BDO's PrivacyWatch

Caribbean Privacy

• On June 30, 2023, the Argentinian data protection authority (AAIP) announced that the National Executive Power had sent the Personal Data Protection Bill to the National Congress of Argentina. In the new version of the bill, banks and credit institutions (with a new definition) playnow an active role in the disclosure of individuals’ credit information, being in charge of providing such information to the Central Bank of Argentina for its publication, as well as of keeping it updated and being liable to any objections. Read More
   
• On July 7, 2023, the Brazilian data protection authority (ANPD) announced that it has initiated studies to analyse the processing of personal data by Meta Platforms, Inc. via its recently launched social network, Threads. The ANPD explained that this came in response to concerns raised by the press and by data protection experts about possible violations of the General Data Protection Law (LGPD) by the new social network.

Global Privacy

• EU-US DPF: Commission adopts adequacy decision on EU-US DPF: On July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF). The adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without the need to obtain any further authorization. On July 17, 2023, the Department of Commerce (DoC) International Trade Administration launched its EU-U.S. DPF website. Companies are now able to review the key requirements for participating organizations, including how to join the program and how to recertify.
   
• Oregon, USA: Bill on Data Brokers passed by Senate: The Oregon State Senate approved House Bill No. 2052, which pertains to the registration of companies that can act as data brokers. The Bill was then forwarded to the Governor of Oregon for approval. According to the Bill, Data Brokers would have to register with the Oregon Department of Consumer and Business Services (DCBS) and submit specific information, including their name and primary mailing, email, and website addresses. Additionally, the Bill would exclude several companies from the DCBS registration requirements, including data brokers who gather, sell, or license publicly available data as well as those that issue emergency alerts.
   
• South Korea: PIPC fines Meta KRW 6.5 billion and Instagram KRW 886M for PIPA violations related to collection and use of behavioural information of online users: The Personal Information Protection Commission (PIPC) of South Korea announced (available only in Korean) that it has imposed fines of approximately $5 million and $700,000 on Meta Platforms Ireland and on Instagram LLC respectively. These were the result of an investigation which found both entities in violation of the Personal Information Protection Act (PIPA), particularly around the collection and use of behavioural information of online users.
   
• China: TC260 publishes cybersecurity standard requirements for 2023: The National Information Security Standardization Technical Committee (TC260) announced the publication of cybersecurity national standard requirements (available only in Chinese) for 2023. The TC260 published a list of cybersecurity national standard requirements, including the name, content, and intended aim of each standard. The standards included establishing technical requirements for products that can screen and control information, stipulating requirements for products that can identify and block denial of service attacks, and proposing technical requirements for USB products, including identity authentication and trusted access mechanisms between storage devices and a host.

Industry Updates

• Zero Knowledge Proof and Data Protection: A cryptographic protocol called Zero Knowledge Proof enables users to demonstrate their knowledge or the validity of a particular information without disclosing the supporting documents or facts. Information protection in the event of a cyber breach is one of the main advantages of this technology. Traditional security methods frequently keep private information in centralized databases or servers, making them potential targets for cybercriminals looking for valuable data. However, organizations adopting Zero Knowledge Proof do not have to keep sensitive data in a risky centralized location; as a result, they completely avoid the risk, making their corporate data assets useless to hackers even if they are able to access the organization's systems.