This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant.
One Year On, the AI Executive Order Is Likely a Dead Letter
| Canada | USA | Europe | APAC | Rest of World |
|---|---|---|---|---|
| | ✔ | | | |
Type: Announcement/Legislation
Date: November 2024
Summary: In October 2023, the Biden Administration introduced a landmark executive order on artificial intelligence, which included ambitious directives to address governance, safety, and security challenges, and to deliver trustworthy artificial intelligence capabilities. The order directed federal agencies to take a wide range of actions, including:
- Developing and using standards for AI safety and security.
- Enforcing protections for Americans’ privacy.
- Enhancing equity and civil rights.
- Advocating for and supporting consumers, patients, students, and workers.
- Promoting innovation through research and competition in the AI market.
- Ensuring responsible and effective government use of AI.
At the end of October 2024, the White House marked the first anniversary of the executive order by announcing that federal agencies had completed every task the order assigned them for its first year.
Conspicuous by its absence from the list of accomplishments is passage of legislation that would regulate AI. IAPP notes that “more than 120 AI-related bills were introduced to Congress this year… but few have made it out of House or Senate committees so far.”
Analyst Perspective: And that brings us to the recent US federal election. The president-elect previously said he would repeal the executive order on taking office, and it seems likely he will follow through on that promise. It’s unclear what will replace the executive order, however. An MSN article notes that he has “described AI as a ‘superpower’ and called its capabilities ‘alarming,’” but hasn’t articulated a coherent approach to legislation or regulation.
In the face of a shifting and uncertain regulatory landscape, focus on what you can control. As a privacy or security leader, advocate for a responsible and adaptive approach to AI governance that aligns with your organizational goals and risk appetite, and build in mechanisms that allow governance to adapt to changes in your regulatory environment. For example, you could establish a standing committee that can review relevant legislative changes, identify gaps that would prevent the organization from meeting those requirements, and mandate changes.
Analyst: Andrew Sharp, Research Director – Infrastructure & Operations
More Reading:
- Source Material: IAPP, The White House, MSN
- Related Info-Tech Research:
The EU Cyber Resilience Act: Opportunities and Challenges
| Canada | USA | Europe | APAC | Rest of World |
|---|---|---|---|---|
| | | ✔ | | |
Type: Regulation
Date: October 2024
Summary: The EU Cyber Resilience Act (CRA) was passed on October 10, 2024. It sets cybersecurity requirements for products with digital elements, such as Internet of Things (IoT) devices. Products already covered by other product safety legislation (e.g. medical devices) are excluded from the CRA’s scope. The Act primarily applies to manufacturers, although some requirements may also fall to authorized representatives, importers, and distributors. Key requirements include:
- Cybersecurity compliance: Products must be designed with strong security measures such as encryption, secure configurations, and resilience against attacks, with updates available to fix vulnerabilities.
- Vulnerability handling: Manufacturers must document vulnerabilities, provide updates free of charge, and disclose security fixes publicly, including information on impacted products.
- Critical and important products: Products considered critical (e.g. hardware security devices, smartcards) or important (e.g. identity management software, VPNs) will face specific certification or conformity assessment procedures.
- Reporting obligations: Manufacturers must report actively exploited vulnerabilities or severe incidents to relevant cybersecurity authorities within 24 hours of discovery and inform users of any security risks without undue delay.
- Penalties for noncompliance: Fines for noncompliance can reach up to €15 million or 2.5% of global annual turnover.
There will be a phased approach to its enforcement, with reporting obligations taking effect in 2026 and comprehensive compliance expected by 2027.
Analyst Perspective: While the CRA aims to strengthen cybersecurity across the European Union, private organizations, particularly those in manufacturing and software development, may face significant challenges in meeting the compliance requirements. The costs of securing products, documenting vulnerabilities, and obtaining certifications could also weigh heavily on smaller organizations and startups, although the principle of proportionality may be applied to ease that burden.
For companies able to meet these standards, the Act also offers opportunities to enhance security, improve brand reputation, and streamline market access across the EU. Organizations may find it worthwhile to weigh the costs of compliance against potential benefits and risks. Business leaders will be better informed about the time and effort required to adapt processes in alignment with the evolving cybersecurity landscape.
Analyst: Ahmad Jowhar, Research Analyst – Security & Privacy
More Reading:
- Source Material: IAPP, European Council
- Related Info-Tech Research:
PIAs in the Canadian Public Sector: The Overhaul
| Canada | USA | Europe | APAC | Rest of World |
|---|---|---|---|---|
| ✔ | | | | |
Type: Directive
Date: October 2024
Summary: The Canadian government has introduced major changes to the Privacy Impact Assessment (PIA) process for government institutions, marking the most substantial update since 2002. These changes, overseen by the Treasury Board of Canada Secretariat (TBS), aim to integrate privacy more effectively into the governance of projects and programs.
Under the updated requirements, a new mandatory checklist must be completed before initiating a PIA, helping privacy teams determine whether a PIA is necessary. The scope of when a PIA is required has been broadened to include instances of new or modified information technologies, third-party involvement, and automated decision systems. Additionally, an updated PIA template has been mandated to address current challenges. Furthermore, a new form for publishing PIA web summaries has been introduced, requiring clearer descriptions of programs, identified risks, and mitigation measures.
A formal approach has been established for conducting PIAs across multiple institutions, with prior submission to TBS and the Office of the Privacy Commissioner of Canada (OPC). Enhanced emphasis has also been placed on transparency regarding personal information collection and management, with mandatory forms for updating Personal Information Banks (PIBs). Institutions must now document, review, and annually update risk mitigation measures.
Lastly, clarification has been provided on the use of privacy protocols for nonadministrative uses of personal information, which don't require full PIAs. This new standard is effective immediately, with a deadline of October 10, 2025, for updating PIBs and PIAs for existing programs.
Analyst Perspective: The new PIA requirements represent a shift toward a more comprehensive and standardized approach to privacy impact assessments in Canada. Although the updates aim to modernize privacy practices and increase transparency, their implementation could create considerable burdens for organizations in the public sector. The added complexity, especially for institutions that are not well-resourced or have limited privacy infrastructure, could create significant challenges. Institutions will need to invest in resources, personnel, and systems to comply with the new standards. Despite these hurdles, the updates also present an opportunity to improve privacy practices, enhance governance, and align more effectively with current and future privacy risks. Organizations that start early and are proactive in adapting to the new standards will likely be better positioned to manage these challenges and benefit from improved data protection practices.
Analyst: Safayat Moahamad, Research Director – Security & Privacy
More Reading:
- Source Material: IAPP, Government of Canada
- Related Info-Tech Research: