Sent to subscribers in May 2011.
Supplement #5 includes updates to both the foundation chapters and the country reports. The foundation chapters are updated to reflect recent changes in several areas, including the proposed overhaul of the EU privacy framework. The reports for 19 countries are updated as a result of changes or proposed changes in the national laws of these countries.
Chapter 3 – Genesis. Chapter 3, which contains a historical overview of the development of the protection of personal data, is updated with recent developments concerning security breach notice laws, the new version of the PCI DSS Guidelines, and the proposed overhaul of the European Union privacy framework. We have also revised our table of laws and bills.
Chapter 4 – The Byzantine Process of European Union Data Protection Law Making. The changes to Chapter 4 reflect the recent amendments to the 2002 Directive, and the proposed overhaul of the EU privacy framework.
— European Union Directives —
Chapter 5 – Introduction to the European Union Data Directives. Chapter 5 is substantially augmented with a historical and political perspective on the development of the three current European Union Data Directives. We also provide a detailed description and analysis of the blueprints presented by the European Commission for its plan to update the European Union data protection framework.
Chapter 9 – Transferring Personal Data out of the European Union and the EEA. The changes to Chapter 9 reflect the recent recognitions of Andorra and Israel as countries that offer adequate protection for personal data and privacy rights.
Updates to the Country Chapters
— Africa / Middle East —
Chapter 36 – Israel. The update reflects that in February 2011, the European Commission determined that Israeli laws establish an adequate regime for the protection of personal data held in automated databases in Israel. The adequacy determination applies to data held in manual databases only to the extent that these data are processed through automatic means while under Israeli jurisdiction.
Chapter 62 – Tunisia. The Tunisia data protection authority was recently created, and there are discussions about developing a law that would ensure the protection of personal data online. The update also provides information on the international treaties and agreements to which Tunisia is a party.
Chapter 63 – Turkey. There has not been any progress on the discussion, revision, or adoption of Turkey’s draft bill on data protection. In the meantime, a proposed bill on eCommerce has been drafted. The bill addresses, among other things, rules to govern unsolicited commercial communications.
— Americas —
Chapter 15 – Brazil. A new data protection bill has been introduced, which may signal the first step towards the adoption of a national data protection law in Brazil. We also provide a report on a case on employee monitoring.
Chapter 18 – Chile. Chile has become a member of the Organization for Economic Cooperation and Development (OECD). To this end, it has amended its Tax Code to modify the provisions that govern the secrecy of banking information. The amendment requires banks to provide account information to the tax authorities, and it establishes a procedure for the notification of the taxpayer when the tax authorities request a bank to provide access to the taxpayer’s account information. The chapter has also been supplemented with a discussion of the international treaties and agreements to which Chile is a party, and the constitutional provisions that address privacy rights.
Chapter 20 – Colombia. In Colombia, the Congress has adopted a new bill that regulates data protection in general terms. The purpose of the bill is to regulate all aspects of data protection not covered by the current law. The bill needs to be approved by the Constitutional Court, and it is likely to be substantially revised. The section on the protection of children’s information is expanded with a description of a law that is intended to protect children against predators. In addition, the chapter has been supplemented with a discussion of the international treaties and agreements to which Colombia is a party, and the constitutional provisions that address privacy rights.
Chapter 44 – Mexico. The section on telecommunications is augmented, and provides additional details on certain provisions of the law. A description of the provisions that are used in connection with the protection of victims of kidnapping was also added.
Chapter 65 – United States. The United States chapter discusses the recent staff report and paper issued by the Federal Trade Commission and the US Department of Commerce, which outline their vision on how the US privacy landscape should be changed. In addition, the chapter has been augmented with new sections related to identity theft protection such as the red flags rules, the expansion of information security laws, and an update on security breach disclosure laws. There are also new sections on the regulations issued by the Department of Health and Human Services and the Federal Trade Commission to implement the HITECH Act.
