By Tham Shen Hong, Irma Gudžiūnaitė, Venkatesh Krishnamoorthy, Wong Wai San, Tomoko Naoe, Olga Medina, Kate Goodloe, Thomas Boué, and Joseph Whitlock.
Organizations worldwide have observed Data Privacy Day since 2007, to raise awareness about the importance of protecting privacy. To help mark the occasion of Data Privacy Day 2024, BSA’s global policy experts around the world share their perspectives on what privacy developments to watch for this year.
- Australia: Overhauling the Privacy Act
- European Union: Second Report on the General Data Protection Regulation
- India: Implementing the New Digital Personal Data Protection Act
- Indonesia: Finalizing Regulations for Personal Data Protection Law
- Japan: Reviewing National Privacy Law
- US: States Leading on Privacy Legislation
- US: Federal Focus on Privacy and AI
- Transatlantic Data Transfers: First Regular Review of the EU-US Data Privacy Framework
- Digital Trade Agreements Advance Global Privacy Norms
Australia: Overhauling the Privacy Act
This year, Australia will focus on reforming its more than 30-year-old Privacy Act of 1988. After more than two years of consultations that culminated in a report with 116 proposed reforms, the Government indicated it would overhaul the Act to ensure that it remains fit-for-purpose, agreeing to some reforms and agreeing “in principle” to others. The overhaul will expand the scope of the Act to apply to more entities, provide more clarity for businesses, improve individuals’ control over their personal information, and strengthen the enforcement powers of regulators. Importantly, the Government agreed in principle to create a distinction in the Act between controllers and processors, which aligns with the longstanding distinction recognized in privacy laws worldwide. Moving forward, the Government will develop legislative text on “agreed” reform proposals and conduct further consultations on proposals that were “agreed-in-principle.” These reforms will complement other ongoing efforts including consultations on Supporting Safe and Responsible AI in Australia and the 2023-2030 Australian Cyber Security Strategy.
– Tham Shen Hong, Senior Manager, Policy — APAC, based in Singapore
European Union: Second Report on the General Data Protection Regulation
By early summer, the European Commission is set to release the second report on the application of the EU’s General Data Protection Regulation (GDPR). The report will come just before the end of the Commission’s political term and six years after the GDPR took effect. It is expected to build on the Commission’s 2020 GDPR report, which highlighted the GDPR’s technologically neutral and future-proof approach. This year’s report is expected to be similarly positive, minimizing the likelihood of substantial changes to the GDPR. However, the report may advocate for stronger enforcement, increased support for SMEs, and improved utilization of international data transfer tools. EU Member States and the European Data Protection Board have already outlined their wish lists for the report, focusing on reducing burdens for SMEs, enhancing data transfer tools, and providing targeted guidelines. Over the English Channel, the UK continues to work on its privacy reforms that would diverge from the EU GDPR and create greater flexibility for industry. The UK government expects to conclude the legislative procedure on the UK Data Protection and Digital Information Bill by spring 2024.
– Irma Gudžiūnaitė, Director, Policy, based in Brussels
India: Implementing the New Digital Personal Data Protection Act
This year, India will focus on implementing its new national privacy law, after it enacted the Digital Personal Data Protection (DPDP) Act last August. The Ministry of Electronics and Information Technology (MeitY) will publish implementing rules and establish the new Data Protection Board (DPB). MeitY is expected to issue draft rules in early 2024, focusing on rules that are high-level and principled, but raise key issues on data breach reporting obligations, consent requirements, and obligations for significant data fiduciaries. However, India will have national elections in April-May 2024, making the timeline for completing that rulemaking process unclear.
— Venkatesh Krishnamoorthy, Country Manager, India, based in New Delhi
Indonesia: Finalizing Regulations for Personal Data Protection Law
Indonesia is also expected to focus on implementing its recently enacted national privacy law this year. It adopted the long-awaited Personal Data Protection Law at the end of 2022, joining the expanding club of APAC jurisdictions with a national-level personal data protection law. In mid-2023, Indonesia consulted the industry on draft regulations and this year we expect to see those regulations finalized. We are watching for provisions on consent, additional bases for processing personal data, data breach notifications, cross-border transfers, and data subject requests. While the February 14 Presidential Elections may complicate matters, President Joko Widodo’s term officially ends in November 2024. It is therefore still possible for the regulations to be issued by the end of his term, which industry insiders have reported is a priority for him.
― Wong Wai San, Senior Manager, Policy — APAC, based in Singapore
Japan: Reviewing National Privacy Law
In 2024, Japan will review its national privacy law, under the “Every-Three-Year Review” system of the Act on the Protection of Personal Information. The Personal Information Protection Commission (PPC) has already started this process, focused on issues including: substantial protection of individual rights and interests; effective monitoring and supervision, particularly to prevent large-scale data breaches; supporting efforts to utilize data for public interest in areas such as healthcare, education, disaster prevention, and children; and facilitating international data transfers. PPC may also use this opportunity to examine the processing of personal data in connection with generative AI systems and in cloud environments. PPC is expected to release an interim report this spring and continue the review throughout the year before submitting a draft amendment of the Act to the Diet in 2025.
