Sent to subscribers October 2011.
Supplement #6 includes updates to twenty one chapters. There have been changes and new rules in many countries in the Asia Pacific Region, the Americas and in Europe, the corresponding chapters have been updated to reflect these developments. In particular, the chapters of countries in the European Union have been updated to reflect the status of implementation of the 2009 Amendment to the 2002 e-Privacy Directive. Also, the chapters on the 1995, 2002, and 2006 Directives have also been revised, reorganized and supplemented with new information.
— European Union Directives —
Chapter 6 – 1995 EU Data Protection Directive and Chapter 7 – 2002 EU Directive on Privacy and Electronic Communications. These chapters have been slightly revised and reorganized.
Chapter 8 – 2006 Data Retention Directive. Chapter 8 has been supplemented with information regarding the status of the implementation of the 2006 Directive into the laws of most of the EU Member States. We also provide information about the proposed revision of this Directive.
— Asia Pacific —
Chapter 10 – Asia Pacific Region. The changes to the APEC chapter pertain to recent developments regarding the Cross Border Privacy issues, and in particular, the establishment of the Cross Border Privacy Enforcement Arrangement.
Updates to Country Chapters
— Americas —
Chapter 11 – Argentina. In Argentina, several provinces have adopted new rules regarding privacy rights and access to personal information. There have been clarifications with respect to the crossborder transfers of personal information. We also provide a summary of the rules that pertain to credit bureaus.
Chapter 17 – Canada. Canada has adopted a new Anti Spam law and is expecting shortly the publication of regulations. The update provides a detailed summary of the anti spam law. In addition, the chapter is reorganized and supplemented. The size of the chapter has doubled.
— Asia —
Chapter 34 – India. In April 2011, India adopted Privacy Rules, which contain a definition of “sensitive personal information,” and identify the type of security measures that should be used to protect sensitive personal information. The Privacy Rules contain additional requirements that go beyond the mandate given to the Ministry, thus creating uncertainty as to the effect and enforceability of these new Rules.
Chapter 38 – Japan. The Japan chapter is supplemented with new regulations concerning the application of the APPI, the local data protection law.
Chapter 46A – New Zealand. New Zealand has updated its data protection law to bring it closer to the standards set by the 1995 EU Data Protection Directive, in the hope of being able to qualify for an “adequacy” ruling.
Chapter 48 – The Philippines. The Philippines have drafted another privacy bill, which adopts most of the provisions of the prior one. The bill is still pending.
Chapter 52 – Russia. The implementation of the data protection law of Russia continues. We provide an update on the enactment of new laws providing more protection for personal information. In the meantime, the deadline for the adoption of security measures keeps being extended.
Chapter 61 – Taiwan. In Taiwan, the registration system has been relaxed, so that no registration is required for certain categories of data controllers.
— Europe —
Several of the chapters that pertain to European countries have been amended to provide an update on the status of the implementation of the 2009 amendments to the 2002 e-Privacy Directive. In general, the Member States have adopted a “wait and see” attitude. Several of them have published drafts for comments. The United Kingdom has issued a controversial rule requiring opt-in consent in many circumstances, but has delayed enforcement of the rule by one year, to give companies more time to implement the rule.
Chapter 13 – Austria. A new section was added to the chapter regarding a draft of an amendment to the Austrian Telecommunications Act that was circulated in May 2011. The draft was in response to the 2009 Amendment to the 2002 e-Privacy Directive.
Chapter 28 – France. France has passed a law to authorize the French Government to “legislate by ordinance” in order to transpose the 2009 Amendment to the 2002 e-Privacy Directive and a new Ordinance was adopted to address the new cookie and security breach disclosure requirements. It also provided new requirements for the content of unsolicited commercial messages. Legislation has also been introduced to require all organizations with over 50 employees to have a Privacy Official.
Chapter 29 – Germany. Germany is planning changes to the Federal Data Protection Act in connection with the protection of employee information.
Chapter 44 – Malta. Malta issued Legal Notice 239 of 2011, which implements the 2009 Amendment. The sections on Electronic Communications Regulations, cookies and security breaches have been updated with information regarding Legal Notice 239. The updates also include new information about the international treaties to which the country is a party. The changes are primarily with respect to the conditions to the transfer of personal information out of the country.
Chapter 49 – Poland. The Poland chapter has been refreshed. It contains a long list of the international conventions to which the country is a party.
Chapter 50 – Portugal. A new section was included to the Portugal chapter in order to comment on the status of implementation of the 2009 Amendment regarding cookies.
Chapter 58 – Spain. The chapter has been updated with information regarding the status of implementation of the 2009 Amendment to the 2002 e-Privacy Directive. In late May 2011, Royal Decree 728/2011 was published in response to the 2009 Amendment; however, it only addresses telecommunications.
Chapter 60 – Switzerland. In Switzerland, new case law is being developed, in particular at the intersection of copyright infringement and access to evidence. There are also new developments in the telecommunications field.
Chapter 64 – United Kingdom. In May 2011, the United Kingdom adopted a controversial regulation that requires websites to implement a notice and opt-in regime. Enforcement has been postponed until May 2012.