Global updates – a quick glance
Australia:
- ‘Digital ID Bill’ received royal assent on May 30, 2024; it aims to improve online privacy and security by making digital identity verification easier.
- Australian government increases the maximum superannuation guarantee contribution base to AUD 65,070 per quarter and contribution rate from 11% to 11.5% p.a., effective from July 1, 2024.
- Australia Budget 2024 introduced changes to Medicare levy thresholds and an extension of the benefit of instant write-off of eligible assets below AUD 20,000 for small businesses.
Brazil:
- Security Incident Communication Regulations prescribing data breach notification requirements effective from April 29, 2024.
- Monthly return introduced for reporting certain tax benefits availed by the companies.
Bulgaria: Introduced new remote working rules laying down health and safety measures and requiring the location of work to be specified in employment agreements.
Canada:
- Bill-149 amended provisions of Ontario’s Employment Standards Act, 2000.
- Digital Service Tax Act effective from June 28, 2024, and applicable retroactively for revenues earned from year 2022.
China:
- Introduced administrative measures for reporting of beneficial owners effective from November 1, 2024.
- Extended benefit of the reduced unemployment insurance rate by 1% and continued the unemployment contribution refund policy until December 31, 2025.
Colombia:
- Colombia amends Sexual Harassment Law.
- Incentives to employers for new hires.
Costa Rica: Costa Rica’s Tax authority publishes tax rates and slabs for the tax year 2024.
EU: The European Council has approved the Artificial Intelligence (“AI”) Act, which will regulate AI systems and apply to various stakeholders in the AI distribution chain.
Finland:
- The standard VAT rate increased to 25.5% from 24% effective September 1, 2024.
- Public Country by Country reporting to be effective from fiscal years starting on or after June 22, 2024.
France: Announced revised thresholds for classification of companies/groups based on size and appointment of an auditor.
Germany: Germany published Growth Opportunities Act in the official gazette on March 27, 2024.
Gibraltar: Gibraltar presented the budget for the year 2024-25; proposed changes include reduction in personal tax rate to 25% and increase in corporate tax rate to 15% among other changes.
Honduras: Country-by-Country (“CbCR”) reporting and notification obligation for companies in Honduras effective from January 1, 2025.
Hong Kong: Bill passed to give effect to the tax proposals in Budget 2024-25; two-tiered standard rates regime for “salaries tax” and “tax under personal assessment” introduced.
India:
- Rate of damages on delayed payment of provident fund contributions and accumulations revised effective from June 15, 2024.
- Indian Finance Minister presented the Union Budget, 2024, with several key proposals:
  - Change in the income slabs applicable under the ‘default tax regime without deductions’; standard deduction for individuals earning salary or pension income increased up to INR 75,000;
  - A private sector employee who pays tax under the ‘default tax regime without deduction’ shall be allowed a deduction towards contribution to national pension scheme made by an employer of an amount not exceeding 14% of the employee’s salary (earlier this limit was 10% of the employee’s salary);
  - Provision levying tax on the difference between issue price and fair market value of shares of private companies (known as angel tax) is proposed to be abolished;
  - Corporate tax applicable to foreign companies proposed to be reduced from 40% to 35%.
Israel: The VAT rate increased to 18% from 17% effective January 1, 2025.
Japan:
- New measure released for partial removal of the residential address details of representative directors from the corporate registry record, effective from October 1, 2024.
- Japan revises labor law provisions to support employees having children effective from April 2025; requires employers to provide flexible working options, remote working facility, childcare leave, etc.
Lithuania: Lithuania approves global minimum tax effective from July 1, 2024.
Malaysia:
- Malaysia expanded the scope of Occupational Safety and Health Act to cover all workplaces effective June 1, 2024; mandated employers to conduct risk assessments, appoint occupation health and safety coordinator and strengthens employee protection requirements.
- Mandated implementation of e-invoicing in phased manner starting from August 2024.
Netherlands: Large employers are required to report work-related mobility data by June 30, 2025.
Peru: Introduction of additional deductions for hiring young employees.
Poland:
- Poland extends family care benefit payment to the first child in 2024, which was available only to the second and subsequent children.
- Mandatory e-invoicing in Poland postponed to February 1, 2026.
- The President signed the ‘Whistleblower Protection Act’ on June 19, 2024.
Singapore:
- Tripartite Guidelines on Flexible Work Arrangement Request will come into effect on December 1, 2024.
- Singapore amends the Cybersecurity Act, 2018.
Sweden: New rules for parental leave effective from July 1, 2024.
Switzerland: Swiss VAT-registered companies can opt for annual VAT reporting.
Thailand:
- The maximum medical expenses to be paid by employer increased from THB 50,000 to THB 65,000.
- Private limited companies exempted from e-commerce registration requirement, effective June 5, 2024.
- Terminated employees likely to enjoy higher income-tax exemption on severance pay received after January 1, 2023.