― Tomoko Naoe, Director, Policy — Japan, based in Tokyo
US: States Leading on Privacy Legislation
Already this year, New Jersey has enacted a consumer privacy law and New Hampshire’s legislature has passed a comprehensive privacy bill, which will soon head to the governor. If signed, it would bring the total number of states with comprehensive consumer privacy laws to 15. As we start 2024, five state privacy laws are in effect (in California, Colorado, Connecticut, Utah, and Virginia) and another four will take effect this year (in Montana, Oregon, Florida, and Texas). We also expect to see renewed efforts to pass privacy legislation from lawmakers who have tried before, including in Hawaii, Kentucky, Minnesota, New York, Ohio, Pennsylvania, and Wisconsin. For privacy professionals, the good news is that many of the new state laws adopt the same structural approach — and adjust it to increase or decrease protections for consumers — making it easier to map the obligations in these new laws against one another. This year, we’re watching to see if states depart from these existing models of state privacy legislation or take on privacy-adjacent issues such as biometric privacy, consumer health privacy, and the convergence of AI and privacy. It will also be an important year for enforcement and rulemaking, as the five states with privacy laws on the books look toward enforcement and California’s privacy agency moves ahead with rulemaking on cybersecurity audits, risk assessments, and automated decision-making.
― Olga Medina, Director, Policy, based in Washington, DC
US: Federal Focus on Privacy and AI
Both Congress and the Administration will focus on privacy in 2024, with a range of actions ahead. On the Hill, lawmakers in the Senate are focused on bills that would protect children’s privacy and online safety, while in the House discussion remains centered on the American Data Privacy and Protection Act, a comprehensive privacy bill that passed out of the House Energy & Commerce Committee last Congress with bipartisan support but has yet to be reintroduced in the current Congress. The increased attention on AI has also spurred more focus on privacy protections. Across the Administration, agencies including the National Institute of Standards and Technology (NIST) will touch on privacy as they implement aspects of the recent Executive Order on AI, including its support for privacy enhancing technologies. The Federal Trade Commission is also expected to move forward on its commercial surveillance rulemaking, which could sweep in privacy, cyber, and AI issues.
– Kate Goodloe, Managing Director, Policy, based in Washington DC
Transatlantic Data Transfers: First Regular Review of the EU-US Data Privacy Framework
This year will see the first annual review of the EU-US Data Privacy Framework (EU-US DPF). The purpose of this review is to verify whether the US legal framework supporting the DPF is operating in practice. In particular, it will focus on the effectiveness of redress mechanisms available to EU citizens whose personal data is wrongly handled, and the functioning of the new Data Protection Review Court that handles complaints on access to data by US national security authorities. As a reminder, the EU-US DPF also relies on binding safeguards regarding US national security authorities’ access to data (based on the US Executive Order 14086) that limit access to what is necessary and proportionate to protect national security. Depending on the outcome of that first review, the European Commission will decide, in consultation with the EU Member States and Data Protection Authorities, on the frequency of future reviews, which will take place at least every four years. In the meantime, the EU General Court will also deal with a challenge from a French politician (MP Philippe Latombe) to the EU-US DPF on the grounds that the newly created Data Protection Review Court does not offer an effective remedy and lacks transparency in relation to the alleged bulk collection of personal data by US intelligence authorities. Privacy professionals from both sides of the Atlantic and beyond will be watching this space.
– Thomas Boué, Director General EMEA, based in Brussels
Digital Trade Agreements Advance Global Privacy Norms
In the World Trade Organization (WTO) Joint Statement Initiative on E-Commerce, negotiations on digital trade and privacy, personal data protection, and consumer protection (among other topics) are expected to substantially conclude in 2024. The negotiations, which involve some 90 WTO Member States representing more than 90 percent of global trade, have been led by Australia, Japan, and Singapore. The negotiated outcome is expected to include provisions that recognize the contributions of personal data protection and privacy to digital trust and economic development. The outcome may also require Parties to: (1) Adopt or maintain a legal framework that provides for the protection of personal data related to electronic commerce; (2) Take into account the privacy-related principles and guidelines of relevant international bodies; (3) Recognize that high standards of privacy and data protection with regard to government access to privately held data, such as those outlined in the OECD Principles for Government Access to Personal Data held by Private Sector Entities, contribute to trust in the digital economy. Privacy professionals should take care to monitor these developments.
― Joseph Whitlock, Director, Policy and Executive Director, Global Data Alliance, based in Washington, DC