Global News Roundup: May 4–10, 2021

In this week’s global legislative roundup, China’s National People’s Congress Standing Committee released the second draft of the Personal Information Protection Law for public comment, Thailand postponed enforcement of its Personal Data Protection Act to May 31, 2022, and lawmakers in Canada are debating which legislative committee should be next to consider the country’s framework for federal privacy law reform. In the U.S., Sen. Rick Scott, R-Fla., introduced legislation that would require organizations with more than 30 million subscribers to obtain consent before using data or tracking users’ preferences.

LATEST NEWS 

China’s National People’s Congress Standing Committee released the second draft of the Personal Information Protection Law for public comment, according to Stanford University’s DigiChina Cyber Policy Center.
More

The U.S. Department of Labor’s Employee Benefits Security Administration issued cybersecurity-focused guidance on benefit plans regulated by the Employee Retirement Income Security Act that emphasizes steps to mitigate risks, according to Hogan Lovells. 
More

ICYMI

For The Privacy Advisor, University of São Paulo Law School’s Beatriz de Sousa and LGBTeses Founder Bernardo Fico explored the children’s privacy provisions under Article 14 of Brazil’s General Data Protection Law, the importance placed on consent and what can be done to protect kids under the law.
More

IAPP Westin Fellow Nicole Sakin broke down the Indian Ministry of Electronics and Information Technology’s Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, for The Privacy Advisor.
More

The IAPP created a chart for the Resource Center comparing the data privacy laws in Virginia and California in the U.S. The chart looks at the scope of Virginia’s Consumer Data Protection Act, the California Consumer Privacy Act and the California Privacy Rights Act and how each approaches data subject rights and the roles of processors and third parties.
More

ENFORCEMENT

The Cyberspace Administration of China found 33 mobile phone applications violated data privacy rules by gathering data without consent, Reuters reports.
More

France’s data protection authority, the Commission nationale de l’informatique et des libertés, announced it closed its injunction against Google.
More

According to DLA Piper’s blog, “Privacy Matters,” the German Federal Labor Court dismissed a claim that Article 15 of the EU General Data Protection Regulation grants a right to receive copies of emails as inadmissible.
More

Iceland’s DPA, Persónuvernd, fined InfoMentor ISK 3.5 million over a security breach that took place during February 2019.
More

Norway’s DPA, Datatilsynet, issued a notification of an infringement fee of NOK 5 million to toll company Ferde for allegedly transferring motorists’ personal data to China.
More

Norway’s Datatilsynet also plans to fine Disqus NOK 25 million for violations of the GDPR.
More

Spain’s DPA, the Agencia Española de Protección de Datos, fined Equifax approximately $1.1 million for allegedly scraping individuals’ publicly available data and using it in credit reports, the Wall Street Journal reports.
More

Spain’s AEPD also issued a 1.5 million euro fine against EDP Comercializadora for GDPR violations.
More

ASIA-PACIFIC

The Cabinet of Thailand signed a royal decree postponing the enforcement of the Personal Data Protection Act to May 31, 2022, the Bangkok Post reports.
More

CANADA

Canadian lawmakers are debating which legislative committee should be next to consider Bill C-11, the country’s framework for federal privacy law reform, The Hill Times reports.
More

EUROPE

A leaked document shows EU lawmakers may soon come to an agreement on a temporary derogation from the ePrivacy Directive to combat online child sexual abuse, Euractiv reports.
More

LATIN AMERICA

Mexican Sen. José Alberto Galarza Villaseñor introduced amendments concerning the territorial scope of the Federal Law on Protection of Personal Data Held by Private Parties.
More

US

U.S. Sen. Rick Scott, R-Fla., introduced the Data and Algorithm Transparency Agreement Act, which would require organizations with more than 30 million subscribers to obtain consent before using data or tracking users’ preferences, Florida Politics reports.
More

GUIDANCE

Denmark’s DPA, Datatilsynet, announced updates to its guidance on consent under the GDPR. Notable updates include clarifications on consent for processing by public authorities and how swiping or scrolling through a site “is not considered an unequivocal expression of will.”
More

The Dutch DPA, Autoriteit Persoonsgegeven, published a blog post explaining processes for “hashed and cut” anonymization techniques, which commonly do not anonymize data fully unless done properly.
More

The Committee of Ministers of the Council of Europe adopted a Declaration urging member states to bolster protections for children’s privacy and personal data.
More