January 2023 global regulatory update

Global Updates – January 2023

Global updates – a quick glance

Argentina: Foreign individuals and legal entities, without a presence in Argentina who are processing personal data of Argentine data subjects, can now register with the authorities through a newly available online form.

 Australia: Increased penalties under the Australia’s Data Privacy Act and expansion of extraterritorial application of the Act.

 Bulgaria: Increased the VAT registration threshold from BGN 50,000 to BGN 100,000 effective from January 1, 2023.

 Canada: Canada and Quebec’s social security contribution rates and maximums for 2023 were announced.

 China:

    • China Introduces new employer obligations to prevent sexual harassment of women in the workplace effective January 1, 2023.

    • Small-scale taxpayers with monthly sales less than RMB 100,000 are exempt from VAT payment liability until December 31, 2023; The VAT rate for small taxpayers is reduced from 3% to 1%.

 Colombia: The timeline has been extended for submission of Ultimate Beneficial Owners’ (“UBO”) information.

 Czech Republic: The VAT registration threshold has been increased from CZK 1 million to CZK 2 million effective January 1, 2023.

 European Union: The Draft Adequacy Decision on proposed EU-US Data Privacy Framework for cross-border data transfers published.

 France: 

    • A scheme to buy-back reduced working time (“RTT”) days has been introduced.

    • France passes the Finance Bill 2023:

    • Business Contribution on Added Value (“CVAE”) rates halved for the year 2023; CVAE to be abolished beginning in 2024.

    • Reduction in territorial economic contribution (“CET”).

 Germany:

    • Changes in maximum income bases and rates for social security contributions were announced for 2023.

    • Yellow sick notes have been replaced by electronic sick notes for employees covered under public insurance from January 1, 2023

    • Income tax changes announced for 2023 include increased employee allowance, revised income tax slabs, etc.

    • Additional information relating to fictitious Ultimate Beneficial Owner (“UBO”) needs to be reported to the Transparency Register effective January 1, 2023

 Hungary: New requirement to provide transfer pricing information as a part of Annual Corporate Income Tax has been introduced.

 India: 

    • India publishes Draft Digital Data Protection Bill withdrawing the earlier Bill on data privacy.

    • Central Board of Direct Tax allows the paper filing of Form 10F until March 31, 2023.

    • 100% “work from home” allowed for eligible employees of Special Economic Zone Units until December 31, 2023.

 Ireland: The Statutory Sick Pay (“SSP”) scheme commences January 1, 2023.

 Mexico:  Employees are entitled to increased paid vacation leave of 12 days after completion of one year of service effective January 1, 2023,

 Morocco: Simplifies corporate tax rate; publishes corporate tax rates applicable from 2023 to 2026.

 Netherlands: 

    • VAT registration thresholds to be maintained at EUR 25,000 until December 31, 2024.

    • Dutch Parliament approves the Tax Plan for 2023:

    • Personal Income Tax (“PIT) slabs and rates revised.

    • Base Corporate Income Tax (“CIT”) rate increased from 15% to 19% with the income bracket for basic income tax rate reduced from EUR 395,000 to 200,000.

 Philippines: Reduces personal income tax rates by 5% for income up to PHP 2 million and by 2% for income between PHP 2 million to PHP 8 million effective from January 1, 2023.

 Serbia:

    • Increases the non-taxable salary limit from RSD 19,300 to RSD 21,712 with mandatory electronic filing of personal income tax return.

    • From January 1, 2023, employer’s contribution rate for pension and disability insurance reduced from 11% to 10%.

 Singapore: Increased financial penalty under the Personal Data Protection Act (“PDPA”), effective from October 1, 2022.

 Slovakia: Amends Labor Code to transpose EU Directives on predictable working conditions.

 Slovenia:

    • Slovenian Parliament passed amendments to Income Tax rates; top income tax rate increased to 50% from 45%.

    • Personal Data Protection Act (“ZVOP-2”) adopted for transposing GDPR.

 South Korea: Amends income-tax law, reduces corporate tax rate by 1% effective January 1, 2023.

 Spain: Faster formation of limited liability companies (“LLC”) possible through CIRCE platform and reduction in minimum share capital requirement from EUR 3,000 to EUR 1 for LLCs.

 Sweden: National income tax thresholds for individuals increased to SEK 598,500 from SEK 540,700 for the year 2023.

 Switzerland: The VAT rate increased to 8.1% from 7.7% effective January 1, 2024.

 Taiwan: The maximum insured amount for universal health insurance (part of social security contribution) has been revised to TWD 219,500 effective July 1, 2022.

 Thailand: Amends Civil and Commercial Code effective from February 16, 2023, to reduce the minimum number of promoters required for a new company from three to two and to allow virtual attendance of directors for board meetings.

 United Arab Emirates:

    • Amendments to VAT Law effective January 1, 2023, allowing businesses engaged in 100% export activity or zero-rated supply to seek exemption from VAT registration and extending time-limit for tax audit in certain situations. 

