Sent to subscribers in September 2010.

Supplement #3 increases the number of countries covered in the book to 62 countries by adding two new chapters. Supplement #3 also provides updates to Chapter 2 and Chapter 5, updates on new laws and new developments in several countries, and adds a new appendix.


Chapter 2

This Supplement #3 provides an updated Chapter 2 “Taxonomy and Influences.” The chapter has been reorganized, revised, and updated.

Chapter 5

Chapter 5, which contains an overview of the EU data directives, has been updated to take into account the recent amendments to the 2002 e-Privacy Directive. These changes were discussed extensively in our update to Chapter 7, which is dedicated to the e-Privacy Directive.


Two New Countries Added

Two new countries—Albania and Andorra are added to the scope of the book.


Albania is a small country east of Italy, bordering the Adriatic Sea. Its closest neighbors are Montenegro, Kosovo, Macedonia, and Greece. Isolated from the remainder of Europe for many years because of its political regime, Albania has now established commercial relationships with its neighboring countries, and adopted a democratic regime.

Albania joined the Council of Europe in 1995, and the North Atlantic Treaty Organization (NATO) in 2009. It adopted a new constitution in 1998. In 2008, it overhauled its 1999 Data Protection Law in order to implement the Council of Europe Convention 108 on the protection of individuals with respect to the automatic processing of personal data, which it ratified in 2005. The new Data Protection Law reflects Albania’s long-term goal to become part of the European Union. Albania has now formally applied for EU membership, and is actively working with the European Union administration on the requirements for its admission into the EU.


Andorra is a very small country located in the Pyrenees Mountains, between France and Spain. Its capital, Andorra la Vella, has the highest elevation of all other capital cities in Europe. The Principality of Andorra is headed by two co-princes, the President of France and the Bishop of Seu D’Urgell in Spain.

The country has long been sensitive to the need to protect personal information. It adopted its first data protection law in 1976. Its current Data Protection Act was passed in 2004.

Unlike Albania, Andorra has not expressed interest in membership in the European Union. However, like Monaco—which was added to this book in a recent update—the Principality of Andorra is aware that it is in its best interest to ensure that its data protection legal regime is consistent with the requirements in place in the European Union. The country has a unique geographical situation within Europe, and unique commercial and other ties and relationships with Spain and France. In addition, tourism and its reputation as a tax haven are its most important sources of revenue.

In December 2009, the Article 29 Working Party issued a favorable opinion on the adequacy of the protection of personal data that is offered under the Andorran Data Protection Act. While a final determination must be made by the European Commission, this first step is very encouraging.

European Union

Ireland, Norway, and United Kingdom

The Ireland, Norway, and United Kingdom chapters were updated with recent developments. An important decision affecting the definition of “personal data” was issued in Ireland. Numerous changes were made to the data protection regime in the United Kingdom. Recent developments in Norway are also provided.



In July 2010, Mexico’s new Data Protection Act was signed by the President of Mexico. The Mexico chapter (Chapter 45) is drastically changed and enhanced with a comprehensive description of the provisions of the new Mexico Data Protection Act. The Mexico Data Protection Act intends to follow the APEC Privacy Framework. Many—but not all—of its provisions are also consistent with the 1995 EU Data Protection Directive. For example, the provisions that address the transfer of personal data out of the country do not meet the high standards set in the EU Data Protection Directive.



The updated India chapter addresses the recent changes to India’s Information Technology Act. Significant changes to this law were made after the November 2008 terrorist attacks in Mumbai. These changes affect the data protection regime in the country.


The updated Malaysia chapter describes the provisions of the upcoming new Malaysia Data Protection Act, which should become effective shortly. A more comprehensive analysis of the Malaysia Data Protection Act will be provided in the next supplement.


Finally, this update incorporates the new EU Standard Contractual Clauses for Processor to Controller Contracts. These new Standard Contractual Clauses were discussed in Supplement #2 (Chapter 9—Transferring Personal Data out of the European Union and European Economic Area). They have now become effective, and must be used for all new contracts—and all updated contracts—between EU-based data controllers and their foreign-based data processors in order to benefit from the “adequacy” treatment under the EU cross-border regime.