Chapter 66 – Uruguay. Uruguay is seeking a determination by the European Union that the country offers adequate protection to personal data and privacy rights. The country adopted modifications to its data protection law in December 2010. In addition, several decrees were adopted recently, and the country’s data protection supervisory authority is now operational. As a result of these efforts, the Article 29 Working Party published an opinion in October 2010, stating that it believes that the data protection law of Uruguay provides an adequate level of protection of personal data and privacy rights. A final determination by the European Commission should follow soon.
— Asia —
Chapter 38 – Japan. The update describes the work accomplished by the Consumer Affairs Agency, and the resulting changes to the legal and regulatory landscape. Recently published guidelines are described, and a detailed description of the security measures expected from companies that hold personal data is provided. The descriptions of the applicable laws and regulations have been supplemented, and include more details, references, and examples. In addition, the chapter has been supplemented with a discussion of the international treaties and agreements to which Japan is a party, and the constitutional provisions that address privacy rights.
Chapter 43 – Malaysia. The update reflects the adoption of the Personal Information Protection Act of 2010, which has received royal assent.
— Europe —
Chapter 10B – Andorra. The chapter update reflects that in October 2010, the European Commission determined that the Andorran Data Protection Act establishes an adequate regime for the protection of personal data and privacy rights.
Chapter 14 – Austria. The Austrian Data Protection law has been amended, creating a new requirement to disclose a breach of security. The amendment also creates new obligations for data controllers. New sections on the international agreements signed by Austria, and the provisions of the Austrian constitution that address the protection of personal information are provided. We also provide additional information about the existing requirements.
Chapter 35 – Ireland. The Irish Data Protection Acts and Regulations have been amended. Fines for violations of the law have been increased. The Data Protection Commissioner has published a Code on Security Breach, which requires organizations that have suffered a breach of security to contact the Data Protection Commissioner, in a limited number of circumstances. The Code is expected to become binding soon. In addition, Ireland has adopted a new law on data retention, which implements the requirements of the 2006 Data Retention Directive. The revised chapter also describes the treaties and constitutional provisions that address the protection of privacy rights in Ireland.
Chapter 47 – Norway. The changes to the Norway chapter focus primarily on the interaction between data protection laws and other laws or legal concepts, such as the concept of freedom of speech, or the law on the protection of copyright. Recent cases are discussed, including a case related to an investigation of file sharing practices. This case is an example of the conflict between providing information about individuals accused of file sharing in furtherance of a copyright infringement case, and keeping the information confidential as required by the privacy laws. In addition, the revised chapter describes the treaties and constitutional provisions that address the protection of privacy rights in Norway.
Chapter 50 – Portugal. The chapter is supplemented with information on the specific rules that apply to cross-border transfers of personal data out of Portugal. While the Safe Harbor is recognized, binding corporate rules are not. The update also includes details on enforcement and penalties, which may include prison terms. Changes in the notification procedures are described; electronic filings are now accepted. There are also new developments affecting privacy in the workplace. Several opinions have been issued concerning the processing of employee personal information and the use of whistleblowing schemes. Portugal has also made progress in the implementation of the data directives. The update describes the rules that apply to the use of personal information in connection with direct marketing as well as the new regulations that implement the 2006 Data Retention Directive. In addition, the revised chapter describes the treaties and constitutional provisions that address the protection of privacy rights in Portugal.
Chapter 58 – Spain. The Spanish data protection law has been updated to provide new fines and penalties in case of violations of the law.
Chapter 60 – Switzerland. The update to the Swiss chapter discusses the lessons learned from a recent case, namely whether IP addresses are “personal data” and whether data collected by a service provider for the purpose of providing services to its customers could also be used for a purpose different from those that are disclosed to the data subject. There is also a discussion of the concept of “implicit consent.” Finally, the revised chapter describes the treaties and constitutional provisions that address the protection of privacy rights in Switzerland.
Chapter 64 – United Kingdom. The updated chapter discusses the international treaties and agreements to which the United Kingdom is a party and explains the unique legal structure of the country, which results from the fact that there is no written constitution. The section on sensitive data is expanded, and several examples of recent enforcement actions are provided. The update also discusses recent guidance on the protection of children’s information.