Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.


Here’s a quick recap of last week’s top privacy industry headlines:

  1. California is set to become the first U.S. state to enact a law that specifically regulates internet of things devices. The California legislature has passed a bill that, if signed, would create information security requirements for any device that connects either directly or indirectly to the Internet and has an IP or Bluetooth address. Specifically, the bill calls for device manufacturers to equip devices with reasonable and appropriate security features designed to protect against breaches of personal information. The bill does provide two examples of what a ‘reasonable security feature’ might be, but those examples are limited to password security when users access new devices for the first time. The bill now goes to California Governor Jerry Brown for signature, and if enacted would come into effect on January 1st, 2020, the same day as the recently enacted California Consumer Privacy Act.
  2. The UK Information Commissioner’s Office recently stated that many organizations are over-reporting minor personal data breaches that do not need to be reported. According to deputy commissioner James Dipple-Johnstone, the Commissioner’s Office has received around 500 calls per week to its breach reporting hotline since the GDPR took effect on May 25th, and about one-third of the incident reports it has received are not reportable breaches under the GDPR. According to Article 33 of the GDPR, personal data breaches must be reported to the competent supervisory authority unless they are unlikely to result in a risk to the rights and freedoms of individuals. The deputy commissioner said that the ICO anticipated that over-reporting would happen early on under the GDPR but that it would be working with organizations to try to discourage over-reporting in the future as everyone becomes more familiar with the new reporting threshold set by the GDPR.
  3. EU institutions and bodies will be facing stricter data protection rules after lawmakers approved new rules for data processing that are intended to align with the GDPR and proposed e-privacy rules. The updated rules strengthen the role of the European Data Protection Supervisor in enforcing data protection requirements against public sector entities, including giving the EDPS the ability to levy fines against EU institutions and bodies for violations. The rules are now awaiting formal approval by the Council of the EU.
  4. India will be waiting until 2019 for action to be taken on its draft Personal Data Protection Bill. According to recent reports, the Bill is likely to be tabled during the winter months and not passed until after the 2019 general elections next spring. India’s IT Ministry has also extended the public consultation period for the law until September 30th, giving the public more time to send in their comments and suggestions for the draft law.

That’s all for this week. Be sure to join us next week for Last Week in Privacy.

Wanting more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.