resolution states that any conflict of interest related to a DPO’s responsibilities and duties can be configured:

• Between the duties performed internally with a controller or processor, in addition to the exercise of the activity of a person in charge in different controllers or processors; or
• With the accumulation of the activities of the DPO with others that involve making strategic decisions about the processing of personal data by the controller, except for operations with personal data inherent to the duties of the DPO.

7. Final Rule Amending The Florida Digital Bill of Rights Comes Into Effect

Date: 18th July, 2024
Summary: After its publication by the Florida Department of State on April 12, 2024, the final version of Rule 2-3.001 took effect on July 18, 2024. The rules amend the Florida Digital Bill of Rights (FDBR) to include the following:

• The concept of an “authorized person” entitled to act on a consumer's behalf to exercise all rights and protections conferred under the FDBR;
• A series of security practices, including establishing, implementing, and maintaining data security practices compliant with the risk management framework and standards adopted by the National Institute of Standards and Technology (NIST);
• Requirements related to consumer complaints lodged with the Department of Legal Affairs;
• Rules on the authentication of consumer requests. Read more.

EU Jurisdiction

8. Fine Imposed On Meta Ireland and Facebook Norway Overturned

Date: 3rd July, 2024
Summary: Meta Ireland and Facebook Norway received a favorable judgment from the Norwegian Privacy Appeals Board. The ruling overturns the data protection authority's (Datatilsynet) daily fine of NOK 1 million ($93,915) for non-compliance with a temporary ban on personal data processing for behavior-based marketing. Per the Board’s judgment, GDPR does not permit daily fines in cross-border matters, overruling Datatilsynet's imposition of daily fines for up to three months. Read more.

9. Polish Data Protection Authority Publishes Guide On Protecting Minors’ Images Online

Date: 9th July, 2024
Summary: The Polish data protection authority (UODO) published its guide to help institutions and organizations better protect children's privacy in the digital age, titled, “Children's Image on the Internet. Publish or not?”. The guide covers the protection of children’s images online, correct consent related to their distribution, potential risks of publishing such images, considerations before sharing content involving children, advice on how to appropriately publish photos and videos without identifying children, as well as debunking common myths. Read more.

10. Dutch Data Protection Authority (AP) Imposes Fine On A.S. Watson For GDPR Violation

Date: 16th July, 2024
Summary: The Dutch Data Protection Authority (AP) announced its decision to impose a fine of €600,000 on A.S. Watson Health and Beauty Continental Europe B.V. for violation of the General Data Protection Regulation (GDPR) following an investigation. The investigation conducted by AP on Kruidvat, a subsidiary of A.S. Watson, pertained to whether the use of cookies on investigated websites met the requirements relating to consumer consent. The investigation found that A.S. Watson followed visitors of Kruidvat.nl with tracking cookies, without their knowledge or consent.

The investigation determined that A.S. Watson violated Articles 5(1)(a) and 6 of the GDPR as the website contained a cookie banner where the option to agree to the placement of tracking software was checked by default. This is not allowed, as the website visitors who still wanted to refuse the cookies had to go through many steps to achieve this. Hence, the AP’s investigation has concluded that the personal data of Kruidvat.nl visitors has been processed unlawfully as the visitors’ purchases, along with the personalized identifier assigned to users and the potential for geolocation through tracking of IP addresses, can create specific profiles of users. Read more.

11. Garante Announces Investigation of Google By Italian Competition Authority

Date: 19th July, 2024
Summary: The Italian Data Protection Authority (Garante) has published a press release providing details related to the Italian Competition Authority's investigation against Google LLC and Alphabet Inc., Google's parent company.

The Garante states that Google’s consent requests to users may represent a deceptive and aggressive commercial practice. Furthermore, Gerante states that users are provided with incomplete, imprecise, or irrelevant information related to Google’s use of personal data when users are asked to connect services offered by Google. According to the Competition Authority, problems caused by Google’s deceptive practices may include:

• combined and crossed use of personal data;
• the possibility of modulating (and therefore limiting) consent to only some services; and
• presentation of consent requests, which could influence the average consumer's freedom of choice.

Lastly, Garante states that some of Google’s techniques may lead to a user making a commercial decision that they may not have otherwise made by consenting to the use of their personal data among a large number of offered services. Read more.

12. IAB Europe Announces Submission of Position Paper to EDPB on 'Consent or Pay' Model

Date: 22nd July, 2024
Summary: The Interactive Advertising Bureau (IAB) Europe announced that it has sent to the European Data Protection Board (EDPB) a position paper detailing its concerns and recommendations related to its Opinion 08/2024 on the use of 'consent or pay' models and upcoming guidelines on the same topic.

