As 2024 comes to an end, it’s time to reflect on the year’s advancements in privacy, cybersecurity and AI governance. From new legislation to guidelines on ethical AI and a large number of landmark legal actions, this year underscored the global effort to balance innovation with responsibility and ethics. Here are some of the key regulatory updates and legal actions that had a significant impact on the data privacy and AI landscapes this year:
Regulatory and Policy Updates
1. EU AI Act Enacted
The European Union Artificial Intelligence Act (AI Act) was finalised in the first half of 2024 and published in the Official Journal of the European Union on 12th July 2024. The Act officially took effect on August 1st, 2024. The Act, which aims to ensure that AI applications deployed in the EU market are safe, ethical, and trustworthy, adopts a risk-based approach to regulating AI. It will become applicable in a phased manner, with the first set of compliance requirements becoming mandatory from February 2025. A major portion of the Act is set to become applicable by August 2026, and the Act in its entirety shall become applicable by August 2027.
Read our newsletter and blog post to know more.
2. SEBI’s New Cybersecurity and Cyber Resilience Framework
On 20th August 2024, the Securities and Exchange Board of India (SEBI) issued a new Cybersecurity and Cyber Resilience Framework for SEBI-regulated entities. The framework was developed with the objective of tackling evolving cyber threats, aligning with industry standards, promoting effective audits, and fostering compliance among regulated entities.
Read our newsletter here to know more.
3. KSA PDPL Now in Full Effect
Saudi Arabia’s Personal Data Protection Law (KSA PDPL), which was issued in September 2021 and further amended in March 2023, came into force on 14th September 2023 with a one-year transition period for businesses to become compliant with its provisions. This period officially ended in 2024, and the PDPL became fully enforceable on 14th September 2024. To supplement the primary legislation, the SDAIA also published the Implementing Regulations and the Regulation on Personal Data Transfer outside the Kingdom (the cross-border data transfer regulations) on 7th September 2024. These regulations became applicable along with the primary legislation on 14th September 2024.
Click here to learn more about compliance requirements under KSA PDPL.
To understand the core provisions of the cross-border data transfer regulations, click here.
4. CSA’s Guidelines on Securing Artificial Intelligence Systems
In October 2024, the Cyber Security Agency (CSA) of Singapore released Guidelines on Securing Artificial Intelligence Systems, accompanied by a Companion Guide, to help organizations manage cybersecurity risks across the AI lifecycle. The guidelines emphasize risk assessments, continuous monitoring, and tailored security measures at each stage: planning, development, deployment, operation, and end-of-life. The Companion Guide provides practical security measures, including testing, adversarial training, and defensive techniques, to enhance AI system resilience and minimize risks, ensuring safe AI adoption and deployment.
To know more about these guidelines, read our blog here.
5. The EU Cyber Resilience Act Enters into Force
The EU Cyber Resilience Act (CRA) aims to enhance cybersecurity for products with digital elements, such as IoT devices, by imposing common cybersecurity standards. The CRA also mandates that manufacturers ensure cybersecurity throughout the product lifecycle, including third-party assessments for critical products. It includes requirements for incident reporting and automatic security updates. The CRA was adopted by the European Parliament and the Council in October 2024 and entered into force on December 10, 2024. This regulation seeks to improve the overall cyber resilience within the EU.
6. South Korea’s Landmark AI Act
On 26th December 2024, the South Korean National Assembly passed the Basic Act on the Development of Artificial Intelligence and the Establishment of Trust (the AI Act), making South Korea the second jurisdiction after the EU to officially pass a comprehensive AI regulation. The Act focuses on three main points: establishing an organizational system, with the National AI Committee and the AI Safety Research Institute, to promote AI policies; supporting AI development through research, academic data, and an AI data centre; and ensuring safety and reliability for high-risk and generative AI.
Legal Actions
1. LinkedIn Fined €310 Million by the Irish DPC
On 24th October 2024, the Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn for violating the General Data Protection Regulation (GDPR). The violations included breaches of lawfulness, fairness, and transparency, as LinkedIn’s data processing lacked a valid legal basis, provided insufficient information to users, and unfairly disadvantaged them. Additionally, LinkedIn failed to validly rely on any of the necessary legal bases for processing personal data as required under Article 6 of the GDPR. In response to these violations, the DPC imposed several corrective measures and penalties on LinkedIn, including an official reprimand and three fines totalling €310 million. Furthermore, LinkedIn was ordered to bring its data processing practices into compliance with the GDPR within three months.
Want to know more? Click here!
