Privacy News Roundup — September 2023

Australia and New Zealand propose changes to local privacy laws

On September 28, 2023, the Australian Government published its response to the Privacy Act Review released in February 2023. Of the 116 recommendations made in the original report, the government has committed to 38 and has agreed “in principle” to a further 68. The changes will enhance both individuals’ privacy rights and the requirements of entities handling personal information to handle it securely.

Alongside the government’s response, the OAIC published its latest Notifiable Data Breaches Report for H1, 2023. While the total number of breaches reported fell compared to H2, 2022, one breach affected more than 10 million Australians — the highest number reported under the notification scheme.

Meanwhile, New Zealand’s Privacy Amendment Bill was introduced to Parliament on September 5. Among the proposed changes, the Amendment Bill introduces a new notification requirement for organisations when they collect personal information indirectly. This means they will need to take “reasonable steps” to ensure the individual is informed about their collection of their data.

UK passed Online Safety Bill; issues AI enforcement notice

The UK’s new Online Safety Bill passed its final Parliamentary debate in September and will soon be passed into law. There’s been controversy surrounding the bill since it was first published four years ago, mainly associated with its original demand that end-to-end encryption used by social media and messaging services to protect individuals’ privacy and security be broken to support criminal and child abuse investigations. 

The Information Commissioner in the UK has issued its first preliminary enforcement notice against the generative AI chatbot “My AI,” arguing that its creators failed to “adequately assess the data protection risks posed by the generative AI technology, particularly to children.” 

California and Delaware step up residents’ privacy rights

Delaware Governor John Carney signed the Delaware Personal Data Privacy Act into law on September 11, 2023. The new law will come into force from January 1, 2025. Similar to its counterparts in Connecticut and Virginia, the Delaware act adopts a broader definition of sensitive personal data as well tighter restrictions for the sale of data and targeted advertising for children and young adults up to the age of 18.

California’s CPPA will be empowered to create a system enabling residents to make a single request to delete their data across data brokers operating in the state if the California Delete Act is signed into law. The bill is in the hands of state governor, Gavin Newsom. 

Data discovery can provide the insight you need for regional and global privacy compliance. Find out more.