Roundup of recent international data protection and privacy developments
A substantial overhaul of the Privacy Act 1988 (Privacy Act) is proposed, some of which will bring Australia’s privacy laws into closer alignment with the GDPR – and bring with it an increased regulatory compliance burden.
The government intends to enact the Consumer Privacy Protection Act (CPPA) to replace its current federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, with a modernized and strengthened privacy and data protection legal framework. The envisioned regime includes reinforced accountability rules and consent requirements, new enforcement tools and powers, and new individual rights.
The long-awaited Standard Contractual Clauses of China (‘China SCCs’), as referred to in the Personal Information Protection Law (‘PIPL’), were finally endorsed on 24 February 2023. These will take effect on 1 June 2023, with a six-month grace period. This means that, by 30 November 2023, all companies that need to share personal information with foreign recipients, such as their head office, affiliates, or other service providers, must have the China SCCs in place and file them with the People’s Republic of China regulators.
India’s long-delayed new data protection law has been resurrected again (for the fourth time). The Digital Personal Data Protection features concepts that are common to the GDPR at its core. However, it differs in several significant ways. For instance, it shrinks the ambit of ‘personal data’ and dispenses with segregating and protecting personal data based on how sensitive it is.
Also, the Indian Government has begun the consultation process for the Digital India Act (DIA), to replace the Information Technology Act, 2000 (IT Act). This is likely to considerably change how businesses reliant on the internet operate in India. The DIA is expected to focus on:
- ensuring an open internet
- online safety and trust
- accountability and quality of service
- an adjudicatory mechanism for timely grievance redressal, and
- a framework to address harms that may be caused by new technologies (such as artificial intelligence).
The government introduced the Data Protection & Digital Information (No.2) Bill on 8 March 2023. This, in some respects, waters down (but does not scrap) the EU GDPR.
Virginia’s law became effective 1 January 2023, and at the same time significant modifications to California’s law also went into effect. Two more states have similar laws that will become effective 1 July 2023 (Colorado and Connecticut), and more are following, including Utah and Iowa.
The common theme with all of these is that they are similar (but not identical) to the GDPR.
Meta fined €1.2 billion, ordered to cease transferring personal data to the US
The Irish Data Protection Commission (“the DPC”) has today announced the conclusion of its inquiry into Meta Platforms Ireland Limited (“Meta Ireland”), examining the basis upon which Meta Ireland transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service. Its decision is:
- Meta (Facebook) to pay a fine of €1.2 billion; and
- Meta to suspend any future transfer of personal data to the US within five months; and
- Meta to bring its processing operations into compliance with the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within 6 months.
This is (by far) a record GDPR fine and could lead to Facebook ceasing to provide a service in the EU.