On 2 June 2023, an Act concerning online privacy, data and safety protections and an employer’s duty to disclose known instances of sexual harassment or assault committed by an employee when making employment recommendations (SB 3) was adopted after being passed by the House of Representatives. Under the Act, businesses would be required to protect consumer health data by imposing several measures. In particular, only relevant employees and processors to whom the user has given consent may access the health data and the processing may only be constrained to a specific purpose or service that the consumer has requested. In addition, geofencing to track and identify health data is prohibited. The Act also revises disclosure requirements relating to warrants directed to providers of electronic communication services and remote computing services. Data processors are required to enter into a binding contract with the business that specifically outlines the processor's tasks. The Act also contains provisions for minor data: a social media platform is required to delete a social media account of a minor if such a request is received from the minor (or the minor's guardians if they are younger than sixteen years of age) and cease processing the personal data associated with the account. As for workplace obligations, employers are required to disclose any knowledge it has of any sexual harassment or sexual assault committed in the workplace. The duty to disclose this information expires one year after the employer was informed of the incident.
Original source