Sent to subscribers in January 2012

With Supplement #7 to the two-volume treatise Global Privacy and Security Law, a new milestone will be reached. Three new country chapters will be added: Costa Rica, Paraguay, and Peru. With this addition, the Global Privacy and Security Law treatise will cover the data protection laws of 65 countries on all continents. In addition to the three new chapters, we are providing updates to 25 of the existing chapters.

Three New Country Chapters

Chapter 20A – Costa Rica. Costa Rica adopted its data protection law in September 2011. The law applies to personal data contained in automated or manual databases of public or private entities. However, there are numerous exceptions, which are much broader than those that are usually found in Central and South American data protection laws. For example, the provisions related to the transfer of personal information to a third party do not distinguish cases where the personal information is transferred out of the country, and thus do not provide guidance on crossborder transfers of personal information to countries that do not offer an adequate level of protection.

Chapter 47A – Paraguay. The Data Protection Law of Paraguay, which was first enacted in 2001, and amended in 2002, focuses mostly on the protection of financial and credit information. The law covers a much narrower range of data protection issues than comparable laws in the region. For example, it does not address the basic issues of limitation on the collection or retention of personal data, and does not require that individuals be informed of the data handling practices of those who collect their personal information. There is no obligation to use security measures to protect personal information, and no restrictions to the crossborder transfers of personal information.

Chapter 47B – Peru. Peru adopted a national data protection law in July 2011. This law, which supplements existing sectoral laws, is inspired by the data protection principles in effect in the European Union, and brings Peru on par with the growing number of South and Central American countries that have enacted modern data protection laws in recent years. The law defines eight principles, which serve as general guidelines. There are, in addition, more detailed provisions. Individuals receive extensive rights, including the right of access, correction, and deletion, as well as the right to obtain recourse, and the right to be indemnified. The law restricts crossborder transfers of personal data to countries that do not maintain an adequate level of protection.

Updates to the Country Chapters

In addition, Supplement #7 will contain updates to 25 of the country chapters. Many of the changes occurred in Europe as a result of the implementation of Directive 2009/136/EC, which introduced a stringent opt-in requirement before companies can send cookies to users’ equipment or devices, and a security breach disclosure requirement for Internet and telecommunications service providers. In addition, some of the EU/EEA Member States are also implementing the 2006 Data Retention Directive, which requires that traffic data be kept for a minimum period.

— Africa Middle East —

Chapter 24 – Dubai. The Dubai chapter has almost doubled. We provide new information on the Dubai Free Zones, which were created by the Dubai Emirate to attract foreign businesses. The Dubai International Financial Center (DIFC) is one of the most well known free zones. Background information is provided to explain the unique legal structure of this entity, which has its own laws and own courts. The regulation applicable in the Dubai Healthcare Center (DHCC) has also been added. The DHCC is another free zone within the Dubai Emirate. It benefits, however, from less autonomy than the DIFC, and the scope of its laws is less extensive than that of the DIFC. The DHCC, nevertheless, has adopted a comprehensive set of rules to address the protection of patient information. This regulation has its roots and inspiration in the OECD Privacy Guidelines, the EU Data Protection Directives, the APEC Privacy Framework, as well as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, which regulate the protection of personal health information of patients in the United States.

Chapter 56 – South Africa. The chapter on South Africa has been augmented with a description of the anti-spam laws of South Africa. Both the Electronic Communications and Transactions Act and the Consumer Protection Act contain provisions regulating the use of unsolicited messages sent to South African residents, and provide for an opt-out regime. The Consumer Protection Act provides for a Do-Not-Call database, but this database is not yet operational. On the other hand, the proposed draft of the Protection of Personal Information (POPI) bill, which is intended to become the country’s national data protection law, provides for an opt-in regime.

— Americas —

Chapter 17 – Canada. The Canadian Anti-Spam regulations have been published for comment, but it is expected that the Canadian Anti-Spam Legislation (CASL) will not become effective until at least mid-2012. A transition period extends the effective date of certain restrictive provisions until three years after the implementation of CASL.

— Asia —

Chapter 19 – China. The updates to the China chapter discuss the new regulations for financial institutions in the banking industry. Among other things, the “Notice Strengthening the World Relating to the Protection of Personal Financial Information by Financial Institutions in the Banking Industry” requires that financial information be collected legally, that the use of this information be consistent with the purposes for which it was collected, and that the information be stored in China.

Chapter 34 – India. The India chapter discusses clarifications to the Privacy Rules, which were promulgated in April 2011. The April document raised significant concerns regarding the interpretation of the Privacy Rules, and the specific entities to which the rules apply. The notice published by the Indian government during the summer of 2011 clarifies that the Privacy Rules are not intended to create restrictions or obligations for the processing of data collected outside India, and that the mandates for privacy and security measures or disclosures only apply to companies doing business in India.

Chapter 53 – Singapore. Singapore does not currently have a national data protection law, although it has laws addressing the protection of personal information in some sectors, such as with respect to financial information or unsolicited commercial communications. The Ministry of Information, Communications and the Arts (MICA) has published a consultation paper regarding a proposed consumer data protection regime, to be discussed by the Singapore Parliament in 2012. The proposed framework would include key objectives and principles, and would provide for the implementation of a do-not-call registry.

