Here are key highlights from January 2024 detailing global news and regulatory updates.
US & Canada
- Canada’s Office of the Privacy Commissioner (OPC) releases a strategic plan detailing three key priorities of focus for the next three years
- New Hampshire passes Senate Bill 255, paving the way for this comprehensive privacy bill to pass the legislature and take effect on January 1, 2025
- New Jersey’s comprehensive privacy bill is signed into law and is set to take effect one year after its signing date in January 2025
- US Federal Trade Commission (FTC) bans data aggregator from selling consumer location data because it failed to fully inform consumers and obtain consent
- US FTC health breach rule examined, including the rule’s history and the FTC’s proposed changes to the rule
- US FTC publishes guidance for securing DNA data and outlines areas where it may investigate
- US FTC publishes a blog post calling on AI companies to uphold their privacy and confidentiality commitments, with failure to do so making these companies liable under laws enforced by the FTC
- US FTC signs on to a multilateral arrangement to bolster cooperation on privacy and data security enforcement
- US National Institute of Standards and Technology (NIST) identifies types of cyberattacks that manipulate the behavior of AI systems
- US NIST begins updating its Privacy Framework and is developing a joint Profile for data governance as a way to effectively demonstrate complementary use of NIST frameworks and resources
EMEA
- EU Court of Justice of the European Union clarifies the conditions under which a controller can be liable for processing carried out by a processor
- EU Data Act comes into force to facilitate and promote the exchange and use of data within the European Economic Area
- EU’s European Commission upholds 11 of 16 existing data protection adequacy decisions, including Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay, and more
- Finland makes changes to their Data Protection Act, accounting for changes to EU privacy laws
- France’s Commission nationale de l’informatique et des libertés (CNIL) publishes a draft guide for conducting transfer impact assessments for data transfers outside the European Economic Area
- France’s CNIL releases health data storage guidance, including measures to protect health data that go beyond the GDPR
- Polish security and privacy researcher argues that ChatGPT ignores the provisions of the GDPR regarding the processing of data
- Spanish Data Protection Agency (AEPD) releases guidelines for treating analytics and cookies
Gain confidence to use and share sensitive data
Find out how our advisory services can help you safely leverage data derived from information about people. Watch this 15-minute webinar.
APAC
- Malaysia’s government to develop seven guidelines under the Personal Data Protection Act 2010, including those for data breach, cross-border data transfer, data protection impact assessment, privacy by design, and more
- Thailand updates its Personal Data Protection Act (PDPA), as the country intensifies its efforts to protect the safety and security of personal data
LATAM
- Argentina implements new model contractual clauses for international data transfer (article in Spanish)
Global
- Global companies release new proposed data provenance standards to enhance trustworthiness of AI training data