Privacy News Roundup — October 2023

UK GDPR Amendments and Clearview AI Appeal

The UK’s Department for Science, Innovation and Technology (DSIT) published its draft amendments to the UK GDPR and Data Protection Act 2018. The changes update the legislation to refer to rights recognized under UK law, rather than those of the EU, which will be repealed by the UK at the end of the year.

Among other changes, the UK GDPR will be updates to remove reference to “respect the essence of the right to data protection.” Instead, foundational privacy rights will fall under the right to respect for private and family life under Article 8 of the European Convention on Human Rights.

Clearview AI successfully appealed against a fine issued by the ICO for its alleged unlawful collection of facial images from the internet. The company won its case because its customers are limited to law enforcement bodies outside the UK, having ceased its commercial customer services in 2020.

Meanwhile, two thirds of organizations across the UK, France and Germany are unable to comply with the EU’s Network and Information Security Directive (NIS2). The directive comes into force next year and affects UK companies operating in the EU, with the purpose of elevating cybersecurity throughout the bloc.

New York’s Child Data Protection Act and More New Privacy Laws Across the US

At least 16 US states have introduced privacy laws in the 2022–2023 legislative cycle, with those from earlier sessions coming into effect from this year. This momentum doesn’t seem to be slowing as Maine and New Hampshire announced their intentions to present state privacy bills in the 2024 session.

Meanwhile, New York officials have proposed a new Child Data Protection Act that would prohibit online sites from “collecting, using, sharing or selling the personal data of anyone under 18 for the purposes of advertising, without informed consent or unless doing so is strictly necessary for the purpose of the website.”

Canada’s Privacy Commissioner Proposes Changes to Privacy Laws

Canada’s Privacy Commissioner, Philippe Dufresne, spoke before Parliament outlining ways to enhance federal privacy legislation through Bill C-27, The Digital Charter Implementation Act, alongside proposals to amend the Consumer Privacy Protection Act.

The proposals aim to ensure Canadian privacy law remains fit-for-purpose amid technological advancement and can protect children’s privacy while ensuing the Office of the Privacy Commissioner is able to effectively protect individuals’ fundamental right to privacy in the country.

A further tranche of provisions set out in Quebec’s Privacy Law Bill 64 came into force this month, requiring more stringent privacy controls including privacy-by-default in products and services, a published external privacy policy and governance policies and procedures implemented as part of a formal privacy program.

OAIC Annual Report Reveals Increase in Privacy Complaints and Data Breaches

The Office of the Australian Information Commissioner (OAIC) released their annual report this month. While receiving 34% more privacy complaints in the period, they finalized 84% of complaints within 12 months. Most complaints were received against the finance sector.

Notifiable data breaches increased 5% compared to the previous year, with 895 cases reported. A majority of these came from healthcare and financial organizations.

New Zealand’s Privacy Commission is wrangling with Retail NZ’s call for a sector-wide roll out of facial recognition technology to combat retail crime. Privacy Commissioner Michael Webster has raised concerns that the initiative, which would involve scanning customers’ faces and comparing them to a watchlist, is a “justified and proportional response” to the risk.

Data discovery can give you the insight you need for global privacy compliance. Find out more.