Turkey:
- Turkey updates threshold for applicability of independent audit to companies.
- Turkey amended Personal Data Protection Law to introduce new grounds for processing of sensitive personal information and to address cross-border data transfer challenges.
Data Protection Fines Table

Country | Authority Name | Fine imposed on | Reason for Fine Related to Data Protection Failure | Amount of Fine and Penalty |
--- | --- | --- | --- | --- |
Belgium | Belgian Data Protection Authority (“Belgian DPA”) | Unnamed Company | A fine was imposed for the following reasons: Failure to comply with the complainant’s requests to erase data, as the data subject refuses to give consent for using data for direct marketing. Failure to cooperate with the data protection authority. Failure to carry out processing of data as per the provisions of GDPR. | EUR 172,431 |
Czech Republic | Czech Republic DPA (‘UOOU’) | Avast Software s.r.o., a software and anti-virus company | A fine was imposed for GDPR violations and a data breach that arose due to unlawful processing and cross-border transfer of data to a third party. The company shared with the third party browsing data related to around 100 million of its users without anonymising it for market analysis purposes. | CZK 351 million |
France | French Data Protection Authority (“CNIL”) | HUBSIDE.STORE, which carries out phone and SMS prospecting campaigns for promotion of products for sale in its stores such as laptops, mobile phones etc. | A fine was imposed for the following reasons: Failure to obtain valid consent from individuals, leading to absence of the legal basis to process the collected data. Failure to provide complete information to individuals regarding the purpose of data collection and its use. | EUR 525,000 |
Greece | Hellenic Data Protection Authority (‘HDPA’) | Ministry of Migration and Asylum, Public body | A fine was imposed on the government organisation for failure to conduct a data protection impact assessment while buying and implementing digital security/surveillance equipment (such as cameras, artificial intelligence tools, drones) for migrants, refugee, asylum centres in the Aegean Islands and for unlawful processing of biometric data. | EUR 0.175 million |
Italy | Italian data protection authority (‘Garante’) | Eni Plenitude S.p.A., a company engaged in sales and marketing services of gas and electricity for homes and businesses. | Fine was imposed on the company for making unwanted commercial phone calls and related violations including the following: Failure to follow the principles of lawfulness, correctness, transparency, accuracy, and security; Failure to establish proper legal basis before conducting telemarketing activities; and Failure to adopt adequate security measures. | EUR 6.4 million |
Lithuania | The State Data Protection Inspectorate (‘VDAI’) | Vinted UAB, the operator of online second-hand clothing trading and exchange platform “Vinted.” | The fine was imposed on the company for the following violations under the GDPR: Not acting upon requests from users regarding deletion of data, thereby not implementing proper systems for protecting the rights of data subjects related to access and erasure of the data; Unlawfully applied ‘shadow blocking’ (i.e., users violating the platform’s principles of operation are required to leave the platform without being aware about processing of their personal data), which is in violation of the principles of fairness and transparency; and Lack of adequate technical and organisational measures to ensure the implementation of the principle of accountability, right of access of data subjects etc. | EUR 23.85 million |
South Korea | The Personal Information Protection Commission (‘PIPC’) | Kakao Corp. (Kakao) is a South Korean company engaged in mobile communication and Internet Service. | Fine was imposed for failure to: implement appropriate safety measures; notify data breaches. | Fine – KRW 15 billion. Penalty – KRW 7.8 million |
South Korea | The Personal Information Protection Commission (‘PIPC’) | Golfzon Co., Ltd. (Golfzon) is a South Korean company engaged in manufacturing golf simulators. | Fine was imposed for the following reasons: Failure to implement appropriate safety measures; Failure to delete personal information for which retention purpose or retention period has expired. | Fine – KRW 5.4 million. Penalty – KRW 7.54 billion |
Spain | Spanish Data Protection Agency (‘AEPD’) | Caixa Bank S.A., a bank engaged in providing banking and insurance services | A fine was imposed for sharing the personal data of a customer with General Treasury of Social Security (“TGSS”) without obtaining free consent from the customers and thereby violating the provisions of GDPR. The consent requested from customers was not voluntary but compulsory having negative consequences, if not given, and no option to withdraw it. | EUR 1.2 million |
Sweden | Swedish data protection authority (‘IMY’) | Avanza Bank | The Bank was fined for unauthorized and accidental transfer of personal data of up to one million users to Meta due to incorrect settings of an analytics tool used by the Company for optimizing its marketing by tracking visitors’ activity on the website. It was deactivated when the Bank became aware of the incident. The fine was imposed for violating the GDPR principles as follows: Breach involving high-risk data, such as financial information and social security numbers, which caused a significant risk to data subjects’ rights and freedoms. Lack of adequate technical and security measures for ensuring protection of personal data of website visitors and app users. | SEK 15 million |