Global updates – a quick glance
Australia:
- Changes to the fixed rate method for claiming home office deductions, increased from 52 cents to 67 cents per hour effective from July 1, 2023.
- Australia Budget 2023; introduced changes to medicare levy thresholds.
Belgium: Record retention period under VAT increased from 7 years to 10 years effective January 1, 2023.
Brazil:
- Racial or ethnic information of the employees to be recorded in the employee records and documents.
- New Transfer Pricing Law effective from January 1, 2024.
Canada: British Columbia’s Pay Transparency Act enters into force from May 11, 2023; Introduces new obligations for the employers.
China:
- Increases R&D super deduction rate from 75% to 100% effective from January 1, 2023
- Filing Guidelines under the standard Contractual Clauses Measure for the overseas transfer of personal information released on May 30, 2023; Guidelines provide submission of standard contract and personal information protection impact assessment report.
Costa Rica: Tax rates and slabs announced for the tax year 2023 for corporates and employed individuals.
Denmark: European Union (“EU”) Directive on “Public” country by country reporting – transposed into domestic law.
European Union: EU-US Data Privacy Framework adequacy decision adopted on July 10, 2023.
France:
- Public disclosure of CbC reporting to be applied for financial years beginning after June 22, 2024.
- Legislation to obligate small and mid-size business to implement “Profit Sharing Scheme” under consideration of French Parliament.
Finland: Employer certification system introduced to simplify residence permit process.
Germany: European Union (“EU”) Directive on “Public” country by country reporting – transposed into domestic law.
Hong Kong:
- Hong Kong passed the Inland Revenue (Amendment) (Child Allowance and Tax Concessions) Bill 2023 on April 19, 2023, implementing the increased basic and the additional child allowance for each child born during the tax year 2023–24.
- Offset of the severance payments (“SP”) and long-service payments (“LSP”) payable on termination/ retirement against Mandatory Provident Fund (“MPF”) benefits to be repealed effective from May 1, 2025.
India:
- Reduces aggregate turnover threshold for e-invoicing from INR 100 million to INR 50 million effective August 1, 2023.
- Tax exemption limit increased for Leave Encashment for Non-Government Salaried Employees from INR 3 Lakh to INR 25 Lakh effective from April 1, 2023.
- MCA establishes separate centre C-PACE to simplify the process of striking off of name of company from register.
Indonesia: Guidelines on prevention of sexual violence at workplace introduced.
Ireland:
- Ireland’s Work Life Balance and Miscellaneous Provisions, Act 2023 receives presidential assent, on April 4, 2023; Maternity leave can be availed by transgender men.
- European Union (“EU”) Directive on “Public” country by country reporting – transposed into domestic law.
Israel:
- New privacy protection regulations published for data transferred from the EEA in order to align Israeli law to the requirements of GDPR; implementation in phased manner staring from August 7, 2023.
- Adoption of Continuous Transaction Controls (“CTC”) system for reporting and submission of e-invoice to be effective from January 1, 2024.
Japan: several changes to labor law to take effect in 2023 and 2024; changes include digital payment of wages, obligation to disclose childcare leave, etc.
Lithuania: European Union (“EU”) Directive on “Public” country by country reporting – transposed into domestic law.
Malaysia:
- Mandatory e-invoicing scheduled to be implemented from June 2024.
- Malaysia revises Income Tax (Transfer Pricing) Rules 2023 and Income Tax (Advance Pricing Arrangement) Rules 2023 applicable for the assessment year 2023 onwards,
- scope of transfer pricing documentation expanded to cover detailed information about the group.
- arm’s length range is redefined to be falling between the 37.5th percentile and the 62.5th percentile.
Netherlands:
- Senate adopts Dutch Pensions Act replacing defined benefit schemes with defined contribution schemes, transition period beginning from July 1, 2023
- Removal of threshold for intrastate reporting effective from 2023
Poland: New regulations under Labour Code Act are introduced for parental leave with effect from April 26, 2023.
Singapore: Singapore Companies Act amended to allow conduct of meetings fully virtual or hybrid effective from July 1, 2023.
Serbia: Application for Company registration to be filed online effective from May 17, 2023.
South Korea: South Korean National Assembly amends the Personal Information Protection Act effective from September 15, 2023, to strengthen data subject rights and enhance safety measures.
Spain: European Union (“EU”) Directive on “Public” country by country reporting – transposed into domestic law.
Sweden: European Union (“EU”) Directive on “Public” country by country reporting – transposed into domestic law.
Taiwan: Personal Data Protection Act amended to increase fines up to maximum of TWD 15 million in case of severe violations or failure to rectify the default.
