
The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues. It’s not the full story, just a brisk, 3-minute resumé, collated and condensed especially for busy privacy professionals to ensure you’re aware of what’s happening in our fascinating, dynamic and engaging industry. 

An insight into U.S. data protection laws  

The globe has never been as interconnected as it is right now. With the significant development of technology over recent years, the way we process and share data between countries is seemingly easier than ever before. Data sharing and international data transfers are on the rise, so it is essential that your organisation is aware of and understands various international data protection laws and adopts appropriate measures to protect your data subjects’ personal data.  

The United States, unlike other countries, has a collection of different laws to adhere to, depending on the State you are in, which can be confusing for organisations that either operate in the U.S. or process data on behalf of citizens who reside there.

In this blog, we look at some of the data protection laws that are in effect across the U.S. and the scope for new legislation, and discuss the potential federal laws that could, one day, help with the legislative gaps. You can read the full blog here.

Data Reform Bill 2.0 introduced into Parliament 

The UK government has re-introduced the (new) Data Protection and Digital Information Bill to Parliament. The new bill has replaced the old one, which was published under the Johnson government and then revised following the public consultation process. Despite Michelle Donelan announcing that her Government would “replace GDPR with our own business and consumer-friendly data protection system”, the key reforms laid out in the original Bill remain the same. There have, however, been a few changes, particularly in scientific research, legitimate interest, automated decision-making, record keeping, the duty to report, and international transfers. It is unclear how long it will take to become law, as there may well be resistance from the House of Lords on some parts.

ICO updates guidance on AI and data protection 

The Information Commissioner’s Office (ICO) has updated its guidance on the use of AI; the updates come after requests from different UK industries to clarify the requirements for the fairness of AI. The updates also meet one of the ICO’s key commitments listed in the ICO25 plan, which aims to help organisations adapt to new and emerging technologies while protecting data subjects and vulnerable groups. The guidance also includes updates on accountability and governance, transparency, lawfulness, accuracy and statistical accuracy, and fairness in the AI lifecycle. You can read the guidance here.

European Parliament adopts the OECD's definition of 'AI'   

On the 3rd of March, representatives working on the AI Act reached a political agreement on the definition of ‘Artificial Intelligence’ (AI). This agreement is highly consequential as it will define the scope of the Act and the AI rulebook. The definition is: “‘Artificial intelligence system’ (AI system) means a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate output such as predictions, recommendations, or decisions influencing physical or virtual environments”. The definition agreed on largely overlaps the Organisation for Economic Cooperation and Development's (OECD) definition. The OECD has recently released a paper on ‘advancing accountability in AI’, presenting research and findings on accountability and risk within the AI system and providing an overview of how risk-management frameworks and the AI system lifecycle can be integrated to promote trustworthy AI.

DPC publishes 2022 Annual Report 

The Irish Data Protection Commission (DPC) has published its Annual Report for 2022. In a statement, Helen Dixon, Commissioner for Data Protection, said “2022 was a year that saw significant outputs from the DPC in its efforts to drive GDPR compliance and protect the rights of those in Ireland and across the EU…. the DPC has also demonstrated it does not shy away from enforcing the law and applying sanctions where warranted”. Notable figures include the DPC concluding 10,008 cases, 17 large-scale inquiries with administrative fines in excess of €1 billion, and four draft decisions made in the large-scale inquiries. The DPC also became a founding member of Ireland’s first Digital Regulators Group, helping to integrate communication with the Government and drive regulatory coherence ahead of the pending EU-level legislative changes.

'Right to be forgotten' requests soar during the pandemic 

Research from Surfshark has revealed that Google and Bing received more than a million ‘right to be forgotten’ requests between 2015 and 2021, with the rate dramatically increasing during the pandemic. The research shows a country-by-country breakdown of these requests, with around half coming from western Europe. France was one of the most popular countries for requests, with nearly a quarter of all requests coming from French citizens. Estonia had the most requests per head of population, and 125,300 requests came from the UK (around 12% of the total requests submitted). The report also found that there was some enthusiasm when the right came into effect, which then tailed off but quickly picked up during the Covid-19 pandemic. This could be because of the move to the ‘virtual world’, with people becoming more aware of their rights, or perhaps the accelerated enforcement of GDPR and online privacy rights.

Costa Rica introduces a Bill on Data Protection to the Legislative Assembly 

Bill No.23097 for the Data Protection Law was introduced to the Legislative Assembly. The bill aims to prohibit the processing of sensitive personal information including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership. The bill also prohibits the processing of genetic, biometric, health, or sex life data. The bill introduces data subject rights similar to the GDPR and outlines data processing principles like accuracy, legitimacy, proportionality, and accountability. The bill also introduces proactive measures for processing personal data, like privacy by design and self-regulating measures.

India data protection update: MeitY presents the proposed Digital India Act 

During the Digital India Dialogues, the Ministry of Electronics and Information Technology (MeitY) presented the proposed Digital India Act 2023 (DIA). The presentation highlighted India’s digital revolution and the limitation of the current Information Technology Act 2000 with respect to global advancements around data protection. The DIA would seek to adopt a principles and rule-based approach to data protection regulation. Some of the elements include age-gating to protect children’s data, a mandatory ‘do not track’ requirement to avoid children being the target of advertisements, certain digital user rights such as the right to be forgotten, regulations for market entry for privacy-invasive devices, and strict Know Your Customer requirements for retail sales.

We want you!

In addition to our ongoing search for remarkable UK- and Netherlands-based Privacy Professionals, we are also seeking suitable candidates for the following positions:

  • Instructional Designer and
  • Marketing Coordinator to join our #oneteam

If you are looking for a new and exciting challenge, apply today!

Keep in touch

Do you have any interesting stories? Are you looking for support with your data protection compliance? We would love to hear from you!

Please email us at news@thedpia.com.

Copyright © 2023 The DPO Centre, All rights reserved. 

The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595)
Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom

The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom
