Since welcoming the start of the new year, data privacy practitioners worldwide have seen major developments including, key rulings concerning employee data and workplace monitoring, major fines issued for data breaches, emerging legislative changes, and proposed growth opportunities in the realm of artificial intelligence.  

The UK has seen government push for the development of AI, recently publishing the AI Opportunities Action Plan to reinforce the country’s commitment to a pro-innovation regulatory approach. Additionally, the Information Commissioner’s Office have reprimanded an NHS Trust for failing to respond to subject access requests promptly, highlighting the importance of prioritising data management practices.  

In Belgium, the Data Protection Authority (‘DPA’) issued warnings to employers for unlawfully restricting access to their timesheets and failing to promptly close business mailboxes after employment contracts were terminated. The DPA has also provided clarity on the use of cookie banners, confirming that users should be provided with all options in an equivalent manner. In Cyprus, the Data Protection Commissioner ruled against excessive data collection in job applications, reinforcing the principle of data minimisation. France has been active in enforcing data privacy laws, with the CNIL (the Commission Nationale de l’Informatique et des Libertés) imposing substantial fines for excessive surveillance of employee activity and unsolicited marketing practices.  

There has also been a collection of fines levied against major tech enterprises, with Ireland’s Data Protection Commission fining LinkedIn EUR 310 million for unlawful data processing and targeted advertising, the Italian Garante fining OpenAI EUR 15 million for various data privacy violations related to its ChatGPT service, and the Dutch DPA fining Netflix EUR 4.75 million for failing to provide clear and sufficient information to their customers in its privacy policy.  

Across the globe, the Indian government has released draft data protection rules to facilitate the implementation of the new data protection law, focusing on notice and consent obligations, information security safeguards, breach reporting, data retention mandates and data subject rights. Whilst in Brazil, we have seen the introduction of new regulations for Data Protection Officers, clarifying requirements and workplace data governance.  

In Singapore, the Personal Data Protection Commission clarified the test for defence under the Personal Data Protection Act, and in Türkiye, new guidelines on the transfer of personal data abroad were published. Ukraine saw a rare criminal proceeding for the unlawful use of personal data on the internet, resulting in a fine for the offender. 

Discover these and many more updates in our March Workplace Data Privacy Update which can be downloaded here.