Below are snapshots of recent global updates courtesy of Nymity Research.
Best Practices: LGPD Compliance Checklist for Small and Micro-Businesses
The IDEC encourages businesses to establish breach notification procedures, appoint a DPO, determine the legal bases for processing (use purpose of processing as a guide), create various policies for data subjects and employees (privacy, cookies, security, and data protection policies), train employees to ensure they understand their LGPD compliance obligations, create data retention periods, develop processes for data subject rights requests, and identify the risks of processing for data subjects.
Surveillance: Mexico Advocates Raise Privacy and Safety Concerns
There is concern about the use of Pegasus malware to spy on human rights defenders, journalists, and government opponents; the advocates call on private companies to respect human rights, call on the Government of Mexico to investigate the use of the surveillance technology to protect the right to privacy and the freedom of expression, and call for a moratorium on the sale, transfer and use of this type of technology.
Legislation: Baltimore City Ordinance Prohibits Face Surveillance
Effective September 15, 2021 until December 31, 2022, the City of Baltimore may not purchase or otherwise obtain a face surveillance system (including through a contract with another entity or individual), and an entity may not obtain, access or use in Baltimore City a face surveillance system or information derived from such a system; violations will be treated as a misdemeanor and subject to a fine of $1,000 and/or imprisonment up to 12 months (each day of violation constitutes a separate offense).
Legislation: China Enacts Comprehensive Personal Information Protection Law
Effective November 1, 2021, personal information processing within Chinese territory, and processing outside China (when concerning natural persons within China), are subject to the PIPL; PI processors (those that may autonomously decide processing purposes) must generally obtain consent for processing unless an exception applies (contractual relationship, HR management, statutory duties, public health/emergency response, news reporting, already disclosed), and must follow prescribed requirements for providing notice, entrusting processing to another processor, implementing safeguards, conducting PIAs, facilitating rights to access, correct, transfer and delete data, use of surveillance, restrictions on lawful disclosure and cross-border transfers.