In the paper, the IAB Europe highlighted the following concerns:

• The lack of consultation and disregard for stakeholders’ opinions on the topic leading to a flawed understanding of the digital advertising industry which will ultimately have a negative impact on the sustainability of some digital services as well as the users’ ability to access diverse sets of services and content online;
• A failure to balance the right to data protection with the freedom to conduct business, particularly the requirement of a provision of a ‘free alternative without behavioral advertising’ that is contrary to the Court of Justice of the European Union (CJEU) Case C-252/21, and may not be commercially viable for many online services;
• A misrepresentation of the “consent or pay” model that depicts data protection rights as being conditional on payment and the erroneous portrayal of personalized advertising as generally unlawful;
• Confusion owing to the lack of a definition and concept of “large online platforms” in the GDPR text and its lack of basis in objective and measurable factors.

Furthermore, the IAB Europe also makes several recommendations for the EDPB within the same paper, including:

• Alignment with the CJEU case law by limiting its assessment to companies in power imbalance with their users and recognizing the legality of providing a choice between consenting and paying a fee for access;
• Abstention from interference in business models adopted by organizations to finance their services, prohibiting the data protection authorities (DPAs)  from examining the pricing practices or factoring the provision of a free alternative to assess the validity of consent;
• Edits in its draft Guidelines on the DPA’s interpretative guidance and recommendations without conflating the GDPR data protection principles with concepts borrowed from other EU legal instruments established to ensure a fair and competitive digital economy. Read more.

13. FCCPC Fines Meta and WhatsApp $220M for FCCPA and NDPR Violations

Date: 22nd July, 2024
Summary: On July 18, 2024, the Federal Competition and Consumer Protection Commission (FCCPC) fined WhatsApp LLC and Meta Platforms, Inc. $220 million, plus a $35,000 reimbursement fee, for violating the Federal Competition and Consumer Protection Act (FCCPA) and the Nigeria Data Protection Regulation (NDPR). The investigation, triggered by complaints about WhatsApp's 2021 privacy policy, found unauthorized data transfers, denial of users' data rights, and other breaches. The order mandates compliance with Nigerian data laws, reinstates user control over data, and halts unauthorized data sharing with third parties. Read more.

14. Government Adopts Draft Law Implementing NIS 2 Directive

Date: 25th July, 2024
Summary: The German government adopted a draft law on July 24, 2024, implementing the requirements of the directive on measures for a high common level of cybersecurity in the Union (the NIS 2 Directive). This Directive imposes several new and enhanced cybersecurity-related obligations on companies and other public and private entities.

The draft law will now be examined by the 16 federal states, to be followed by a discussion in the German parliament (Bundestag). If approved by the parliament, the draft law will be signed into law by the President and become effective on the date of its publication in the Federal Law Gazette. Read more.

15. IAB Europe Publishes Key Considerations Regarding Google's New Privacy Sandbox Approach

Date: 26th July, 2024
Summary: The Interactive Advertising Bureau (IAB) Europe has published a list of considerations that ought to be addressed after Google announced its new approach to the Privacy Sandbox. These considerations include the following:

• Unclear value of the supplementary choice layer regarding the risk of a disjointed user experience owing to the setting of cookies and how personal data will be processed for advertising purposes that are already subject to various industry-wise standards following the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive);
• Current controls connect to the availability of third-party to end-users, and articulation with the existing Privacy Sandbox APIs is important when evaluating their impact on competition;
• Google ought to have closer collaboration with industry standard-setting organizations related to the development of Sandbox tools and carefully consider their feedback. Read more.

16. Higher Regional Court of Frankfurt Ordered Microsoft Corporation to Refrain from Using Cookies on End-user's Devices Without Consent

Date: 29th July, 2024
Summary: The Higher Regional Court of Frankfurt am Main (the Court), in Case Reference 6 U 192/23, ordered Microsoft to refrain from using cookies on the plaintiff’s device without appropriate consent.

Per the Court's proceedings, the plaintiff had objected to the storage and the reading of these cookies for advertising purposes without their consent.

Microsoft's ad service allows websites to place ads in the midst of search results on the Microsoft Search Network to measure their ad campaign's overall performance.

To do so, Microsoft provides websites with code that is integrated into the website or application. Once the page is accessed, the cookie is either stored on the user's device or an existing one is read.

The court found that though Microsoft relies on websites to attain the necessary consent, this does not relieve Microsoft of its liability. Microsoft remains responsible for demonstrating that its users had consented to having cookies stored on their websites. The court left it up to Microsoft to demonstrate this evidence. Read more.

17. The European Artificial Intelligence Office Opens Call for Expression of Interest for Drafting of Code of Practice for General Purpose AI Models

Date: 30th July, 2024
Summary: On July 30, 2024, the European Artificial Intelligence Office (the AI Office) invited general-purpose artificial intelligence (AI) model providers and other various stakeholders to participate in the development of the AI Code of Practice.

Per the AI Office, the Code of Practice outlines the AI Act’s rules for providers of GPAI models and those with systemic risks. The model will aid providers in demonstrating their compliance with the AI Act.

The Code of Practice will address transparency, copyright, systemic risk taxonomy, risk assessment, and mitigation measures, with the following entities being eligible to participate:

• GPAI model providers;
• Downstream providers;
• Other industry organizations;
• Other stakeholder organizations such as civil society organizations or rights holders organizations;
• Academia; and
• Other independent experts.

