Welcome to Last Week in Privacy! Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

  1. Australian lawmakers passed a bill to amend current data protection laws in Australia to include a right to data portability for consumers. The bill will allow individuals and businesses to access and transmit their data, and contains stronger provisions on privacy safeguards than those contained in the current Privacy Act of 1988, including mandatory breach notification and increasing the enforcement powers of Australia’s data protection authorities. Currently, the Australian Government has committed to begin applying the consumer data right to the banking, energy and telecommunications sectors, but seeks to eventually apply it across all sectors of the economy.
  2. The UK Information Commissioner’s Office announced that it has selected its first participants for its regulatory sandbox. According to the ICO, the sandbox aims to support the use of personal data in innovative products and services as part of its three-year technology strategy. The ICO highlighted that the first selected projects include the use of biometrics to speed up airports, and technological advances in healthcare. In addition, the ICO outlined how it will support selected organizations by providing expertise and advise on privacy by design to help mitigate risks as the participants test their innovations.
  3. The Governor of New York has signed two new cybersecurity bills into law. First, the Stop Hacks and Improve Electronic Data Security (or SHIELD) Act will broaden the definition of a data breach, expand the scope of information subject to current data breach notification law in New York, create reasonable data security requirements for organizations, and empower the New York Attorney General to bring enforcement actions over privacy violations. In addition, the Identity Theft Bill amends the New York General Business Law and provides that when a breach of security of a consumer credit reporting agency’s system has occurred, the agency must offer reasonable identity theft prevention and mitigation services where applicable and at no cost to consumers.
  4. Delaware’s Governor signed the Insurance Data Security Act into law. The Act requires insurance companies to implement information security programs, conduct risk assessments, and to notify the Delaware Insurance Commissioner within three business days and impacted consumers within 60 days of confirmed data breaches. Finally, the Act requires that insurers offer free credit monitoring services for one year to consumers impacted by data breaches, and provides the Commissioner with the power to investigate any insurer to determine whether they are in violation of the Act.
  5. The Governor of Connecticut also signed an insurance data security bill into law which requires covered organizations to implement comprehensive information security programs. In addition, the law requires risk assessments, the designation of an information security officer, board oversight obligations, incident response plans, and vendor management requirements. The new law will take effect on October 1st, 2020.
  6. U.S. Senator Josh Hawley introduced a new bill titled the Social Media Addiction Reduction Technology Act (or “SMART” Act). The bill would ban certain social media features that are designed to be addictive, such as infinite scroll, autoplay, and certain “achievement”-centered features within platforms. The bill also includes new consent requirements, would require in-app tools for users to monitor their time spent on social media across devices, and would create a uniform standard for social media platforms to use the same formats, fonts and sizes for notice and consent tools.

That’s all for now. Thanks again for watching Last Week in Privacy, helping you to prepare for this week in privacy. See you next time.