Sent to subscribers in May 2010.

Supplement #2 increases the number of countries covered in the book to 60 by adding two new chapters. Supplement #2 also addresses major changes in the European Union; provides updates on new laws and new constitutional developments in several of countries; and adds a new appendix.

Two New Countries Added

Two new countries are added—the Isle of Man and New Zealand are added to the scope of the book.

  1. The Isle of Man is a small island located between Ireland and England. It is one of the few countries for which the European Commission has determined that the data protection laws provide adequate protection to individuals. The country is the home of many banking institutions, which are able to take advantage of the favorable data protection climate. The data protection law of the Isle of Man is similar in many respects to the data protection act of the United Kingdom.
  2. New Zealand, an island located in the South Pacific, 2,000 miles southeast of Australia, has the unique privilege of having the capital that is the southernmost capital in the world. The data protection law of New Zealand is based on the OECD Guidelines on the Protection of Privacy and Transborder Data Flows. A member of the Commonwealth of Nations, for many years, New Zealand operates under a data protection regime that has numerous similarities with that of Australia—one of its closest neighbors—and that of the United Kingdom, whose monarch is also the Head of State of New Zealand.
— European Union —

The institutions of the European Community have been very active in the past few months. They have issued or adopted a flurry of very important new rules, which are analyzed in this Supplement #2.

  • The E-Privacy Directive (Chapter 7) has been amended through a new Directive that was adopted in November 2009 as part of the overhaul of the EU Telecom System. The 2009 amendments are aimed at increasing the protection of individual’s privacy and that of their personal data. One of the major changes modifies the regime in place for the use of cookies and other technologies that store personal data, now requiring the prior consent of the data subjects in most cases before their data may be collected by the cookies or other devices. Each country that is subject to the Directive must implement the amendments to the E-Privacy Directive by June 2011.
  • The complex structure applicable to the transfer of personal information out of the European Union and European Economic Area has been modified once again. The update of Chapter 9 discusses the new Standard Contractual Clauses for Controller to Processor transactions. This new document replaces the pre-existing Standard Contractual Clauses—Controller-to-Processor, to take into account the existence of subprocessors, and the fact that, in many processing transactions, the processor subcontracts to one or several layers of subprocessor the processing services that it provides to the data controller.
  • The fundamental political, economical, legal and structural framework of the European Union is also evolving. Chapter 4, which explains the complex political and legislative structures that frame Europe and the European Union, addresses the important changes that are introduced by the signature of the Treaty of Lisbon by the 27 EU Member States in November 2009. The Treaty of Lisbon takes the European Union to a new direction, with a new president, new increased powers for the European Parliament, and a streamlined structure. This new structure has been viewed as creating a more favorable climate for the regulation of data privacy and data protection in the European Union. It is also intended to allow the European Union to interact with non-EU countries as a single voice, and a cohesive, unified ensemble.
  • Finally, the adoption of the Madrid Resolution may be the first step towards a global agreement on acceptable standards for data protection. Chapter 3, Genesis of Modern Information Privacy and Security, is supplemented with a new section on the 2010’s. This section addresses the new Madrid Resolution, a document adopted at the recent annual conference of the Data Privacy Commissioners of over 50 countries, which has also been endorsed by ten large multinational companies. The Resolution is intended to serve as a first draft of an international document that would set an international standard for the protection of personal data.
— Americas —

Data Protection laws in the Americas differ drastically. Argentina uses a model that is the closest to the 1995 EU Data Protection Directive, which has allowed Argentina to be deemed to offer adequate privacy protection. The Dominican Republic and Mexico have only sectoral laws, and are still trying to adopt national data protection laws that would make them more attractive to foreign investors.

  • The data protection of Argentina, described in Chapter 11, has been clarified through new documents issued by the local data protection authority. The practical aspects of the conditions for the transfer of personal data out of the country have been refined in an opinion of the national data protection authority. The methods to be used when sending unsolicited commercial messages are clarified, as well.
  • The new Constitution of the Dominican Republic (Chapter 24), adopted in January 2010, incorporates important structural changes in the organization and operation of the government, in addition to recognizing the right of privacy. The new Constitution ensures respect and non-intrusion in private life, family, domicile, and the private documents of the individual, as well as the right of honor, “good name,” and “self-image.” Any authority or individual that infringes these rights is required to compensate or repair the harm done to the victim in accordance with the law.
  • The Mexico chapter (Chapter 45) is enhanced with a new section on State laws. The United States of Mexico is comprised of 31 States. Several of these States have laws that address the protection of personal data held by governmental agencies and public entities of the States. In addition, the civil code of one of these States has special provisions that protect personal data held by private entities located in the State.
— Asia —

In Asia, China is showing increased interest in regulating the protection of personal data. A recent Tort Liability Law modifies the China data protection landscape.

  • The update to the China chapter (Chapter 19), comments on the new PRC Tort Liability Law, which becomes effective as of July 1, 2010. The new law includes several provisions that specifically or generally relate to the protection of personal data. A “right to privacy” is included in the list of the protected civil rights and interests. When the PRC Tort Liability Law becomes effective, data subjects will be able to make claims against the disclosure or misuse of their personal data and the remedies available for them will be subject to substantial change.
— Europe/Middle East —

Finally, recent developments in the Europe/Middle East region are also discussed.

  • Denmark, in Chapter 23, has adopted a new guidance that focuses on whistleblowing hotlines. In addition, the country has adopted new regulations that supplement its data protection law.
  • With the recent publication of an opinion on adequacy by the Article 29 Working Party, Israel may soon be recognized by the European Commission as providing adequate privacy protection to individuals. Chapter 36 describes this development, as well as new developments in the relations between employers and employees.