Here are key highlights from March 2024 detailing global news and regulatory updates.

US & Canada

• Canada’s Supreme Court rules that IP addresses attract a reasonable expectation of privacy, with practical implications for generative AI providers and online advertising companies
• New Hampshire signs privacy bill into law, becoming the 14th US state to do so
• US Federal Trade Commission (FTC) cracks down on mass data collectors for unfairly selling re-identifiable consumer browsing information
• US FTC is hiring additional staff for its enforcement actions, including 10 people dedicated to privacy issues and artificial intelligence in advertising industries
• US Office for Civil Rights (OCR) issues updated guidance on online tracking technologies, with legal experts claiming the updates offer little relief for healthcare organizations
• US sensitive data concept explored across states, including commonalities and differences in what counts as sensitive data
• Utah governor signs privacy amendments to limit data collection and to establish Utah’s Office of Data Privacy

EMEA

• EU European Parliament approves the EU AI Act, a landmark in the development of AI regulation, with the Act likely to enter into force around May
• EU Council of the European Union and the European Parliament reach provisional agreement on a proposed regulation for a European Health Data Space, a framework for sharing health data within the EU
• EU’s Court of Justice of the European Union (CJEU) finds that Transparency and Consent Framework strings contain personal data, making them subject to the GDPR
• EU and Brazil agree to continue working together on data protection and on regulatory frameworks for AI (also in LATAM)
• Europe’s Council of Europe completes the Artificial Intelligence, Human Rights, Democracy and the Rule of Law Framework Convention, setting out “a legal framework that covers AI systems throughout their lifecycles”
• Saudi Arabia’s data protection authority proposes draft rules for transfers of personal data outside the kingdom, with the draft regulation open for consultation until April 18
• Spain’s data protection authority releases updated guidance on automated decision making under the GDPR
• Turkey’s data protection authority announces amendments to the Personal Data Protection Law (PDPL), including updates related to international data transfers and special categories of personal data
• UK government committee launches an inquiry into data adequacy and its implications for the UK-EU relationship, with public evidence sessions expected to take place between March and June
• UK Information Commissioner’s Office (ICO) publishes new guidance explaining how it issues penalties and calculates fines
• UK private members’ bill on AI regulation—which includes establishing an AI authority and calls for the use of sandboxes—receives second reading in the House of Lords

APAC

• New Zealand’s privacy commissioner calls for greater penalties for data breaches to ensure the Privacy Act keeps up with global privacy standards

LATAM

• Brazil and EU agree to continue working together on data protection and on regulatory frameworks for AI (also in EMEA)

Global

• OECD (Organisation for Economic Cooperation and Development) publishes a blog on data scraping, including controversies around the practice and possible solutions
• OECD working group formed to discuss challenges in regulating AI issues and to strive for solutions