Background
In August 2024, global data privacy saw major shifts with new cross-border agreements like the EU-Japan EPA, Brazil's landmark injunction on WhatsApp, a sizeable fine against Uber, and China's identity authentication measures. Sector-specific protections tightened, especially for children's privacy in the U.K. and facial recognition in Denmark, while formal guidance from Brazil and India clarified compliance in an evolving digital landscape.
New Cross-Border Data Agreements
In July and August 2024, new agreements and mechanisms were advanced to regulate and facilitate cross-border data transfers while maintaining robust privacy protections:
EU-Japan Economic Partnership Agreement: On July 1, 2024, the EU-Japan Economic Partnership Agreement (EPA) entered into force, enabling free data flow between these two major digital economies. The agreement ensures that data transfers occur without arbitrary restrictions while allowing both regions to continue regulating cross-border personal data transfers as necessary.
China-EU Cross-Border Data Flow Communication Mechanism: China and the EU began discussions under a new mechanism aimed at addressing challenges related to the transfer of nonpersonal data. This initiative, part of the ongoing High-level Digital Dialogue, represents a significant step toward resolving data transfer issues between the two regions.
Switzerland's U.S. Adequacy Decision: Switzerland issued an adequacy decision on August 14, 2024, allowing the transfer of personal data to the U.S. under the Swiss-U.S. Data Privacy Framework. This decision, effective from September 15, 2024, aligns with similar agreements the U.S. has with the EU and U.K., ensuring that data transfers meet high privacy standards.
Suspended Data Flows & Fines
This summer saw significant corrective action for Meta and Uber:
Brazil's Injunction on WhatsApp: On August 16, 2024, a federal court in São Paulo suspended Meta's access to Brazilian consumer data following a ruling that WhatsApp's data-sharing practices lacked sufficiently clear and transparent disclosures. Such non-disclosure amounted to an abuse of consumer rights. The court prohibited the sharing of Brazilian consumer data with Meta companies and ordered WhatsApp to implement an 'opt-out' functionality within 90 days, severing data flow within the region.
EU General Data Protection Board Fine: The Netherlands' DPA, Autoriteit Persoonsgegevens, imposed a 290 million euro fine against Uber for improper data transfers between the EU and U.S. during the Privacy Shield gap, marking a significant enforcement action in the context of cross-border data transfers. The Dutch SA found that Uber collected, among other things, sensitive information of drivers from Europe and retained it on servers in the U.S. The data included account details and taxi licenses, but also location data, photos, payment details, identity documents, and, in some cases, even criminal and medical data of the drivers.
Sector-Specific Data Protection
In August 2024, European regulators focused on protecting sensitive data in specific sectors, particularly targeting industries where vulnerable populations are involved:
U.K. ICO Review of Children's Privacy: The U.K. Information Commissioner's Office (ICO) conducted a review of 34 social media and video-sharing platforms, identifying 11 that failed to adequately protect children's privacy. The ICO's findings suggest potential enforcement actions, emphasizing the need for stricter privacy measures in digital platforms catering to children.
Denmark's Facial Recognition Ruling: Denmark's Data Protection Authority (DPA) ruled that facial recognition systems could be used in gyms for identity verification, provided valid and informed consent is obtained. This decision underscores the importance of sector-specific privacy considerations, particularly in contexts involving sensitive biometric data.
Formal Guidance on Data Practices
Several countries issued formal guidance on data practices, aiming to clarify and expand obligations for data protection and privacy compliance:
Brazilian Data Protection Authority (ANPD) Guidance: The ANPD issued new regulations on data transfers, including Standard Contractual Clauses, through CD/ANPD No. 19, providing clarity on international data transfer obligations. In July, the ANPD also published guidance on Controller and Data Protection Officer (DPO) obligations, further defining roles and responsibilities under Brazil's data protection framework.
China's National Network Identity Authentication Measures: On August 25, 2024, China's Ministry of Public Security and the CAC passed the "National Network Identity Authentication Public Service Management Measures" after public consultation. These measures aim to enhance personal information protection and improve public network identity authentication services, with a focus on promoting the digital economy and reducing the collection and storage of plaintext identity information.
India's DSCI Report on Cybersecurity & Data Privacy: To prepare Indian businesses for compliance with the Digital Personal Data Protection Act (DPDPA) in 2024, the Data Security Council of India (DSCI) published a report offering actionable strategies for managing emerging cyber threats, ensuring compliance, and adopting best practices for data lifecycle management.
This summer has been a pivotal period for global data privacy legislation and enforcement, marked by increased cross-border data agreements, rigorous enforcement actions, and targeted sector-specific protections. Governments are making strides in regulating technology, instilling greater confidence in these institutions.