Key Compliance Updates: Data Protection
The Data Protection and Digital Information Bill was introduced in 2022. The measure aims to foster innovation and change UK data laws. Increased penalties for nuisance calls, fewer cookie pop-ups, less business strain, and a modernised Information Commissioner's Office are among the suggested reforms. Businesses should closely monitor the bill's development through Parliament since the measures suggest the UK's determination to abandon the General Data Protection Regulation post-Brexit.
Data transfers internationally
In light of Russia's war against Ukraine, the European Data Protection Board (EDPB) said on 12 July 2022 that EU data protection authorities are evaluating the legality of data transfers to Russia. The EDPB noted that, after the Schrems II decision, data exporters must assess whether laws or practices limit the efficacy of data transfer measures, including access to personal data by Russian state agencies for national security purposes. EU businesses with operations in Russia should monitor changes that may restrict personal data transfers.
The Italian competition authority (AGCM) initiated an abuse of dominance enquiry against Google on 14 July 2022 (Italian language only). A complaint from the Italian direct marketing platform Hoda triggered the probe. The AGCM said Google hindered data subjects' access to data portability under Article 20 of the EU General Data Protection Regulation. The AGCM argues that restricting data portability in a market where Google is dominant hampered competition.
From 13 July 2022, foreign nationals can access their personal information maintained by federal government organisations. Foreign nationals will have the same privacy rights as Canadian citizens and permanent residents. Foreign nationals can request corrections to their data and file complaints with the Privacy Commissioner.
The EDPB adopted criteria on 14 July 2022 to determine if a cross-border case is "strategic" for tighter collaboration. The criteria will clarify when EU enforcement authorities will collaborate.
Hong Kong and Singapore extended their data protection MOU on 13 July 2022. Under the MOU, the authorities commit to collaborating on:
Information sharing on data protection policies and enforcement activities; coordination and mutual help in cross-border personal data incidents; and education and training.
The 57th Asia Pacific Privacy Authorities Forum was held 12-13 July 2022 at Hong Kong's PCPD. The forum examined how authorities might address increasing technology privacy problems and cross-border data flows.
Canada's Office of the Superintendent of Financial Institutions (OSFI) announced a new guideline on 13 July 2022 outlining how financial institutions should manage technology and cyber risks such as data breaches and outages. Financial institutions should create protocols for managing cyber incidents, including testing third-party incident response processes. OSFI expectations are mandatory starting in 2024.
The ICO has asked for a review of private email and chat apps in the UK government, citing data security concerns. In a study released on 11 July 2022, the ICO underlined the threats to government openness and the risk of data loss caused by the increased usage of WhatsApp for government operations.
The State Department's "Evolve" procurement strategy aims to modernise U.S. diplomatic technology. The State Department wants recommendations on emerging technologies, cybersecurity, and data analysis.
Three businesses in Singapore were fined between SG$67,000 (US$48,000) and SG$12,000 (US$7,100) for failing to implement sufficient data security procedures. Quoine was fined the most after a data breach affecting 652,564 consumers.
The Hellenic Data Protection Authority (HDPA) fined facial recognition business Clearview AI €20 million (roughly US$20.12 million) on 14 July 2022 for processing biometric data without a legal basis. The HDPA has also banned Clearview from collecting and processing personal data of Greek subjects using facial recognition.
On 12 July 2022, the Australian Information Commissioner began investigating Bunnings and Kmart's usage of facial recognition technology. CHOICE's exposé of shops' facial recognition use sparked the probe.
The European Data Protection Supervisor (EDPS) published its 2021 annual activity report, stressing its efforts to monitor data privacy concerning the EU's COVID-19 response and pushing for broader digital rights protection.
South Korea's Personal Data Protection Commission (PIPC) plans to protect children's data (South Korean language only). The plan compares South Korea's regime for protecting children and youth data to global frameworks and outlines important action items, such as building a set of personal information protection rules and procedures that reflect the unique characteristics of children and youth.
India's Central Consumer Protection Authority published recommendations to prohibit deceptive marketing and endorsements. The guidelines require ads to be honest and accurate and not highlight consumers' rights. The standards also restrict ads that imply youngsters would be mocked if they don't buy the products.
The UK's Advertising Standards Authority (ASA) provided recommendations on children's capacity to recognise online advertising to help firms determine when increased disclosure is needed. The ASA recommended using unique fonts and colours to highlight commercial information.
EU consumer protection and data privacy agencies adopted five advertising standards for minors. The guidelines caution against targeting children's weaknesses with advertising. EU businesses should consider the principles while planning internet advertising.
Meta reached a settlement with the US Department of Justice (DOJ) to address discriminatory housing advertising claims. To satisfy the lawsuit, Meta will establish a new mechanism to address racial and other inequities generated by its customisation algorithms.
As digital advertising grows, regulators scrutinise businesses' advertising and marketing. Regulators focus more on influencer advertising and ad transparency to ensure consumers are informed. These tips can help organisations stay compliant in a difficult regulatory environment:
Ensure influencers producing promotional content are aware of influencer advertising rules. Consider the vulnerability of certain groups, especially children, when considering ad disclosures.
Stay vigilant to competition authority reports to identify significant areas of concern and follow suggestions to avoid future enforcement action. When using algorithms to target advertising, remove bias and monitor regularly to swiftly identify and address issues.
Lexology: Bethany Carpenter, Digital advertising: current and future risks for businesses (July 2022)