NormCyber data protection bulletin: 05th June 2023
Roundup of recent international data protection and privacy developments
Roundup of recent international data protection and privacy developments
Australia
A substantial overhaul of the Privacy Act 1988 (Privacy Act) is proposed, some of which will bring Australia’s privacy laws in closer alignment with the GDPR – and an increased regulatory burden of compliance.
Canada
The government intends to enact the Consumer Privacy Protection Act (CCPA) to replace its current federal private-sector privacy law—the Personal Information Protection and Electronic Documents Act—with a modernized and strengthened privacy and data protection legal framework. The envisioned regime includes reinforced accountability rules and consent requirements, new enforcement tools and powers, and new individual rights.
China
The long-awaited Standard Contractual Clauses of China (‘China SCCs’), as referred to in the Personal Information Protection Law (‘PIPL’), were finally endorsed on 24 February 2023. These will take effect on 1 June 2023, with a six-month grace period. This means that, by 30 November 2023 all companies which need to share personal information with foreign recipients, like its head office, affiliates, or other service providers, must have in place the China SCCs and file them with the People’s Republic of China regulators.
India
India’s long-delayed new data protection law has been resurrected again (for the fourth time). The Digital Personal Data Protection features concepts that are common to the GDPR at its core. However, it differs in several significant ways. For instance, it shrinks the ambit of ‘personal data’ and dispenses with segregating and protecting personal data based on how sensitive it is.
Also, the Indian Government has begun the consultation process for the Digital India Act (DIA), toreplace the Information Technology Act, 2000 (IT Act). This is likely to considerably change how businesses reliant on the internet operate in India. The DIA is expected to focus on:
UK
The government introduced the Data Protection & Digital Information (No.2) Bill on 8 March 2023. This, in some respects, waters-down (but does not scrap) the EU GDPR.
US
Virginia’s law became effective 1 January 2023, and at the same time significant modifications to California’s law also went into effect. Two more states have similar laws that will become effective 1 July 2023 (Colorado and Connecticut), and more are following, including Utah and Iowa.
The common theme with all of these is that they are similar (but not identical) to the GDPR.
Meta fined €1.2 billion, ordered to cease transferring personal data to the US
The Irish Data Protection Commission (“the DPC”) has today announced the conclusion of its inquiry into Meta Platforms Ireland Limited (“Meta Ireland”), examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service. Its decision is:
This is (by far) a record GDPR fine and could lead Facebook ceasing providing a service in the EU.