In a recent article, The Cybersecurity of Gen-AI and LLMs: Current Issues and Concerns, the Cyber Security Agency of Singapore provides helpful commentary on the security and privacy challenges associated with generative artificial intelligence and large language models. The article outlines issues such as accidental data leaks, vulnerabilities in AI-generated code and potential misuse of AI by malicious actors, before providing recommendations on the steps that technology companies can take to address these concerns.
On 30 July 2024, the National Consumer Secretariat published Technical Note No. 2/2024/Gab-DPDC/DPDC/SENACON/MJ, which provides for the Ads Quality Criteria and Data Quality Criteria as transparency parameters to be adopted and complied with by digital platforms in Brazil. The Technical Note establishes transparency criteria applicable to platforms, mentioning the need to comply with dignity, health, safety, protection and harmony within consumer relations.
Malaysia’s Cyber Security Bill 2024 was passed by both houses of the Malaysian Parliament on 27 March 2024 (Dewan Rakyat) and 3 April 2024 (Dewan Negara) respectively. Subsequent to its Royal Assent on 18 June 2024 and publication in the Official Gazette on 26 June 2024, the Malaysia Cyber Security Act 2024, together with four subsidiary regulations, came into force on 26 August 2024.
The Brazilian Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19, which creates the procedures and rules for recognizing the suitability of other countries or international bodies to carry out international personal data transfer operations, as well as approving the standard contractual clauses that may be used by processing agents to legitimize the international transfer of personal data.
The National Privacy Commission (NPC) recently issued NPC Circular No. 2024-02 (“Circular”), which provides an updated policy framework on the use of closed-circuit television (CCTV) systems. The Circular is intended to address emerging privacy risks arising from the use of CCTV systems, and to enable data controllers and processors to properly manage personal data processing carried out through such systems.
The Circular took effect on 27 August 2024.
Following the passing of the Personal Data Protection (Amendment) Bill 2024 by the Malaysian Parliament in July 2024, three public consultation papers have been issued in relation to the implementation of the following impending new legal obligations:
- Notifying the Personal Data Protection Commissioner and affected data subjects of a personal data breach.
- Appointing data protection officer(s).
- Effecting the data subject’s right to data portability.
The deadline to provide feedback is 6 September 2024 (Friday).
On 25 June 2024, the Government proposed to enact a new piece of cybersecurity legislation, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill, to enhance the protection of computer systems of critical infrastructures (CIs). On 2 July 2024, the proposed legislative framework was tabled to the Legislative Council Panel on Security for consultation. The proposed legislation would require CI operators to fulfill certain statutory obligations and take appropriate measures to strengthen the security of their critical computer systems and minimize the chance of essential services being disrupted or compromised due to cyberattacks.
The Brazilian Data Protection Authority (ANPD) has published Resolution CD/ANPD No. 18, which creates additional rules for the appointment of the Person in Charge (similar, although not equivalent, to the Data Protection Officer under the GDPR).
As background, according to Law No. 13.709/18 (Brazilian Data Protection Law (LGPD)), data controllers must appoint a Person in Charge. The “Person in Charge” has the primary role of serving as a communication liaison between the data controller, data subjects and ANPD, as well as providing training and guidance to the controller’s employees, and complying with any other instructions that the controller may give.
The Cyber Security Agency (CSA) has just released Guidelines on Securing AI Systems (“Guidelines”) and a Companion Guide on Securing AI Systems (“Companion Guide”).
The Guidelines advocate for a “secure by design” and “secure by default” approach, addressing both existing cybersecurity threats and emerging risks, such as adversarial machine learning. The aim is to provide system owners with principles for raising awareness and implementing security controls throughout the AI lifecycle.
The Companion Guide is an open-collaboration resource, and while not mandatory, it offers guidance on useful measures and controls informed by industry best practices, academic insights and resources such as the MITRE ATLAS database and OWASP Top 10 for Machine Learning and Generative AI.
The UK Government passed the long-awaited Digital Markets, Competition and Consumers Act (DMCC) on 24 May 2024.
The DMCC will bring radical change to the enforcement of consumer law in the UK, introducing new powers for the CMA to issue direct fines of up to 10% of global annual turnover for breaches. This spotlight series will focus on the substantive changes to consumer law introduced by the DMCC, and how it compares to the position in the EU.