Privacy Regulation Roundup: Top Stories of May 2024

Securiti has started a Privacy Regulation Roundup that summarizes the latest major global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. For each relevant regulatory activity, you can find a link to related resources at the bottom.

North and South America Jurisdiction

1. Office of the Information and Privacy Commissioner for British Columbia (OIPC) has passed order against Lululemon Athletica Canada

Date: 6th May, 2024
Summary: The Office of the Information and Privacy Commissioner for British Columbia (OIPC) recently passed an order related to a company, Lululemon Athletica Canada’s, refusal to grant an access request by a consumer. Lululemon Athletica Canada provided users with some information but withheld other details, citing exceptions per the Personal Information Protection Act (PIPA). The consumer challenged this decision. The OIPC has ruled that Lululemon Athletica Canada was within its rights to refuse the access request per the exceptions provided by PIPA. The exceptions cited include legal advice, litigation privilege, and employee communications, among others. Read more.

2. Maryland Online Data Privacy Act Signed By Governor

Date: 9th May, 2024
Summary: The Maryland Online Data Privacy Bill was signed into law by the Governor. Consequently, the Maryland Online Data Privacy Act will apply to any entity that conducts business in Maryland or, produces a product/service catering to residents of Maryland, or has been involved in controlling or processing the personal data of at least 35,000 consumers or at least 10,000 consumers and derived more than 20% of its revenue from the sale of this data in the previous calendar year. The law  would come into effect on October 01, 2025.  Read more.

3. Vermont Legislature Approved Vermont Data Privacy Bill

Date: 12th May, 2024
Summary: The Vermont legislature approved the Vermont Data Privacy Bill. The bill will be followed by the establishment of the Vermont Data Privacy Act, which will apply to any entity that conducts business in Vermont or produces a product/service catering to Vermont residents, has been involved in controlling or processing the personal data of at least 25,000 consumers, or derived more than 50% of its revenue from the sale of this data in the previous calendar year.If enacted, the bill will enter into effect on July 01, 2025. Read more.

4. FTC Highlights Data Violations By Connected Cars in Latest Blog

Date: 14th May, 2024
Summary: The Federal Trade Commission (FTC) has published a blog related to the unlawful collection of consumer data by connected cars. The blog highlights violations by such cars, including collection of biometrics, geolocation, and other forms of data prohibited under the FTC Act. Access to such data can only be gained based on legitimate reasons while organizations must ensure that such data is strictly used for the purposes it was collected for. Read more.

5. Minnesota Data Privacy Act Passed, Moves To Governor For Final Signature

Date: 19th May, 2024
Summary: The Minnesota legislature passed the Minnesota Data Privacy Act on May 19, 2024. The Bill now passes on to Governor Tim Walz for his consideration and signature. The proposed Bill covers all entities that control or process the personal data of at least 100,000 Minnesota residents or derive at least 25% of their annual revenue from selling the data of more than 25,000 Minnesota residents.

The Bill contains all the necessary provisions that have become a fundamental part of most major data privacy regulations, such as the following:

CPO: There is an implied obligation to appoint a chief privacy officer (CPO) with primary responsibility for directing the policies and procedures. ;
Consumer Rights: All consumers are guaranteed certain rights related to their personal data that they may exercise per their needs;
Profiling: Consumers have the right to inquire about the result of profiling carried out against them, including the mechanisms behind a particular profiling decision and data used to make this decision;
Privacy Program Documentation: Covered organizations must thoroughly maintain detailed records and documentation of all policies and procedures adopted to comply with this regulation.

The Bill, if signed by the Governor, will come into effect on July 31, 2025. Read more.

EU Jurisdiction

6. France CNIL Publishes Guidance on Personal Data Retention By Public Internet Access Providers

Date: 14th May, 2024
Summary: The CNIL recently published its guidance for organizations providing public internet access, outlining their obligations regarding personal data retention. The guidance emphasizes that personal data collection must be limited to only the strictly necessary information. Specifically, the following retention periods apply:

- Data related to users' identity: up to five years
- Account information and technical data: up to one year
- Communications-related data: only three months

Users retain the right to access and rectify their personal data, but these rights do not extend to employees of the organization. Read more.

7. Garante Publishes Guidelines On Processing of Personal Data In Medical Research

Date: 21st May, 2024
Summary: The Italian Data Protection Authority (Garante) has issued guidelines on processing personal data in medical research, especially in cases where consent cannot be obtained due to the subject being deceased or otherwise uncontactable. Data controllers are instructed to conduct and publish the results of a Data Protection Impact Assessment (DPIA) and inform the Garante about this exercise including the reasons why obtaining consent was not possible or would jeopardize the research objectives. Read more.

8. Council of the European Union Approves AI Act

Date: 21st May, 2024
Summary: The Council of the European Union approved  the proposed AI Act on May 21, 2024, paving the way for harmonized rules on AI across the EU. The regulation is expected to be published in the Official Journal in the next few days and will come into force 20 days after its publication. The Act will become applicable two years after coming into force, with some exceptions in specific provisions. Read more.

Asia Jurisdiction

9. Singaporean Parliament Passes Bill Adding Major Amendments To The Cybersecurity Act of 2018

Date: 7th May, 2024
Summary: Cybersecurity (Amendment) Bill No. 15/2024 was passed in the Singaporean parliament. It introduces vital changes and modifications to the Cybersecurity Act of 2018. These include greater authority for the Cyber Security Agency of Singapore (CSA) to cover Systems of Temporary Cybersecurity Concern (STCCs), the addition of two new regulated entity classes, and new responsibilities and obligations for Critical Information Infrastructure (CII) owners as well as Digital Infrastructure Service Providers. Read more.

10. China’s Tianjin Free Trade Zone released a Negative List for International Data Transfers

Date: 14th May, 2024
Summary: The Tianjin Free Trade Zone released a “Negative List” for international data transfers. It provides guidelines on cross-border data transfer compliance requirements for organizations in the free trade zones operating in various industries. It divides all data into two distinct categories, i.e., one that requires a security assessment by the CAC and the other that requires a standard third-party certification. Data other than the one identified in the list can flow freely across borders. Read more.

11. New Zealand Introduces Customer and Product Bill

Date:16th May, 2024
Summary: New Zealand introduced the Customer and Product Data Bill. It aims to create a framework for businesses to share customer and product data. It requires businesses to provide customer data to individuals and authorized third parties and respond to electronic requests for actions like opening accounts or processing payments. Additionally, product data should also be made electronically available under the bill. It also includes privacy safeguards, complementing the existing Privacy Act 2020. Read more.

Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.