Welcome to Last Week in Privacy! Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

  1. Egypt has passed its first-ever data protection law. The law, which was approved last week, will create new data privacy protections for all Egyptian citizens and EU citizens located in Egypt. In general, the law requires organizations to obtain consent from individuals before collecting, processing or disclosing their personal data, and failure to comply with the law’s requirements can result in fines and even imprisonment in some cases. The law also establishes a new data protection authority in Egypt, known as the Centre for Personal Data Protection, which will be responsible for enforcement, as well as licensing the processing of sensitive personal data as well as transfers of personal data to foreign countries.
  2. South Korea has amended its data protection law to require companies to obtain explicit consent from parents or legal guardians of children under age 14. The revised law will go into effect in 2020. The law specifies that companies can obtain parental consent via text, payment information, or authentication through smartphone, followed by the company sending a written confirmation back to the parent. Violations of the new consent requirement can result in fines of up to 3% of annual revenue, in addition to administrative penalties.
  3. The Italian data protection authority announced that it has approved a code of conduct under the General Data Protection Regulation. In particular, the Code of Conduct identifies the adequate guarantees and methods that data controllers and processors in the commercial information and credit management sector should implement when processing personal data to protect the rights of data subjects. The Code of Conduct states that adhesion to the Code of Conduct may be used as an element to demonstrate compliance with the GDPR.
  4. The UK Information Commissioner’s Office fined mobile network operator EE Limited 100,000 pounds for unsolicited direct marketing messages. In particular, the ICO outlined that EE Limited was found to have sent over 2.5 million text messages to its customers from February to March 2018 in order to encourage them to access and use the ‘My EE’ app to manage their accounts and upgrade their devices. The ICO noted that this was a violation of the UK Privacy and Electronic Communications Regulations, and also outlined that although EE had argued that the texts were sent as service messages and were therefore not covered by e-marketing rules, the messages contained direct marketing content and the company sent them deliberately.
  5. In the United States, a bipartisan pair of senators announced a plan to introduce new legislation that would require tech companies to disclose the value of their users’ data. Specifically, the draft bill states that companies with over 100 million monthly users would have to not only disclose the types of data collected and how it is used, but also provide an assessment of the value of that data at least once every 90 days. Companies would also have to provide an annual report with the Securities and Exchange Commission detailing the aggregate value of all of their users’ data, any contracts with third party data processors, how revenue is generated from user data, and the measures taken to protect the data. The bill would also direct the SEC to develop methods for calculating the value of user data based on different factors, and require companies to allow individuals to delete their personal data.

That’s all for now. Thanks again for watching Last Week in Privacy, helping you to prepare for this week in privacy. See you next time.