Securiti has started a Privacy Regulation Roundup summarizing the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.
North and South America Jurisdiction
1. Bermuda’s Minister Announces New Sections Of PIPA Amendment Act To Become Effective On January 1
Date: November 7, 2024
Summary: Bermuda's Minister for Information and Communication Technologies Policy and Innovation has announced in the Official Gazette that Sections 3-25, 30-34, and 37-50 of the Personal Information Protection Amendment Act (the PIPA Amendment Act) will become effective on January 1, 2025. Read More.
2. CFPB’s New Report Highlights Need For Greater Protection For Consumers’ Financial Data In The US
Date: November 12, 2024
Summary: The Consumer Financial Protection Bureau (CFPB) has issued a report on state privacy laws and monetization of consumer financial data.
The report highlights the new rights and protections provided by these laws but singles out the exemption for financial institutions and for data covered by the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), which allows institutions such as banks and consumer reporting agencies to operate outside these state laws and limits consumer rights over their financial data.
The current federal financial data privacy protection frameworks consist mainly of the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA). The GLBA's regulatory framework is based mainly on disclosures and opt-out requirements that do not adequately address the challenges posed by modern data surveillance. This means that most data remains outside the scope of most new state-law protections, such as the right under state law for consumers to rectify or delete incorrect or outdated information or requirements related to opt-in consent models for sensitive data.
The CFPB encourages state policymakers to revisit and limit or remove these exemptions. The report highlights how only California restricts the GLBA exemption specifically to data governed by the GLBA, as opposed to other state privacy laws, such as Virginia, which exempts both the financial institutions and the data governed by the GLBA. Read More.
EMEA Jurisdiction
3. UK’s ICO And CMA Release Joint Paper On Harmful Online Designs
Date: November 4, 2024
Summary: The ICO and CMA have released a joint paper. The paper "Harmful Design in Digital Markets" is meant for UX designers and firms that create online interfaces that may potentially influence consumer choice and control over their data. Among other things, the paper outlines how certain design choices may lead to data protection, consumer, and competition issues, potentially violating ICO and CMA regulations. Some examples of such practices include "harmful nudges," "confirmshaming," "biased framing," "bundled consent," and restrictive "default settings". Lastly, the paper advises all firms to avoid such practices to protect privacy, ensure compliance with data protection laws, and promote fair competition. Read More.
4. Administrative Court In Slovenia Issues Judgement Declaring GPS Tracking as Data Processing Under GDPR
Date: November 5, 2024
Summary: On October 14, 2024, the Administrative Court issued judgment no. II U 197/2023-20, in which it states that continuous GPS tracking of company vehicles amounts to data processing under the GDPR and therefore requires a lawful basis. The judgment followed a complaint made to the Information Commissioner. The Commissioner ordered the controller to cease such collection, and the controller appealed to the Court. The Court's ruling confirms that under Article 6(1)(f) of the GDPR, a legitimate interest can justify GPS tracking only if it meets three conditions:
- The interest must be real and legal;
- The data processing must be necessary and proportional;
- It must not infringe on individuals' rights. Read More.
5. Latvian DVI Issues Guidance On Proper Cookie Banner Practices
Date: November 5, 2024
Summary: The Data State Inspectorate (DVI) has issued guidance on proper cookie banner practices. Some of the key points of the guidance include the following:
- Cookie banners should be simple, straightforward, and free from misleading information;
- Banners for functional cookies that do not need consent should contain a brief description with an acknowledgment button, like "got it";
- Users must be able to opt out of non-essential cookies;
- All cookie banners must use clear language, avoid pre-selected options, and provide easy opt-out options.
Lastly, the guidance advises against bad practices like omitting opt-out options, providing inadequate information, or using pre-checked boxes. Read More.
6. “Online Safety Act Applicable To GenAI Chatbots That Allow Sharing Of AI-Generated Content”, UK’s Ofcom Clarifies
Date: November 8, 2024
Summary: Ofcom has clarified that the Online Safety Act applies to GenAI chatbot tools and platforms that allow sharing of AI-generated content among users, including group chat functions and services that host user-created chatbots. All AI-generated content shared on a user-to-user service, including deepfakes, is treated in the same way as human-generated content. AI tools that can search multiple websites and databases, modify search results, or generate pornographic content are also covered by the Act.
All organizations that fall under its scope, including user-to-user and search service providers, must prepare for compliance by conducting risk assessments to evaluate exposure to harmful content, implementing appropriate risk management measures, and ensuring the easy reporting of harmful or illegal content, particularly for children.