    • UAE Ministry of Finance releases corporate tax law, clarifies tax treatment for Qualifying Free Zone Person” (“QFZP”), introduces transfer pricing provisions.

 United Kingdom: The Autumn budget proposes changes to the personal income-tax threshold of an additional tax rate of 45%, also amends R&D expenditure credit provisions.

 

 

Data Protection Fines Table
Country Authority Name Fine imposed on  Reason For Fine Related to Data Protection Failure Amount of Fine
France The French Data Protection Authority (“Commission nationale de l’informatique’et des libertés/CNIL”) Clearview AI, a company engaged in the business of providing facial recognition platform.  Fine was imposed for collecting and using of the photographs of French individuals unlawfully. EUR 20 million
Hungary Hungarian Data Protection Authority (“NAIH”) Amplifon Kft., a company engaged in the business of selling hearing aid. Fine was imposed for unlawful data processing without obtaining explicit consent of data subjects or adequate legal basis. HUF 80 million
Hungary Hungarian Data Protection Authority (“NAIH”) Magyar Éremkibocsátó Kft, a company engaged in the numismatic business. Fine imposed for processing data without valid basis and clearly defined purpose. HUF 30 million
Ireland The Data Protection Commission (“DPC”) Meta Platforms Ireland Limited, (Operating as the data controller of the social media platform – Facebook, a multinational Information Technology company). Fine was imposed under GDPR for privacy violations i.e., failure to comply with data controller’s obligations of protecting personal data. It failed to prevent the disclosure of users’ personal information to an online hacking forum. EUR 265 million
Ireland The Data Protection Commission (“DPC”) Meta Platforms Ireland Limited, a multinational Information Technology company. Fine was imposed for breaches under GDPR relating to services provided on Facebook and Instagram. The DPC ordered the company to reassess the legal basis for running advertising based on personal data in the European union. Approximately EUR 390 million 
Italy Italian Data Protection Authority (“Garante”) A joint-stock company engaged in cosmetic industry, namely Douglas Italia SPA. Fine was imposed for violations of the provisions and data subjects’ rights under GDPR. EUR 1.4 million
Italy Italian Data Protection Authority (“Garante”) A joint-stock company engaged in telecommunication sector, namely Vodafone Italia SPA. Fine was imposed for unlawful use of personal data in promotional campaigns thereby violating the GDPR provisions. EUR 500,000
Italy Italian Data Protection Authority (“Garante”) A company engaged in software services, namely Alpha Exploration Inc. Fine was imposed for violation of certain GDPR provisions, failing to provide privacy notices and carrying out data processing activities for marketing purposes. EUR 2 million
Poland The Polish data protection authority (“UODO”) Virgin Mobile Poland Spz o.o,    a provider of prepaid and post-paid wireless voice, text, and data communications services. Fine was imposed for failure to meet GDPR security obligations for registering personal data of subscribers of pre-paid services. This resulted in gaining access to personal data by unauthorized persons and hence resulted in breach of the principles of integrity and confidentiality. Approximately PLN 1.6 million 
South Korea The Personal Information Protection Commission (“PIPC”‘) Agentsoft, Ltd., a company engaged in the business of information retrieval services. 
 

Fine was imposed for failure to:- 

  1. implement appropriate safety measures;
  2. notify data breaches;
  3. delete personal information whose purpose or retention period has expired.
KRW 10.2 million
South Korea The Personal Information Protection Commission (“PIPC”) DS&G Ltd., a company engaged in the wholesale business of computers, peripheral equipment, and software. 

Fine was imposed for the following reasons:

  1. processed resident registration numbers without legal rights;
  2. failure to implement appropriate safety measures;
  3. failed to delete personal information whose purpose or retention period has expired.
KRW 11.4 million
South Korea The Personal Information Protection Commission (“PIPC”) BiznBook Co. Ltd., an in-house library management agency. 

Fine was imposed for failure to:

  1. notify data breach;
  2. implement appropriate safety measures.
KRW 9 million
South Korea The Personal Information Protection Commission (“PIPC”) IMO Co., Ltd.

Failure to:

  1. implement appropriate safety measures;
  2. notify data breaches.

KRW 7.8 million
Spain Spanish Data Protection Authority (“AEPD”) A company engaged in advertisement sector, namely Techpump Solutions SL. Fine was imposed for violation of GDPR provisions with respect to third-party website cookies. EUR 525,000
United Kingdom The Information Commissioner’s Office (“ICO”) Easylife Ltd., a catalogue retailer which sells household items, as well as services and products under their Health, Motor, and Gardening Clubs. Fine was imposed for unlawful use of personal information to predict the health condition of individuals and target them with health- related products and also for making predatory marketing calls without the consent of individuals. GBP 1.48 million

CLICK HERE FOR FULL REPORT

Scroll to Top