2. €30.5 Million Fine on Clearview AI for GDPR Violations
In May 2024, the Dutch Supervisory Authority (SA) fined Clearview AI €30,500,000 and issued four compliance orders for ongoing violations of the GDPR following an ex officio investigation and complaints about data subject rights. Clearview unlawfully processed personal data of individuals in the Netherlands without a valid legal basis (Articles 5(1)(a) and 6(1) GDPR) and biometric data, a special category of personal data (Article 9(1) GDPR). The company also failed to adequately inform data subjects (Articles 12(1), 14(1) & (2), and 5(1)(a) GDPR) and did not respond to access requests or facilitate the exercise of data subject rights (Articles 12(2) & (3) and 15 GDPR). Furthermore, Clearview violated Article 27(1) GDPR by not appointing an EU representative. The SA imposed the penalty to address these significant breaches and ensure compliance.
You can read more about this by clicking here!
3. CCI’s WhatsApp Ruling
The Competition Commission of India (CCI) recently imposed a fine of ₹213.14 crore on Meta, the parent company of WhatsApp, for unfair business practices related to WhatsApp’s 2021 privacy policy update. The policy required users to accept terms to retain their account information and outlined how user data would be shared with Meta and its subsidiaries. The CCI determined that this practice violated competition laws by exploiting WhatsApp’s dominant position to force user compliance, thus stifling competition and limiting user autonomy. While this ruling falls within the domain of competition law, it also highlights the increasing recognition of privacy in competition law and a broader emphasis on user autonomy over their data.
Click here to understand the impact of this ruling on privacy.
4. Italy Hits OpenAI with €15 Million Fine
On 20th December 2024, Italy’s data protection authority, the Garante, imposed a fine of €15 million on OpenAI after closing an investigation into the use of personal data by ChatGPT. It found that users’ personal data had been processed to train ChatGPT without an adequate legal basis and in violation of the principle of transparency required by the GDPR. It also found that OpenAI did not have a sufficient age verification procedure in place and had not implemented adequate safeguards to prevent children under 13 from accessing potentially inappropriate content generated by ChatGPT. The authority additionally required the company to run a six-month public awareness campaign in Italy to educate users about ChatGPT’s data collection practices. OpenAI described the fine as disproportionate and announced its intention to appeal.
As 2024 ends, it’s clear that this year marked a significant milestone in the evolution of privacy and AI governance. We look forward to what 2025 has in store for the world of data privacy and AI governance.
If you’re an organization dealing with copious amounts of data, do visit www.tsaaro.com.
News of the Week
1. Volkswagen Data Breach Exposes Personal Information of 800,000 EV Owners
Volkswagen experienced a major data breach exposing the location and personal information of 800,000 electric vehicle owners, caused by a misconfiguration at its software subsidiary, Cariad. The breach, discovered by the Chaos Computer Club, compromised GPS data, contact details, and other sensitive information, including that of politicians, police officers and high-profile individuals.
https://cybersecuritynews.com/volkswagen-data-breach/
2. Cyberhaven and Other Companies Targeted in Chrome Extension Hacks
Hackers compromised multiple Chrome browser extensions, including one from Cyberhaven, a data protection company, in a campaign starting mid-December. The attack on Cyberhaven, confirmed on Christmas Eve, targeted an extension used for securing web-based client data. Experts suggest the breaches were part of a broader effort to collect sensitive data from various Chrome extensions, including those related to AI and VPNs.
3. Meta’s WhatsApp Wins Lawsuit Against NSO Group
On 20th December 2024, U.S. District Judge Phyllis Hamilton in Oakland, California ruled in favour of Meta’s WhatsApp in a lawsuit against Israel’s NSO Group for exploiting a bug to install surveillance spyware on users’ devices. WhatsApp accused NSO of unauthorized access to its servers to install Pegasus spyware, affecting various persons including journalists and activists. The case now proceeds to trial for damages. Will Cathcart, WhatsApp’s head, described the ruling as a victory for privacy.
4. Salt Typhoon Attack: Ninth U.S. Telecom Company Added to List
A ninth U.S. telecom company has been compromised in the Chinese-linked Salt Typhoon cyberespionage operation. Hackers gained access to sensitive metadata, phone calls, and texts, raising concerns over national security. The breach, targeting government officials and law enforcement systems, has prompted urgent calls for stronger security regulations from the U.S. government. In response, the U.S. government has urged the use of encrypted apps and proposed new FCC rules to secure telecom networks, aiming to prevent future breaches.
5. ZAGG Data Breach: Credit Card Information Exposed via Third-Party App
ZAGG Inc., a consumer electronics accessories maker, disclosed a data breach in which hackers exploited the FreshClicks app, a third-party tool from BigCommerce’s marketplace, to inject malicious code. This compromised the card details of ZAGG.com shoppers between October 26 and November 7, 2024, exposing names, addresses, and payment data. BigCommerce uninstalled the app after detecting the breach, emphasising that its own systems were unaffected. ZAGG notified regulators, law enforcement, and impacted individuals, offering 12 months of free credit monitoring through Experian. The total number of affected customers is yet to be confirmed.