Key compliance measures outlined in Ofcom's draft Codes of Practice include appointing a compliance officer, implementing a content moderation function for swift takedowns of illegal content, ensuring effective age assurance, and providing accessible reporting and complaints mechanisms.
The Act will initially come into effect in December 2024, when Ofcom issues its final guide and codes. Read More.
7. Finnish Data Protection Authority Updates FAQs On Healthcare Data Protection
Date: November 12, 2024
Summary: The Finnish Data Protection Authority has updated its FAQs on healthcare data protection. The updates include instructions for patients on how to check, correct, and delete their health information and remind them of their right to access health records and imaging results free of charge. Any changes to patient records must consider whether such information is still required for their care, planning, monitoring, or supervision. Original entries in patient documents may be retained for oversight and monitoring reasons.
The update clarifies rules related to patient data disclosures, stating that all such disclosures must be based on legal grounds or the patients' explicit consent. Several specific scenarios are also addressed, such as correcting incorrect diagnoses, reporting suspected unauthorized access to patient records, and denying contact with healthcare providers based on scientific research findings. Read More.
8. Meta Announces Changes To Its Personalized Advertising Model For Facebook And Instagram Users In Europe
Date: November 12, 2024
Summary: Meta has announced several changes to its personalized advertising model for Facebook and Instagram users in Europe due to regulatory pressure from the EU. These updates address privacy concerns while providing users with a greater degree of control over how their data is used for advertising purposes.
One of the major updates is the introduction of "less personalized ads" for users who opt not to pay for an ad-free subscription. These ads will be based on minimal personal information and recent activity rather than extensive historical data, reducing the level of data-driven profiling involved in ad targeting.
Furthermore, Meta has revised its entire ad-free subscription model, which had been criticized for being potentially misleading since it did not adequately address privacy concerns. The new changes have lowered the subscription costs, making them more affordable and accessible.
Commenting on the new changes, Max Schrems said, "Overall, this just looks like another attempt to ignore EU law by annoying people into consent with huge unskippable ads". He added, "Users must have an equal choice between ads that use their personal data and ads that do not. We doubt that Meta's fourth iteration of trying to bypass EU law will be accepted". Read More.
9. Danish Digital Agency Publishes Whitepaper On The Development, Implementation & Use Of AI Assistants In Denmark
Date: November 14, 2024
Summary: The Danish Digital Agency (Digitaliseringsstyrelsen) has published a whitepaper titled "Responsible Use of AI Assistants in the Public and Private Sector". Created in tandem with various public and private organizations, the whitepaper provides a framework for developing, implementing, and using AI assistants in Denmark.
The whitepaper sets out key procedural steps for defining the AI assistant's use case. It stresses the importance of ensuring that all relevant data processing activities comply with legal frameworks such as the EU Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR). To ensure responsible usage, it advocates limiting the AI assistant's capabilities while implementing structured quality assurance processes and measuring and retaining all relevant data.
Organizational implementation measures, such as staff training, follow-up, and support structures to monitor and address issues, are also emphasized. With this comprehensive approach, the paper aims to enable the ethical and effective integration of AI assistants in both the public and private sectors while ensuring alignment with legal and ethical standards. Read More.
10. European Commission Releases The First Draft Of The General-Purpose AI Code of Practice
Date: November 14, 2024
Summary: The European Commission has released the First Draft General-Purpose AI Code of Practice following the September plenary meeting on the General-Purpose Artificial Intelligence (GPAI) Code of Practice. The draft comes at the end of the first of four planned drafting phases. It will serve as the foundational document, inviting stakeholder feedback to refine the content of the final code.
The draft contains key guiding principles and objectives, such as transparency and copyright rules for GPAI providers, a taxonomy of systemic risks, and specific rules for providers managing systemic risks. These rules cover safety and security frameworks, risk assessment, technical risk mitigation, and governance measures. Systemic risks associated with GPAI are also identified, such as dangerous model capabilities, dangerous propensities, and contextual elements. There is additional guidance for providers on risk identification, evidence collection, and implementing safety and mitigation measures.
A dedicated plenary week will begin on November 18, 2024. Stakeholders, including representatives from EU member states and international observers, will participate in working group meetings to review the draft and provide feedback. Different working groups will focus on different aspects. Insights from these meetings will be presented to the full plenary on November 22, 2024, for further consideration. Read More.
Explore Securiti's Privacy Regulation roundup for the latest updates on global privacy developments. We're committed to providing you with timely updates and essential information to help you understand the evolving privacy regulatory landscape. You can also visit our dedicated page, offering an overview of global data privacy laws.