Data privacy and identity protection

Consumers are Greatly Concerned About Data Privacy

Data privacy and identity protection are top concerns among consumers. A recent report from Pew Research Center reveals that 81% of adults are concerned about how companies use the data they collect about them, and 71% are concerned about the government’s use of their data. Additionally, two-thirds of adults admit to having minimal to no understanding of how companies or the government handle their data privacy and identity protection.


Data Privacy and Identity Protection Preparedness

Source: Womble Bond Dickinson

  • 50% of U.S. and U.K. organizations feel “very prepared” to address data privacy laws in the U.S. and Europe
  • 50% of respondents doing business in the EU and/or UK say understanding the data held within their organization is a key hurdle
  • 34% of respondents understand data practices at their organization

What Changed in Data Privacy Laws in 2023?

Before we dive into what’s new in 2024, this is an overview of the data privacy laws that emerged in 2023.

Saudi Arabia Personal Data Protection Laws (PDPL)

Amendments to the Kingdom of Saudi Arabia (KSA) PDPL took effect on September 14, 2023, resolving implementation challenges and aligning the law with more international regulations. The Saudi PDPL is the country’s first federal, sector-agnostic data privacy law. It governs the processing of personal data within the Kingdom, encompassing activities conducted by foreign businesses in relation to individuals residing in the Kingdom.

Data controllers are granted a one-year ‘grace’ period, extending until September 14, 2024, to bring their processing activities in line with the PDPL and its implementing regulations. Following the conclusion of this grace period, the Saudi Data and Artificial Intelligence Authority (SDAIA) is anticipated to actively oversee and enforce compliance.

Canadian Personal Information Protection and Electronic Document Act (PIPEDA)

The Canadian Personal Information Protection and Electronic Document Act (PIPEDA) is a national privacy law for the private sector. In September 2023, Quebec’s Bill 64 introduced a private right of action for damages resulting from privacy infringements, emphasizing consent and data transparency. Notably, section 12.1 of Bill 64 mandates that enterprises using automated processing for decisions must inform the individual affected at or before the decision.

Bill 64 aligns with GDPR, lacking exceptions for cessation of dissemination, de-indexing, and re-indexing. While GDPR grants rights like restriction, objection, and the “right to be forgotten,” Quebec’s legislation does not include these specific provisions.

Canada’s Digital Charter Implementation Act, Bill C-27

On the path to becoming law in 2023 or 2024, Canada’s Digital Charter Implementation Act, Bill C-27, is currently under consideration in committee in the House of Commons. If passed, it would enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, while amending an existing data privacy law. User consent is a key requirement under the CPPA, with some exceptions based on “legitimate interests” related to business activities. Noteworthy provisions include the mandate to anonymize personal information, individuals’ rights to request data deletion, and portability of personal information.

Ultimately, the CPPA empowers Canada’s Office of the Privacy Commissioner to assess privacy programs and recommend corrective measures.

India Digital Personal Data Protection Act

India passed the Digital Personal Data Protection Act, 2023 (DPDP Act) to regulate the processing of users’ personal data. This legislation sets guidelines for organizations on handling personal data and empowers citizens with control over their collected information. The Act mandates entities to obtain express user consent for data processing, with exceptions. It designates certain entities as “Significant Data Fiduciaries” with increased compliance measures based on data volume and nature. Provisions include prohibiting behavioral monitoring and targeted advertising for minors. The Act establishes the Personal Data Protection Board to investigate breaches and address consumer inquiries. Violations may result in fines of up to $30 million.

What’s Ahead for Data Privacy Laws in 2024?

Several U.S. states enacted data privacy laws in 2023 that go into effect in 2024:

  • Oregon – takes effect July 1, 2024. The Oregon Consumer Privacy Act applies to entities conducting business in Oregon or offering products/services to Oregon residents that, in a calendar year, either control or process data of 100,000 or more consumers (excluding payment transaction data) or control or process data of 25,000 or more consumers while deriving 25% or more of their annual gross revenue from selling personal data.
  • Texas – takes effect July 1, 2024. The Texas Data Privacy and Security Act applies to businesses operating in Texas or providing products/services to Texas residents but excludes small businesses defined by the U.S. Small Business Administration (those with fewer than 500 employees). Although it doesn’t broadly apply to small businesses, the act includes a provision prohibiting them from selling sensitive data without obtaining prior consent from the consumer.
  • Montana – takes effect October 1, 2024. The Montana Privacy Act applies to entities conducting business in Montana or targeting Montana residents and processing personal data of at least 50,000 consumers or at least 25,000 consumers with more than 25% of gross revenue derived from the sale of personal data.

Quebec’s Law 25, also known as the Privacy Legislation Modernization Act, introduces its requirements in phases. Most of the requirements went into effect in September 2023; however, a third phase of requirements goes into effect in September 2024. Under the law, businesses must provide data subjects with collected personal information in a portable format upon request.

Stay on Top of Updated Data Security and Identity Protection

Adhering to the ever-changing landscape of global, regional, and sector-specific privacy and security mandates can be challenging. Secuvy gives customers full data visibility, enabling the discovery of ALL sensitive data assets, including dark and unstructured data within hours. Secuvy’s trailblazing advanced unsupervised machine learning algorithms put full data visibility at your fingertips through a single pane of glass resulting in renewed data agility and risk management.