The AI Office will then verify eligibility and confirm the participation of respective stakeholders.

Between September 2024 and April 2025, the selected participants will engage in various working groups and dedicated workshops involving chairs and vice-chairs to inform each iterative drafting round. The final version is expected to be presented in April 2025.

Once the Code is published, the AI Office and AI Board will release statements of adequacy, followed by a European Commission decision on whether the Code is approved and given general validity across the EU via an implementing act. Read more.

18. European Supervisory Authorities (ESAs) Publish Final Report on Draft Regulatory Technical Standards (RTS) on Subcontracting Under DORA

Date: 31st July, 2024
Summary: The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), collectively known as the European Supervisory Authorities (ESAs), published a joint report on the draft Regulatory Technical Standards (RTS) on subcontracting under the Digital Operational Resilience Act (DORA).

Known as “The Report”, it states that ESAs are mandated under DORA to develop draft RTS to specify when and under which conditions subcontracting ICT services supporting critical or important functions or material parts is permitted. Financial entities will also be subject to similar requirements under DORA to specify conditions for all such subcontracting in contractual agreements with third parties.

The main provisions of the report include the following:

• Overall risk profile and complexity - financial entities must take into account their size and the overall risk profile and the nature, scale, and elements of increased or reduced complexity of its services, activities, and operations, including other elements;
• Group application on the responsibilities of parent undertaking;
• Due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions;
• Description and conditions under which ICT services supporting a critical or important function may be subcontracted;
• Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity;
• Material changes to subcontracting arrangements of ICT service supporting critical or important functions; and
• Termination of the contractual arrangement.

The Report states that ESAs will submit the draft RTS to the European Commission for adoption. Read more.

Asia Jurisdiction

19. New Hong Kong Bill, “Protection of Critical Infrastructure (Computer System) Bill,” Regulates Large Organizations Handling Critical Services & Infrastructure

Date: 5th July, 2024
Summary: The Hong Kong government introduced the Protection of Critical Infrastructure (Computer System) Bill on June 25, 2024. The Bill aims to regulate large organizations responsible for critical services, requiring them to secure their critical computer systems appropriately. Likely to be introduced in the Legislative Council by the end of 2024, some of the salient points of the Bill include the following:

• A new Commissioner’s Office will be established under the Security Bureau.
• The Commissioner’s Office will designate critical infrastructure operators (CIOs).

The bill aims to impose new short incident reporting timelines on CIOs and substantial penalties for non-compliance. Additionally, it elaborates that CIOs will be held accountable for non-compliance caused by their third-party service providers. Read more.

20. Amendments to Malaysia’s Personal Data Protection Act Forwarded to House of Representatives

Date: 5th July, 2024
Summary: The Minister of Digital announced that the Cabinet has approved the proposed amendments to the Personal Data Protection Act 2010 (PDPA). These will now be forwarded to the House of Representatives. The main points of the amendments include mandatory notification of personal data breaches, additional compliance responsibilities for data processors, the appointment of data protection officers, the introduction of the right to data portability, and the removal of the white-list regime for cross-border transfers. Read more.

21. New Saudi Draft Rules On DPO Appointments Open To Public Comments

Date: 15th July, 2024
Summary: The Saudi Data & Artificial Intelligence Authority (SDAIA) has announced that the new draft Rules for the Appointment of a Personal Data Protection Officer are open for public comment. These new rules outline all major requirements related to appointing Data Protection Officers (DPOs) under the Personal Data Protection Law (PDPL) and other implementing regulations:

• The DPO must have:
  • Appropriate academic qualifications and experience in personal data protection.
  • Knowledge of personal data breach risks and regulatory measures.
  • Integrity and no prior convictions for dishonesty.
  • DPOs can be internal executives, employees, or external contractors, subject to competence review by SDAIA.
• The DPO’s appointment will be mandatory if:
• The controller is a public entity processing personal data on a large scale.
• Core activities involve regular monitoring of data subjects or sensitive data processing.

DPOs may also be involved in advising on data protection policies, conducting training, overseeing breach response plans, as well as ensuring compliance with PDPL and ethical AI standards.

22. Malaysia’s Parliament Passed Amendments to PDPA Enhancing It   With Stricter Regulations

Date: 16th July, 2024
Summary: Malaysia's PDPA made significant amendments, with Bill D.R. 21/2024 passing its second reading in Parliament on July 16, 2024. The Key changes include:

• Mandatory DPO Appointment: Data controllers and processors must appoint a Data Protection Officer.
• Data Breach Notifications: Immediate reporting to the Personal Data Protection Commissioner is required, with fines up to MYR 250,000 or imprisonment for non-compliance.
• Data Portability: Data subjects gain the right to request data portability, subject to technical feasibility.
• Security Obligations: Data processors must ensure robust security measures for personal data.
• Increased Penalties: The maximum fine for PDPA breaches is now MYR 1 million, with a potential imprisonment of up to three years.
• Cross-Border Data Transfers: New rules permit data transfers to countries with comparable data protection laws.

These amendments strengthen Malaysia's data protection framework significantly. Read more.

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.