Privacy News Roundup — July 2023

New EU-US Data Privacy Framework now in place

This month saw the implementation of a new data sharing agreement between the EU and the US. The EU-US Data Privacy Framework replaces the Safe Harbor agreement that was slammed by the European Court of Justice in 2015, and the failed Privacy Shield agreement.

The European Commission adopted its adequacy decision for the new framework on July 10. The decision came after the US signed an Executive Order bringing into force binding obligations to protect Europeans’ data. The agreement means that personal data can again flow freely from the European Economic Area to US companies participating in the Framework.

Israel takes a stand on biometrics in the workplace

Israel’s Privacy Protection Authority (PPA) published their policy paper on the “Collection and Use of Biometric Data at the Workplace” for public comment on July 17. The paper clarifies the privacy risks and potential legal consequences for businesses using such information to monitor employee attendance and behavior.

The PPA maintains their position, previously explained in a 2012 paper, that organizations should refrain from the use of biometrics and suggests alternatives, including issuing personnel with company cards or installing cameras at entrances.

The paper emphasized that collecting and storing employee biometrics is permissible only where alternatives are unfeasible or where there is a special justification for their use.

Oregon, Delaware Pass New Privacy Laws

Two more states have published local privacy laws in recent months. On June 22, the Oregon House of Representatives passed the Oregon Consumer Privacy Rights Act (OCPA). The bill was signed into law on July 18 by Governor Tina Kotek.

The Delaware Personal Data Privacy Act was passed by the state legislature on June 30, 2023. The bill is expected to be signed into law in the coming weeks.

The Oregon and Delware privacy laws are similar to those passed in Colorado and Connecticut, both of which came into force from July 1, 2023. Neither the OCPA nor Delaware Act provide exemptions for covered entities and business associates regulated under HIPAA. Such organizations will need to comply with the relevant state law as well as HIPAA. Both acts disallow exceptions for nonprofits too.

New Zealand’s new regulatory framework for consumer data rights

The New Zealand government released an exposure draft of the proposed Customer and Product Data Bill on July 3. The bill provides a regulatory framework for consumer data rights (CDR) and aims to give customers “more control over their data, allowing them to safely and securely access, manage, and share this data with others.”

The NZ Ministry of Business, Innovation and Employment is seeking feedback on the draft law and accompanying discussion document. The new CDR framework will be complementary to the Privacy Act 2020 but will also cover CDR data that is not personal data.

Understanding the data you have is the foundation of any compliance or regulatory obligation. Data discovery can give you the insight you need for global privacy compliance. Find out more.