Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

Here’s a quick recap of last week’s top privacy industry headlines:

  1. The data protection authorities of Belgium and France have each released reports on their enforcement efforts in the first six months of the GDPR. In total, the countries reported receiving over 1,000 data breach notifications, over 6,500 complaints, and over 35,000 DPO appointments. Additionally, the CNIL noted that 66% of French citizens who were surveyed said they were more sensitive to data protection now, after the GDPR, than in recent years.
  2. A recent report detailed the Chinese government’s practice of using local laws to push electric car manufacturers to send them the location data of electric vehicles within the country. The report states that over 200 different manufacturers deliver location information and other data to Chinese government monitoring centers without user permission. While the Chinese government insists that the data is used only for improving public safety and innovation, critics speculate that the data is also being used for tracking vehicles as a form of state surveillance. According to the report, automakers are sending over 61 different data points, including location, vehicle identification number, make and model, mileage, battery charge and engine function.
  3. Nine different human rights and civil liberties organizations sent a letter to the U.S. Justice Department objecting to a potential agreement between the United States and the United Kingdom that would give British law enforcement officials broad access to data held by U.S. technology companies. The proposed agreement, which stems from the U.S. CLOUD Act, would allow UK law enforcement officials to order U.S. tech companies to produce data about individual users without a warrant, so long as the search target is not a U.S. citizen or resident. However, critics of the proposal say it could also put the privacy of Americans at risk and lead to potential Fourth Amendment abuses in scenarios where communications between a targeted British citizen and an American citizen could be turned over to British law enforcement, creating potential loopholes for U.S. law enforcement officials to obtain data without a warrant.
  4. FTC commissioners were questioned during a recent U.S. Senate hearing on Capitol Hill. The commissioners were questioned on a number of different topics, but the majority of the hearing was focused on data privacy and whether the FTC has adequate resources and the powers necessary to enforce properly. Overall, the U.S. Senate Subcommittee agreed that the FTC needed more of both in order to do its job properly, but the senators also expressed frustration over an apparent lack of progress on some of the FTC’s most notable investigations. The question of whether the U.S. needs comprehensive federal privacy legislation, akin to the GDPR, was also discussed in the hearing, including the question of preemption of state law, and how such a law could potentially give the FTC the increased enforcement authority it desires, such as the ability to seek civil penalties.
  5. The country of Serbia has enacted a new data protection law that will take effect on August 21st, 2019. The law is heavily based on the GDPR, similarly addressing extra-territorial scope, data protection officers, new data subject rights, consent, data security, privacy by design and DPIAs, breach notification, and cross-border data transfers. Potential fines under the Serbian law are significantly lower than under the GDPR, with the maximum fine reaching an equivalent of 17,000 euros, as opposed to the GDPR’s 20 million euros or 4% of annual global turnover.
  6. The European Data Protection Board released draft guidelines on the territorial scope of the GDPR. The guidelines address many questions about when and to what degree the GDPR applies to organizations, when a data subject is protected under the GDPR, as well as the obligations of non-EU-based companies to establish representatives in the EU. The guidelines also use many real-world examples to help provide clarity in explaining the EDPB’s answers to these many questions. The guidelines will now undergo public consultation, so be sure to get your remaining questions in to the EDPB as they work to further refine a very important piece of regulatory guidance on the GDPR.

That’s all for this week. Be sure to join us next week for Last Week in Privacy.

Wanting more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.