Spring 2023 Data Privacy Updates
- Information governance
- 4 Mins
There is no indication this will slow down anytime soon, so understanding relevant laws is crucial to maintain proper compliance. When conflicting responsibilities surface, it can be difficult to manage. Having a team dedicated to compliance and tapping into outside resources to help manage these obligations is becoming increasingly necessary.
Keeping tabs on the changes is half the battle, so here are a few privacy happenings so far this year to understand and monitor.
The data privacy landscape continues to grow in the U.S. with the State of Iowa being the sixth state to pass comprehensive legislation in March. The Iowa Consumer Data Protection Act will become effective Jan. 1, 2025. Iowa protections align most closely to Utah’s privacy law, placing it in the more business-friendly category. The law lacks the following: a monetary threshold to apply, private right of action, a data minimisation requirement, and data protection assessment mandate. Allotted penalties are US$7,500 for each violation, which means liability can be high depending on the nature of the breach.
Three other state legislatures also recently passed laws and are awaiting governor approval: Indiana, Montana, and Tennessee.
If approved, the Indiana law will become effective Jan. 1, 2026. It aligns more with Virginia’s privacy protection, which is middle of the road between being consumer or business friendly. Distinguishing features include lack of a private right of action; exemption for facial recognition collection on riverboats when there is prior approval from the Indiana gaming commission; and, a requirement that organisations perform impact assessments for some processing activities, such as those involving sensitive data. Indiana also allows penalties up to $7,500 for each violation.
If approved, the Montana law will become effective Oct. 1, 2024. It tracks the Connecticut privacy law closely, which also takes a more neutral approach. The Montana law has stricter privacy requirements for children, requires data protection assessments, lacks a private right of action, and grants universal opt-out options to consumers.
If approved, the Tennessee law will become effective July 1, 2025. This law leans a bit more business-friendly than the bills proposed in Indiana and Montana. While it has typical requirements such as data protection assessment requirements and the right to cure, it is the first state to mention the U.S. National Institute of Standards and Technology (NIST) privacy framework. To remain compliant under Tennessee law, covered organisations may need to adopt and follow NIST standards.
Several other states have introduced – or will introduce – bills to get their own privacy laws on the books. Analysts have pondered whether states would start to follow a trend modelled off one style of law, but as more pass, it is becoming apparent that this is not happening. Instead, the patchwork of privacy legislation is becoming messier. Even when modelling off another state law, each has distinguishing features or have integrated features from several laws.
There is still debate over passing the American Data Privacy and Protection Act at the federal level, so until then, state directives will continue to control compliance.
Global UpdateTwo countries that have made significant strides in 2023 to enhance their data privacy landscapes include Brazil and Australia.
Brazil’s General Data Protection Law (referred to as the “LGPD”) went into effect in August 2020, but the criteria for issuing sanctions was not released until earlier this year. The LGPD applies when an organisation processes personal data that is in Brazil or collected in Brazil. The LGPD has expanded consumer rights, including the ability to access information about anyone who has given their personal data and the right to request whether an organisation stores certain data.
The Brazilian Data Protection Authority has received a large amount of violation complaints and data breach notices, finding the presence of inadequate safeguards in eight matters as of March 2023. Enforcement is expected to pick up now that there is clarity around sanctions. Warnings, partial or total bans on data processing activities in Brazil, and financial penalties are available. Fines can be up to two percent of an organisation’s revenue with a cap of 50 million Brazilian reals (which is just below one million USD) for each breach under the law.
The Brazilian Data Protection Authority has expressed it will start with warnings and small fines before issuing severe penalties. Regulators will also take various factors into fine calculation, including how serious the violation was, what type of data is at issue, whether the party made any good faith efforts to appropriately protect the data, and how quickly a party corrects infringements. This illustrates that the regulators understand compliance will take time as the landscape evolves, they will work with organisations to get their compliance programs up to par, and more leniencies will be afforded when there is evidence of good faith efforts to protect personal data.
Over the last five years, major reform to the Australian Privacy Act of 1988 has been in the works. Last December, amendments were quickly approved after Australia experienced a wave of harmful data breaches. Increased fines are now available and can be the greater of AUD$50 million (which is about USD$33), three times the value of the benefit derived from a breach, or 30 percent of adjusted turnover. The Office of the Australian Information Commissioner also now has expanded enforcement powers to tackle breaches more expediently and efficiently.
In February 2023, more progress was made after the Attorney General’s office completed a long-awaited review of the law and offered 116 new proposals. Overall, the goal is to keep the law intact but greatly expand consumer protections to be closer to the GDPR. Proposals include adding a right to be forgotten, availability of private actions for certain breaches, more regulation over targeted advertising, public transparency requirements, strengthening the definition of personal information, and security enhancements for international data transfers.
The public comment period on these proposals closed at the end of March, so more movement on this front is expected at some point this year.
Other Significant Data Privacy Developments
Other countries across the globe continue to make privacy enhancements each year, so it is crucial to know which global laws apply and watch for any changes. In addition to Brazil and Australia, here are two other global events to note:
The Italian Data Protection Authority banned the use of the generative AI tool ChatGPT. It is currently investigating whether this tool violates the GDPR for failing to notify individuals that it collects and processes personal data for training purposes. What comes out of this investigation could influence other regulators’ stances on this popular tool.
A pending privacy bill in India has received 40 proposed amendments, which will likely present further delay to passing this legislation. Major concerns included lack of protection over child data, broadly written exemptions, and insufficient powers granted to the proposed regulatory body.