CPRA Rulemaking Process Enters Final Steps
The California Privacy Protection Agency’s approval of modifications to draft regulations and subsequent initiation of a public consultation concerning those modifications mark one of the last steps to what’s become an unexpectedly drawn-out process. Included in the updates to the draft rules was language for consideration of a potential enforcement delay where deemed appropriate in connection to the CPPA’s slower drafting.
Tanzania Parliament Passes Personal Data Protection Bill
Tanzania’s Parliament unanimously passed the Personal Data Protection Bill 2022 recently. Minister for Information, Communication and Information Technology Nape Nnauye said he expects a “flood of investors should President Samia Suluhu Hassan sign the bill into law. The bill establishes a Commission for the Protection of Personal Data, which would have the authority to issue fines for the mishandling of personal data and set policies and procedures for the handling of such data.
US Senators Request Halt to FTC Privacy Rule-Making
U.S. senators sent a letter to U.S. Federal Trade Commission Chair Lina Khan asking the agency to stop its rulemaking initiative on commercial surveillance and lax data security. The U.S. senators wrote that the FTC “should not exceed its authority” with rulemaking in the absence of a federal privacy law and instead “leave that work to Congress.” The senators added that privacy and data security issues require “robust, adaptive” standards that “can only be struck within federal legislation that is comprehensive and preemptive.”
European Parliament’s Take on the Proposed Data Act
Members of the European Parliament raised more than 1,000 amendments to the original draft legislation in September alongside the Parliament rapporteur’s official draft review. Potential changes concern public access to private data, Internet of Things considerations, and data governance and interoperability. German MEP Angelika Niebler said the proposal needs to be “technically feasible, legally secure and financially viable and attractive.”
Argentina Finalizes Proposed Data Protection Reform
Argentina’s data protection authority, the Agency of Access to Public Information, announced the finalization of its proposed reforms to Law No. 25,326 on the Protection of Personal Data. Following an extended public consultation featuring 173 submissions, the AAPI took up 80 articles in its final proposal and modified 43 based on public comments. The reform package was presented to Argentina’s government for review before introduction to the National Congress of Argentina.
Russian App Posing as US-Based Company Used by US Army, CDC
Thousands of Apple and Google mobile applications were found to contain computer code developed by a Russian software company disguised as a U.S. company. The apps, including some used by the Centers for Disease Control and Prevention and the U.S. Army, were made by Pushwoosh. Upon contact by Reuters, the CDC removed seven of its public apps, while the Army removed an app in March after it was used by soldiers at a combat training base. The code allows developers “to profile the online activity of smartphone app users.”
EDPS Issues Opinion on EU-Wide Cybersecurity Requirements
European Data Protection Supervisor welcomed proposed regulation, including security and data minimization principles, in EU-wide cybersecurity requirements. He said, “Harmonised cybersecurity requirements across the EU should reduce the risks for Europeans of being victims of cyber-attacks and of the vast consequences that these may entail, such as the theft and misuse of their personal data.” He noted controllers and processors must ensure appropriate security in processing personal data under the EU General Data Protection Regulation.
MEIT likely to Introduce New Data Protection Bill Draft
India’s Ministry of Electronics and Information Technology is anticipated to introduce a new version of India’s proposed data protection bill Nov. 16. The bill was withdrawn in Parliament during the Monsoon Session over issues related to personal data protection, Union Minister of Railways, Communications and Electronics and Information Technology Ashwini Vaishnaw said. The new version of the bill proposes establishing a data protection board, rather than a data protection authority.
Children’s Privacy Regulation Could See Final 2022 Push in US Congress
Advocates and lawmakers say proposals to protect children’s data online could be rolled into year-end defense packages. U.S. Senate leadership is pushing two proposed bills, the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act. Senate Committee on Commerce, Science and Transportation Communications Director supports any efforts to pass the proposals.
ICO Publishes Transfer Risk Assessment Guidance
The U.K. Information Commissioner’s Office announced new guidance and resources for data transfer risk assessments. The ICO said its guidance presents an “alternative, achievable approach” compared to the European Data Protection Board’s guidelines and touted the assessment process as “reasonable and proportionate.” The assessment tool rolled out by the ICO evaluates risk based on “whether the transfer significantly increases the risk of either a privacy or other human rights breach.”
MEPs Pitch Enforcement Changes to Proposed AI Act
European Parliament rapporteurs for the proposed Artificial Intelligence Act circulated a fresh compromise text focused on overhauling parts of the bill’s enforcement framework. The proposed updates include unannounced on-site checks of high-risk AI systems, joint investigations for large-scale incidents and a broader approach to a pan-European database for such systems. Additional changes to incident reporting obligations and approach to noncompliance concerning technical documentation were also raised.
The Ins and Outs of India’s Proposed Digital Personal Data Protection Bill 2022
The recently proposed Digital Personal Data Protection Bill 2022 from India’s Ministry of Electronics and Information Technology is seeking to fulfill years of shortcomings with the Indian government’s prior draft data protection legislation. The new bill deals with processing digital personal data within the territory of India, including provisions from the scrapped Data Protection Bill and fresh takes on data protection problems. See more about the bill here.
EU Council Releases New Proposed Cyber Resilience Act
The Czech Presidency of the Council of the European Union released new text on the proposed Cyber Resilience Act, legislation intended to enact cybersecurity requirements for connected devices and related services, Euractiv reports. In the addition, member states are not prevented from imposing national restrictions on digital products, including bans, based on national security.