Data Protection News Update 03 July 2023

United States

The comprehensive privacy bill covers all entities controlling or processing personal data on 100,000 customers or deriving 50% of revenue from selling the data of more than 25,000 customers.

The bill contains unique definitions for biometric and personal data, required data protection assessments and a 30 day right to cure.

Meta has now launched new parental control tools on all its social media apps.

One such feature allows parents to see how their teen “uses Messenger” with regards to time usage and includes updates with new contacts.

Another feature allows parents to block any unwanted direct messages.

There are no features allowing parents to read the content of the messages.

Europe

The Irish government is discussing amending a bill that will allow all matters coming before the DPC to be labelled as confidential.

Rasha Abdul-Rahim of Amnesty International describes this as a “blatant attempt” by the government to “shield BigTech scrutiny” and “silence” those that stand up for the right to privacy and data protection.

The Council of Europe has released its model contractual clauses agreed upon by members of the Convention 108.

The initial models have “the potential to bride similar transfer tools… and to contribute to the convergence towards appropriate data protection standards globally.”

Ireland’s DPC has extended Meta’s interim stay on the order for the tech giant to suspend its EU-US data transfers.

The stay will remain in place until the end of July.

Political agreement has been reached between the European Council and Parliament on the European Data Act.

This forms part of the European Strategy for Data, which includes the Data Governance Act (to apply from 24^th September 2023).

The EU Data Act will come into force twenty days after publication, which translates into roughly mid-2025.

International

The Bill will appear on the 17^{th of} July monsoon session agenda.

Under this revamped legislation, the maximum penalty for data breaches will become IN45 billion, equivalent to just over 47 million pounds.

In previous iterations the penalty was just 2-4% of a firm’s global turnover.

Brazil’s Data Protection Authority has published guidance on data processing activities related to research.

The guidelines seek to clarify doubts about “the legal hypotheses that authorize the processing of personal data” in research activities.

The guidelines also outline the “need for the processing agent to follow ethical standards” as well as the principle of good faith.

United Kingdom

The UK shows the most growth in use of the technology by private businesses.

UK businesses use facial recognition technology to combat minor crimes and create watchlists unbeknownst to the individuals being watched.

The updates to the toolkit include an eight-step cybersecurity risk management framework.

They also include a refined toolkit concept to cover practices across sectors and all-sized entities, and an introductory risk management and assessment methodology.