Here is a roundup of some of the recent regulatory updates in the data protection and privacy space around the world.
Quebec’s Law 25 amendments
On September 22, 2023, the second set of amendments to Quebec’s privacy law (under “Bill 64” or “Law 25”) came into effect. The amendments aim to modernise Quebec’s long-standing privacy law in line with current data protection requirements. Organisations covered by Quebec’s privacy law must develop, or review their existing, internal governance policies and practices related to the protection of personal information. These policies must align with the legal requirements and be approved by the “person in charge” (PIC). Other changes under the amendments include new rules for direct marketing, automated decision-making, and the transfer of personal information outside Quebec. The amendments also introduce a scheme of administrative monetary penalties (AMPs). Quebec’s data protection regulator, the Commission d’accès à l’information (CAI), has published a framework outlining how these AMPs will be enforced.
UK-US Data Bridge
The UK’s Department for Science, Innovation and Technology (DSIT) announced on 21 September 2023 that the UK-US Data Bridge will take effect on 12 October 2023. The UK-US Data Bridge allows UK businesses and organisations to lawfully transfer personal data to US-based businesses that have self-certified under the UK Extension to the EU-US Data Privacy Framework (EU-US DPF).
The announcement confirms that the UK-US Data Bridge provides a level of protection for UK individuals’ personal data “essentially equivalent” to that of the UK GDPR. Preceding the UK’s announcement, on 18 September, the US Attorney General designated the UK as a “qualifying state” under Executive Order 14086. This move means UK individuals whose personal data is transferred to the US can access a newly established redress mechanism if they believe their data was accessed unlawfully by US authorities for national security purposes.
The UK-US Data Bridge is open only to US organisations under the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DoT). Organisations not subject to the FTC’s or DoT’s enforcement powers, such as banks, insurance firms, and telecommunications providers, cannot currently participate in the programme.
Danish guidance on unauthorised employee access to personal data
On September 18, 2023, the Danish data protection authority (Datatilsynet) released new guidance aimed at helping organisations prevent unauthorised access to personal data by their employees. Datatilsynet acknowledges that detecting employee misuse of personal data for non-work-related purposes can be challenging. However, the regulator emphasises that such misuse can be addressed through a combination of systematic rights management, effective control procedures, and strong enforcement by the data controller.
The guidance provides specific measures that organisations can implement to reduce the risk of unauthorised access to personal data by employees, including:
- Conducting a risk assessment tailored to the organisation’s specific needs.
- Managing and controlling access rights, ensuring that employees only have access to data relevant to their job responsibilities.
- Maintaining logs of employee interactions with personal data, including actions such as reading, searching, deleting, modifying, and login attempts.
- Implementing robust control mechanisms, such as continuous monitoring of employee activities on systems that handle personal data.
- Informing employees about the existing control measures and the consequences of violating data access rules.
- Enforcing control measures by imposing sanctions, such as fines, on employees who misuse their access to personal data.
The guidance provides that, in certain cases where an organisation becomes aware of unauthorised access by an employee, it may be necessary to report the employee to law enforcement authorities, such as the police. It further provides a framework for organisations to proactively manage and mitigate the risk of unauthorised access to personal data by their employees, promoting both data protection and legal compliance.
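Two of the measures listed above, restricting access rights to the records an employee actually needs and keeping logs of reads, modifications, deletions and login attempts, only reduce risk if someone reviews the logs against the entitlements. The following script is an added illustration of that review step; it is not part of the Datatilsynet guidance and the log format, field names, user names, record identifiers and thresholds are all constructed for the example. It parses a small pipe-delimited access log, flags successful reads, modifications or deletions of records outside a user’s assignment (users absent from the assignment table are treated as entitled to nothing), and reports bursts of failed logins within a short window.

```python
"""Review an access log for employee activity that falls outside assigned duties.

Added example: the log format, users, record ids and thresholds below are
constructed for illustration and are not taken from any regulator's guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data). One event per line:
# timestamp|user|action|record_id|outcome
SAMPLE_LOG = """\
2023-09-18T08:01:10|alice|login|-|success
2023-09-18T08:02:30|alice|read|case-1001|success
2023-09-18T08:05:12|alice|read|case-1002|success
2023-09-18T08:07:45|alice|search|name=Jensen|success
2023-09-18T08:09:01|alice|read|case-2001|success
2023-09-18T09:00:00|bob|login|-|failure
2023-09-18T09:00:05|bob|login|-|failure
2023-09-18T09:00:09|bob|login|-|failure
2023-09-18T09:00:14|bob|login|-|failure
2023-09-18T09:00:20|bob|login|-|success
2023-09-18T09:02:00|bob|delete|case-3001|success
"""

# Constructed assignment table: the records each employee needs for their job.
# A user missing from the table is entitled to nothing (deny by default).
ASSIGNMENTS = {
    "alice": {"case-1001", "case-1002"},
    "bob": {"case-3001", "case-3002"},
}

DATA_ACTIONS = {"read", "modify", "delete"}   # actions that touch a record
FAILED_LOGIN_THRESHOLD = 3                    # failures ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)   # ... within this window


def parse_log(text):
    """Turn the pipe-delimited log into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_id, outcome = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record_id": record_id,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_out_of_scope_access(events, assignments):
    """Successful data actions on records outside the user's assignment."""
    findings = []
    for e in events:
        if e["action"] not in DATA_ACTIONS or e["outcome"] != "success":
            continue
        allowed = assignments.get(e["user"], set())
        if e["record_id"] not in allowed:
            findings.append({
                "user": e["user"],
                "action": e["action"],
                "record_id": e["record_id"],
                "ts": e["ts"].isoformat(),
            })
    return findings


def find_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD,
                             window=FAILED_LOGIN_WINDOW):
    """Users with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            failures[e["user"]].append(e["ts"])
    findings = []
    for user, times in sorted(failures.items()):
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"user": user, "failed_logins": peak})
    return findings


def review(log_text, assignments):
    """Run both checks and return the findings grouped by category."""
    events = parse_log(log_text)
    return {
        "out_of_scope": find_out_of_scope_access(events, assignments),
        "failed_login_bursts": find_failed_login_bursts(events),
    }


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG, ASSIGNMENTS).items():
        print(category)
        for item in items:
            print("   ", item)
```

On the sample data the script reports alice’s read of case-2001, which is not in her assignment, and bob’s four failed logins in fourteen seconds; bob’s deletion of case-3001 is within his assignment and is not flagged. The name-based search is deliberately left out of the record check, since it carries no record id; in practice such searches would be reviewed separately, for instance by counting them per user.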
As a global B Corp organisation, HewardMills is ready to partner with and support your organisation in safeguarding personal data and meeting the challenging, ever-evolving global data protection regulatory requirements.
Contact our team if you would like to discuss any of the regulatory updates covered here.