Thailand:Thailand reduces withholding tax rates for the period from January 1, 2023, to December 31, 2025, for users of e-withholding tax system.
| Data Protection Fines Table | ||||
| Country | Authority Name | Fine imposed on | Reason For Fine Related to Data Protection Failure | Amount of Fine |
| France | The French Data Protection Authority (Commission nationale de l’informatique et des libertés/CNIL) | Doctissimo, a Company owning and operating an internet-based health care advertisement and information site. | Fine was imposed for violation of several GDPR regulations such as excessive duration of data retention, collection of health data without consent, failure to provide formal framework for data sharing, etc. | EUR 380,000 |
| France | The French Data Protection Authority (Commission nationale de l’informatique et des libertés/CNIL) | Clearview AI, a company engaged in the business of providing facial recognition platforms. | The fine was imposed for failure to comply with directions issued by CNIL not to collect and process data without legal basis and delete personal data of individuals in the given time. | EUR 5.2 million |
| France | The French Data Protection Authority (Commission nationale de l’informatique et des libertés/CNIL) | KG COM., a company operating multiple websites to provide clairvoyance readings to customers. | The fine was imposed for infringements of provisions related to the systematic recording of phone calls, collection of health data and information relating to sexual orientation, retention of banking data without consent of individuals, failure to notify data breach or non-compliance relating to use of cookies. | EUR 150,000 |
| France | The French Data Protection Authority (Commission nationale de l’informatique et des libertés/CNIL) | Criteo, a company engaged in the business of online advertising. | Fine was imposed for failing to verify that the persons whose data it processed had given their consent. | EUR 40 million |
| Hungary | The National Authority for Data Protection and Freedom of Information (‘NAIH’) | I&S Limited Kft., a company engaged in providing physical wellbeing improvement services. | Fine was imposed for the following reasons: Continuously recording the employees and monitoring guests through video cameras without a legal basis. Incorrect handling of personal data of the data subjects, including not providing specific storage period for the recordings, the rules for reviewing the recordings, or the purpose for which the recordings can be used. Failure to provide a default setting for the operation of the camera system that minimised data collection. Failure to employ the tools and system security measures necessary for the data protection. Usage of personal information of guests for marketing purposes without a legal basis. | HUF 30 million |
| Ireland | The Data Protection Commission (“DPC”) | Meta Platforms Ireland Limited, operating as the data controller of the social media platform – Facebook, a multinational Information Technology company. | The fine was imposed for violation of GDPR provisions in relation to transfer of personal data from the EU to the USA. The primary and supplementary data protection measures adopted by Meta for transfer of personal data under GDPR were held to be inadequate by DPC to protect EU citizens’ data from being accessed by US security agencies resulting in risks to fundamental rights and freedoms of data subjects. In addition to the fine, Meta was also instructed to suspend all transfers of personal data to the US within five months and bring its processing in line with the GDPR within six months. | EUR 1.2 billion |
| Italy | Italian data protection authority (‘Garante’) | TIM S.p.A, a company engaged in providing telecommunications services. | Fine was imposed for the following reasons: Failure to timely address several requests as per the data subjects’ rights. Failure to obtain consent of the data subjects for commercial communications. Failure to detect and address the data breach timely. | EUR 7.6 million |
| Netherlands | The Dutch Data Protection Authority (Autoriteit Persoonsgegevens/AP) | Social Insurance Bank (SVB), an entity engaged in implementation of national insurance schemes in the Netherlands. | Fine was imposed for failing to check the identity of the callers which led to leak of the personal information. | EUR 150,000 |
| Sweden | Swedish Authority for Privacy protection (‘IMY’) | A digital music service company namely, ‘Spotify’. | Violation of users’ right to access the data being processed, failure to provide appropriate safeguards relating to transfer of personal data. | SEK 58 million |
| Sweden | Swedish Authority for Privacy protection (‘IMY’) | A media company namely, ‘Bonnier AB’. | Processing personal data on an incorrect legal basis and usage of data for profiling without consent. | SEK 13 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Samsung Securities Co. Ltd., a company operating an investment education website. | Fine was imposed for the following: – failure to implement appropriate safety measures. breach of personal information. | KRW 101.60 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | McDonald’s Korea Limited, a food service company. | Fine was imposed for the following: failure to implement data access controls. failure to delete personal information whose purpose or retention period has expired. failure to report breach of personal information. | KRW 706.66 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Jarvis & Villains Co. Ltd., a company operating an app facilitating filing of tax returns. | Fine was imposed for following reasons: processed resident registration numbers without legal rights. using and processing personal information without obtaining proper consent. | KRW 866 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | LG HelloVision Co. Ltd., a company engaged in broadcasting and communication services. | Fine was imposed for following reasons: failure to implement safety measures which resulted in data breach. failure to notify data breaches. | KRW 1,230.20 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Samsung Electronics Co. Ltd., a company engaged in computer and electronic devices manufacturing. | Fine was imposed for recurrent failure to implement safety measures which lead to data leak. | KRW 890 million |
| South Korea | The Personal Information Protection Commission (“PIPC”) | Interpark Co. Ltd., a company providing e-commerce platform. | Fine was imposed for failure to implement safety measures to prevent abnormal login attempts to online platforms. | KRW 1,030 million |
| Turkey | The Personal Data Protection Authority (‘Kiisel Verileri Koruma Kurumu/KVKK’) | An unnamed technology company. | Fine was imposed for failing to obtain explicit consent of individuals and taking necessary precaution while transferring personal data abroad. | TRY 950,000 |
| United Kingdom | The Information Commissioner’s Office (“ICO”) | TikTok, a multinational company engaged in providing social networking platforms to users. | Fine was imposed for – failure in obtaining consent of parents while collecting and processing personal data of children under the age of 13 years; failure to provide necessary information about collection, processing and sharing of personal data to enable informed decision; and failure to process personal data in a fair, transparent and lawful manner. | GBP 12.7 million (Earlier EUR 27 million) |
| United Kingdom | The Information Commissioner’s Office (“ICO”) | Triboo Limited, a company engaged in the business of online recruitment.. | Fine was imposed for sending marketing mails to individuals without obtaining their consent which was in violation of UK GDPR. | GBP 130,000 |