The Latest Privacy & Data Protection News — March 2023


Photo of author

Donata Stroink-Skillrud

Co-founder and President of Termageddon

The most important developments in privacy come from the legislatures of certain states such as New York and West Virginia which have proposed new privacy bills, as well as Australia, which proposed multiple amendments to the Australia Privacy Act 1988 (see below). In addition, it appears that there is some opposition to the EU-US data transfers framework, which you can read more about below as well.  We hope that you find this newsletter helpful for staying up to date with the myriad changes in the privacy field. 

What’s new in privacy in March 2023? 

Below are some of the most notable news in privacy from this month: 

Privacy in the State of the Union Address.

Much has been written about the mentions of privacy in President Biden’s State of the Union address. Highlighting the need for both regulation and enforcement in hot topic data privacy issues, he focused on children’s privacy and online mental health, as well as Big Tech, data minimization, algorithmic transparency and health data. The volume and breadth of privacy topics in the speech far outnumber his predecessors, perhaps signaling a shift in priorities. Read the official speech, the fact sheet, and the commentary by Wired.

Executive Order and FTC Shakeup.

Perhaps following up on the State of the Union address, agencies received instructions from the White House and some restructuring in the FTC. President Biden issued an executive order directing federal agencies to address algorithmic discrimination. He renominated FTC Commissioner Rebbeca Kelly Slaughter for another term, while FTC Commissioner Christine Wilson, the agency’s sole Republican commissioner, resigned. Finally, FTC Chair Lina Khan announced the creation of an Office of Technology, to be led by Chief Technology Officer Stephanie Nguyen. Read more about the executive order, Commissioner Slaughter’s renomination, Commissioner Wilson’s resignation, and the Office of Technology.

MEP Opposition to the EU-US Data Privacy Framework.

The European Parliament Committee on Civil Liberties, Justice and Home Affairs issued a draft resolution discouraging the Commission from finding adequacy for the US under the EU-US Data Privacy Framework. Holding that the agreement fails to create “actual equivalence” in the level of privacy protections, the Committee took issue with the relevant executive order’s scope and reversibility, as well as the lack of a federal data privacy law in the US, the breadth of US state surveillance and the limitations of available remedies. Read the full release. Notably, the US Supreme Court recently declined to review Wikimedia’s case against the NSA “upstream surveillance” program.

AI Act Negotiations in EU, AI Enforcement in Member States.

The European Parliament introduced compromise amendments to the draft AI Act, following some debate on classification of high-risk AI systems. In the meantime, multiple member states have increased or promised to increase enforcement on AI. Italy’s data protection authority, Garante, banned US-based AI chatbot Replika from processing personal data of Italian users. France, Spain and the Netherlands opened dedicated AI oversight and enforcement units. Read more about the draft AI Act debate, the Garante action, and the dedicated AI units. We recently wrote an article on whether ChatGPT can write your Privacy Policy

European Commission Bans TikTok on Corporate Devices, Canada investigates TikTok.

Citing data protection concerns, the European Commission has banned TikTok from corporate devices, with their IT service asking for employees to uninstall the app from corporate devices and personal devices using corporate apps. The same week, Canada’s privacy authorities announced an investigation into TikTok’s privacy practices, especially as they relate to children’s data. More on the Commission ban and Canada’s investigation.

Australian Privacy Act Reform.

Australia’s Attorney-General released its highly anticipated Privacy Act Review Report, seen as a key step in its privacy law reform. The report includes 116 recommendations acquired from stakeholders over a two-year period of review of the 1988 Privacy Act. Public comments are accepted until March 31. If you’re interested in learning more, check out the report and some commentary.

Norwegian DPA finds that Google Analytics is not compliant.

Norway’s Data Protection Authority issued a preliminary conclusion ruling that Google Analytics breaches GDPR’s data transfer rules. The formal decision will come at the end of April but the DPA states that companies should seek alternatives to Google Analytics.

US Marshals Service hit with ransomware attack.

The US Marshals Service recently confirmed that it was subject to a ransomware attack that compromised sensitive information. The attack occurred on a server, which was taken off its network after the ransomware was discovered. The attack did not target the Witness Security Program databases but certain other sensitive information such as PII relating to employees and subjects of investigations was accessed.

Researchers uncover ChatGPT Android malware and phishing campaigns.

Cybersecurity firm Cyble found phishing websites containing malware that are spread via a spoofed social media page for ChatGPT and OpenAI. Other phishing sites posed as payment portals for users to pay for ChatGPT services in order to steal credit card information.

CPPA to hold board meeting.

The California Privacy Protection Agency will hold a board meeting on March 3. The agenda will focus on the first draft of CPRA regulations, the annual budget, agency priorities and the second CPRA rulemaking procedure.

What privacy bills are we tracking? 

As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog


Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals: 

  1. 2023 Antitrust Spring Meeting – March 29 – March 31
  2. Cross-Border Institute: The Intersection of Global Discovery, Privacy and Data Security – July 20 – July 21
  3. Body Worn Video and Privacy in Nova Scotia – March 2
  4. What In-House Counsel Should Know About BIPA – March 9.

If you made it this far, there’s a good chance you just can’t get enough of privacy. Be sure to subscribe to our podcast, Privacy Lawls, where we talk privacy with some of the leaders in the industry.

Photo of author
About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site
Popular Articles
Browse by Category

Comparing Policy Generators

Cookie Consent Banner

Cookie Policy




How To's

Privacy Policy

Terms of Service

Subscribe for Updates
  • This field is for validation purposes and should be left unchanged.