While China has pursued passing multiple data security laws in recent years, cross-border data sharing rules are still being finalized. Rules and guidance provided in recent months outline initial implementation details for transfers.
Geolocation data is a growing topic among privacy professionals due to the lack of regulatory safeguards around such data. Gravy Analytics Vice President of Legal and Chief Privacy Officer Jason Sarfati said arriving at a legislative solution isn't easy given misunderstandings around user identifiability. Sarfati offered a rundown of what geolocation data is all about and pointers for U.S.
California Attorney General Rob Bonta announced the first enforcement action under the California Consumer Privacy Act, a $1.2 million settlement with multinational retailer Sephora over violations of the law's "Do Not Sell" provisions. Sephora's violation specifically relates to failures to inform individuals about the sale of their data and process sale opt-outs through the Global Privacy Control. The retailer did not utilize the 30-day cure period allowed under the CCPA. The landmark settlement also includes required operational improvements.
Kenya created a requirement for startups that process personal data to register with the Office of the Data Protection Commissioner, PYMNTS.com reports. While Kenya’s Data Protection Act is the EU General Data Protection Regulation’s closest parallel on the African continent, a potential bilateral trade deal with the U.S. could save American companies compliance headaches after the EU-U.S. Privacy Shield was overturned in 2020. However, provisions of the anticipated Kenya-U.S.
Turkey’s data protection authority, the Kişisel Verileri Koruma Kurumu, published draft guidelines for the processing of genetic data. The KVKK considers genetic data under the umbrella of “sensitive personal data” under the Law on the Protection of Personal Data.
The U.S. Department of Health and Human Services Office for Civil Rights fined New England Dermatology and Laser Center $300,640 for violating the Health Insurance Portability and Accountability Act Privacy Rule. The health center was found to have improperly deleted protected health information when it threw out specimen containers with labels carrying patient names, birthdates, dates of sample collection and name of the provider who took the specimen.
The U.S. is facing “creeping authoritarianism,” Thor Benson writes for Wired. Experts advocated for policymaking that fundamentally ingrains privacy in law so those mechanisms could not be abused by a future autocratic leader. He said some experts claim the American Data Privacy and Protection Act does not establish strong enough privacy protections for individuals.
Austrian consumer advocacy group NOYB filed a complaint to France’s data protection authority, the Commission nationale de l'informatique et des libertés, over Google allegedly violating an EU court order, Reuters reports. The complaint alleged Google sent unsolicited advertising emails directly to its European Gmail users. If the CNIL were to rule against Google, the decision would only apply to French Gmail users; however, such a ruling could force Google to reevaluate its practices across the EU.