Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.


Here’s a quick recap of last week’s top privacy industry headlines:

  1. Brazil’s new data protection bill has been signed into law. The Brazilian General Data Protection Law is heavily influenced by the EU’s GDPR, taking a risk-based approach to compliance, and includes new rights for individuals, as well as requirements around records of processing, data protection impact assessments, breach notifications and more. There were also several items in the original text of the bill that were vetoed by the President, including a provision that would have created a new national data protection authority in the country. However, government officials have stated that the creation of a DPA will be handled in separate legislation. The Brazilian General Data Protection Law is expected to go into effect in February of 2020, giving organizations time to adapt their programs to meet the new requirements.
  2. In the United States, the NIST Small Business Cybersecurity Act has been signed into law. The law requires the director of the National Institute of Standards and Technology, a division of the Department of Commerce, to issue guidance and resources to help small and medium-sized businesses address cybersecurity risks. The law calls on NIST to simplify its guidance for SMEs and to ensure that it remains technology-neutral and includes elements that promote awareness of basic controls, a culture of cybersecurity in the workplace and security in third-party relationships. According to government officials, the law will provide tools to smaller organizations that previously thought that NIST compliance was too costly or complex to achieve.
  3. The Australian government has proposed a new law that would force tech companies to hand over encrypted data to law enforcement authorities who obtain a warrant to access the data. Penalties for non-compliance include fines of up to $7.3 million and jail time. The Australian government says the law is intended to target platforms that could be used for criminal activities or to plan terror attacks. The law is currently still a draft and has yet to be presented in the Australian parliament.
  4. Australia has appointed a new information and privacy commissioner. Angelene Falk, who has been the acting commissioner since the retirement of former chief Timothy Pilgrim in March, has officially taken up the role. In making the appointment, Australian Attorney General Christian Porter cited Falk’s extensive experience and track record in the Commissioner’s Office, as well as her role in setting up Australia’s notifiable data breaches scheme and in reforming Australia’s Privacy Act last year.
  5. In a column for The Washington Post, European Data Protection Supervisor Giovanni Buttarelli provided an analysis of the GDPR. In the column, Buttarelli acknowledges that EU regulators are recognizing the “great efforts at compliance” by organizations, but that the spirit of the law has been somewhat overlooked. Buttarelli goes on to examine several areas of GDPR compliance, namely in the area of consent, which he states should be used with care as “asking for consent often signals that a party wants to do something with personal data that the individual may not be comfortable with or might not reasonably expect.” Buttarelli also noted that 30 different cases of alleged GDPR violations are already being investigated by EU supervisory authorities, and that we should expect to see the first results of those investigations before the end of this year.
  6. Kenya’s ICT Ministry has drafted a national data protection bill. The bill includes rules on how personal data may be collected, used, shared and stored by data handlers, and includes a fine of $50,000 or a five-year jail term for violations. The bill would also require data controllers to obtain consent prior to processing, includes data subject rights to rectification and deletion of personal data and calls for the appointment of a Data Protection Commissioner to provide oversight and enforcement.

That’s all for this week. Be sure to join us next week for Last Week in Privacy.

Want more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.