Quarterly Privacy Law Update | Q3 2024

7 October, 2024


Europe

The Federal Council of Switzerland has approved the Swiss-US Data Privacy Framework, which enables the secure transfer of personal data from Switzerland to certified companies in the United States. Effective from September 15, 2024, this framework recognizes that certified US entities meet an adequate level of data protection for Swiss personal data, aligning with Switzerland’s privacy standards. As a result, personal data can be transferred from Switzerland to qualifying US companies without the need for additional transfer safeguards, such as Standard Contractual Clauses, similar to the EU-US Data Transfer Framework.

  • Guidance and Tools from Data Protection Authorities
  • Dutch Data Protection Authority Imposes Major Fines for Data Privacy Violations 

In August 2024, the Dutch DPA fined Uber €290 million for unlawfully transferring taxi drivers’ sensitive personal data, including location, payment details, and medical records, to US servers without implementing the required Standard Contractual Clauses after the EU-US Privacy Shield’s invalidation. The Dutch DPA also fined Clearview AI €30.5 million for unlawfully collecting and processing billions of biometric images of individuals, including Dutch citizens, without consent. Clearview AI’s invasive practices violated the GDPR, and the company has faced additional sanctions across Europe, including previous fines from France and Austria.

The Polish DPA (UODO) advised controllers on reporting data breaches in the wake of the recent global cloud service outage. The guidance clarifies that a report only needs to be made if an outage poses a risk to the rights and freedoms of data subjects due to the inaccessibility of the cloud services. Since not every service outage infringes such rights and freedoms, the UODO stressed the importance of conducting a risk assessment in each case to determine whether or not reporting is required.

In September 2024, the Advocate General of the CJEU published an opinion clarifying that data subjects requesting information about the logic involved in an automated decision have a right to receive the methods and criteria used by the algorithm to reach its decision. The information must be presented in a way that enables the data subject to see a connection between the input and the output of the algorithm and cannot be presented in a way that is too technical. Controllers cannot use complexity as a justification to withhold information. In cases where trade secrets may be impacted, supervisory authorities or courts should balance the interests and determine the scope of the access.


US

In June 2024, Rhode Island passed a comprehensive privacy law aimed at businesses that target Rhode Island residents. The law applies to entities that, in the previous calendar year, either controlled or processed personal information of at least 35,000 Rhode Island residents or controlled or processed personal information of at least 10,000 residents and generated over 20% of their gross revenue from the sale of personal information. Rhode Island’s privacy law, effective January 2026, stands out by omitting data minimization and universal opt-out requirements. However, it imposes stringent privacy notice requirements on any website or service provider conducting business within Rhode Island’s jurisdiction, regardless of whether the specific thresholds are met.

  • US States Pass Laws to Protect Minors

In June 2024, New York passed two laws to protect minors online. The Stop Addictive Feeds Exploitation for Kids Act restricts social media platforms from providing addictive content to users under 18 and limits notifications to minors at nighttime, unless parental consent is obtained. The New York Child Data Protection Act prohibits the processing of personal data for users under 13 unless allowed by the Children’s Online Privacy Protection Act (COPPA) and requires informed consent for processing data of users aged between 13 and 18 (except if such processing is strictly necessary for certain listed purposes). The law takes effect in June 2025.

Louisiana also passed a law in June 2024 banning social media platforms with over 1 million users from displaying targeted advertising to Louisiana residents under the age of 18 and from selling their sensitive personal data, effective July 2025.

California’s AB 1949 prohibits businesses from collecting, using, or disclosing minors’ personal information without proper consent. For consumers aged 13 to 18, the individual must provide affirmative authorization for data collection, while for those under 13, consent must be obtained from the parent or guardian of the consumer.

The New York Attorney General’s investigation revealed that many websites continued tracking users despite the privacy controls they had implemented, some of which were misleading. The investigation resulted in the publication of guidance emphasizing the need for businesses to ensure that their tracking practices align with what they disclose, focusing on common problems like misconfigured tools and miscategorized cookies. Businesses were advised to assign dedicated personnel to manage tracking technologies and to conduct thorough assessments before implementation. This serves as a reminder that simply having privacy controls in place is not enough; businesses must ensure they are effective and accurate.
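The mismatches the Attorney General describes (tags firing before consent, cookies placed under the wrong category, cookies that appear on the site but nowhere in the cookie notice) are exactly what a pre-launch assessment should catch. The following is an added illustration, not code from the original publication or from any regulator: it compares a constructed cookie table (the categories a hypothetical site discloses in its notice) with a constructed record of the cookies a browser actually received, given the visitor's consent choices. The cookie names, domains and the `site_domain` parameter are all assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedCookie:
    """One cookie as actually received by the browser during a test visit."""
    name: str
    domain: str                # host the cookie was set for
    set_before_consent: bool   # True if it appeared before the visitor answered the banner


# Constructed cookie table, as a hypothetical site's cookie notice might disclose it.
DECLARED_COOKIES = {
    "session_id": "necessary",
    "pref_lang": "necessary",
    "_ga": "analytics",
    "_fbp": "advertising",
    "cdn_token": "necessary",
}

# Constructed observation of one visit (made up for this example).
OBSERVED_COOKIES = [
    ObservedCookie("session_id", "shop.example", set_before_consent=True),
    ObservedCookie("_ga", "shop.example", set_before_consent=True),
    ObservedCookie("_fbp", "shop.example", set_before_consent=False),
    ObservedCookie("cdn_token", "tracker.example-ads.net", set_before_consent=True),
    ObservedCookie("tr_id", "tracker.example-ads.net", set_before_consent=True),
]


def audit_tracking(consent, declared, observed, site_domain):
    """Return (cookie name, finding) pairs where practice diverges from disclosure.

    consent:  category -> bool, the choices the visitor made in the banner
    declared: cookie name -> category, as published in the cookie notice
    observed: cookies actually set during the test visit
    """
    findings = []
    for cookie in observed:
        category = declared.get(cookie.name)
        if category is None:
            # Set on the site but absent from the notice: disclosure is incomplete.
            findings.append((cookie.name, "undisclosed"))
            continue
        if category == "necessary":
            # Heuristic for miscategorisation: a "strictly necessary" cookie placed
            # by a third-party host deserves a second look before launch.
            if not cookie.domain.endswith(site_domain):
                findings.append((cookie.name, "possibly miscategorised"))
            continue
        if not consent.get(category, False):
            findings.append((cookie.name, f"no consent for {category}"))
        elif cookie.set_before_consent:
            # Consent was eventually given, but the tag had already fired.
            findings.append((cookie.name, f"set before consent ({category})"))
    return findings


if __name__ == "__main__":
    visitor_consent = {"analytics": True, "advertising": False}
    for name, finding in audit_tracking(visitor_consent, DECLARED_COOKIES,
                                        OBSERVED_COOKIES, "shop.example"):
        print(f"{name}: {finding}")
```

The third-party-domain heuristic is only a prompt for review; the person the guidance says should own tracking technologies still has to confirm the category with whoever placed the cookie.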

The FTC has published an article providing clarification on its stance on “anonymous data” in the context of hashing. The FTC found that hashing, which converts data, such as email addresses or phone numbers, into seemingly random numbers, is often misrepresented by companies as a method of anonymizing data. The FTC emphasizes that hashed data can still be traced back to individuals, meaning it is not anonymous. Companies should therefore not claim that hashing personal information renders it anonymous.
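The FTC's point can be shown in a few lines. The example below is added here and is not taken from the FTC article or the original publication; the e-mail addresses and the key are constructed values. Unkeyed SHA-256 of a normalised e-mail address is fully determined by the address, so anyone who holds a list of candidate addresses can hash them the same way and match; the hash is a pseudonym, not anonymisation. A keyed hash (HMAC with a secret key) defeats that matching for parties without the key, but the key holder can still link and re-identify, so the output remains personal data in the key holder's hands.

```python
import hashlib
import hmac

# Constructed sample "hashed list" input (not real addresses).
CUSTOMER_EMAILS = [
    "alice@example.com",
    "Bob@Example.org",
    "carol@example.net",
]


def normalise(identifier: str) -> str:
    """Vendors normalise before hashing so that matches line up across parties."""
    return identifier.strip().lower()


def sha256_hex(identifier: str) -> str:
    """Plain, unkeyed SHA-256 of the identifier: the scheme often sold as 'anonymous'."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def build_hashed_list(emails):
    return [sha256_hex(e) for e in emails]


def reidentify(hashed_list, candidate_emails):
    """Match a hashed list against candidate identifiers hashed the same way.

    Returns {hash: original identifier} for every hash that was recovered.
    Any party with a plausible candidate list can do this, which is why the
    FTC does not treat such hashes as anonymous.
    """
    lookup = {sha256_hex(e): normalise(e) for e in candidate_emails}
    return {h: lookup[h] for h in hashed_list if h in lookup}


def hmac_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed alternative: without the key an outsider cannot rebuild the table."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def build_keyed_list(emails, key: bytes):
    return [hmac_pseudonym(e, key) for e in emails]


if __name__ == "__main__":
    hashed = build_hashed_list(CUSTOMER_EMAILS)
    candidates = CUSTOMER_EMAILS + ["dave@example.com"]
    print("recovered from plain hashes:", reidentify(hashed, candidates))

    key = b"constructed-secret-key-held-only-by-the-controller"
    keyed = build_keyed_list(CUSTOMER_EMAILS, key)
    print("recovered from keyed hashes:", reidentify(keyed, candidates))
```

The takeaway for a privacy notice is the one the FTC draws: describe the hashed or keyed values as pseudonymised and keep them under the same controls as the data they derive from, rather than claiming they are anonymous.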


Israel

On August 5, 2024, the Israeli Parliament (“Knesset”) definitively approved Amendment 13 to the Israeli Protection of Privacy Law-1981 (respectively, the “Amendment” and the “Privacy Law”). The Amendment will come into effect on August 14, 2025.

Following the adoption of the Amendment, certain entities subject to the Privacy Law will be obligated to appoint a DPO. The Amendment significantly scales back the applicability of the obligation to register databases in Israel, while substantially increasing the Privacy Protection Authority’s (the “PPA”) supervisory and enforcement powers. The Amendment establishes enhanced administrative enforcement mechanisms, including warning notices and significant monetary penalties, and for the first time vests the PPA with the ability to assess substantial financial penalties due to failure to comply with the Protection of Privacy Regulations (Data Security)-2017 (“Data Security Regulations”). For a more comprehensive review of the Amendment, read here.

Under the Protection of Privacy Regulations (Transfer of Information to Databases outside of the State’s Boundaries)-2001 (“Data Transfer Regulations”), a legal basis is required for data transfer from Israeli databases to a location outside the State of Israel. Among the various listed legal bases, Regulation 2(4) includes data transfer to an entity committed to uphold the obligations with respect to personal data under Israeli law, with the necessary adaptations. The PPA’s draft opinion paper dated September 15, 2024, states that such adaptations may include compliance with ISO/IEC 27001 instead of strict compliance with the Israeli Data Security Regulations. Conversely, matters such as data subject inspection and correction rights must be provided in full accordance with Israeli law. Notably, the leniencies listed do not apply in connection with transfer to a processor, in which case strict compliance with Israeli law is still required.

On September 3, 2024, the PPA published Directive 1/2024 (“BOD Directive”) delineating the obligations of the board of directors in connection with a company’s compliance with the Data Security Regulations. The BOD Directive only applies to companies in which processing of personal data is at the core of their activities or whose activities create increased risk to data subjects’ privacy rights, as determined by the characteristics of the company, the types of data processed, the number of data subjects whose data is processed and the number of persons authorized to access the data within the company. In such a company, the board of directors is required to ensure the drafting of an internal policy with respect to compliance with the requirements of the Data Security Regulations. The policy must define effective control, supervision and compliance processes for the company. The board is required to determine the identity of the persons responsible for its implementation. The board of directors is also responsible for ongoing supervision of compliance with the policy. The BOD Directive emphasizes that the imposition of the listed obligations on the board of directors does not exempt management or the CEO from their obligations under law.

____________________

This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
 
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.