— Europe —

Chapter 16 – Bulgaria. Bulgaria has updated its law on Electronic Communications in order to implement the 2006 Data Retention Directive, adopting a one-year retention requirement. However, it has not yet implemented the provisions in the 2009/136/EC Directive. While amendments have been proposed, they have not yet been adopted. Thus, there is no guidance on how cookies can be used.

Chapter 22 – Czech Republic. Proposed amendments to the Act on Electronic Communications are still being discussed by commissions of the Czech Parliament. In addition, the Czech Republic has become a member of the mutual recognition procedure used to expedite the approval of binding corporate rules (BCR) when a company has operations in several Member States of the European Union. As a result, it becomes easier to have BCR approved in the Czech Republic.

Chapter 23 – Denmark. Denmark is expected to implement the cookie provisions of Directive 2009/136/EC through an executive order, but has not yet done so. It has postponed implementation of the 2009 Directive until it is clear that the provisions will be implemented by the other EU Member States. The Denmark chapter is augmented with information regarding the provisions of the Danish Constitution addressing the protection of personal information.

Chapter 27 – Finland. Finland has amended its Act on the Protection of Privacy in Electronic Communications in order to implement Article 5(3) of the 2009 Directive. The revised section provides that service providers may use cookies if the user has given his consent and the service provider has provided the user with comprehensible and complete information on the purposes of the cookie.

Chapter 28 – France. France has implemented the 2006 Data Retention Directive, requiring that the traffic data be retained for one year. It has also implemented several aspects of the 2009/136/EC Directive, including the provisions regarding the requirement to notify the data protection authority, and in some cases, the users, when a breach of security has occurred. The security breach requirement concerns only Internet and telecommunications service providers. Further, French law now requires the prior consent of the user before a cookie can be installed on the user’s devices. The update to the France chapter also discusses the changes to French law regarding the use of biometric devices, which simplify and clarify the prior notification regime, and the new guide for use by healthcare professionals, regarding the protection of health data, published by CNIL, the French data protection authority.

Chapter 30 – Greece. While Greece has not yet implemented the 2009/136/EC Directive, it has adopted several laws that address privacy rights. There are new requirements for the use of video cameras in the workplace, which require that the principle of proportionality be applied strictly, for example to prohibit the use of cameras outside public lavatories and in locker-room areas. New regulations are being drafted to ensure the privacy and secrecy of postal mail, as well as that of networks and information systems. There are also new developments regarding online consents, and new restrictions regarding the collection of personal information in connection with the census.

Chapter 32 – Hungary. The chapter on Hungary is significantly and substantially revised as a result of the adoption of the new Constitution of Hungary, and a new Data Protection Law. Both of them become effective as of January 2012. Among other things, the new data protection law contains expanded provisions with respect to the security requirements for the protection of personal data. The existing data protection authority is replaced by a new agency named “Data Protection and Freedom of Information Agency.” The update also discusses certain restrictions to the use of personal information in connection with commercial communications and the implementation of the 2009/136/EC Directive with respect to the use of cookies, and with respect to the disclosure of a breach of security by internet service providers and telecommunications providers.

Chapter 37 – Italy. In Italy, recent modifications to the Data Protection Code simplify the disclosure that needs to be made to the data protection authority with respect to the security measures used by an entity. The chapter also discusses a recent judgment of the court of appeals of Milan, where two managers of a company have been sentenced to serve nine months in jail for spamming and illegal processing of personal data. There are also changes in the Do Not Call regime. On the other hand, there is no news regarding the implementation of the cookie provisions of Directive 2009/136/EC. There are currently no plans to implement the Directive.

Chapter 46 – Netherlands. The Dutch Parliament passed a bill that implemented Section 5(3) of the 2009/136/EC Directive into its Telecommunications Act. This bill would mandate an opt-in consent. The bill is currently awaiting the approval of the Senate. The Senate has raised several concerns about the draft legislation; thus, it is difficult to predict whether, when and in what form the 2009 Directive provisions regarding the use of cookies will be implemented into Dutch law.

Chapter 47 – Norway. Norway has implemented provisions of the 2006 Data Retention Directive and requires that traffic data be kept for 12 months. As of October 2011, Norway has not yet implemented Directive 2009/136/EC into Norwegian law.

Chapter 51 – Romania. Romania is delinquent in several aspects. It has not yet implemented the 2009/136/EC Directive. There is no information regarding the implementation of the restrictions to the use of cookies. Further, Romania has not yet implemented the 2006 Data Retention Directive, and, as a result, it has received an ultimatum from the European Commission. The Romanian Parliament actually voted on a law that would have implemented the Data Retention Directive; however, this law was declared unconstitutional by the Constitutional Court, and there has been little progress since then.

Chapter 54 – Slovakia. Slovakia has adopted a new Act on Electronic Communications, which is effective as of November 1, 2011. The new act implements the provisions of Directive 2009/136/EC with respect to the restrictions to the use of cookies.

Chapter 58 – Spain. The Spanish Congress has proposed an amendment to the Spanish e-Commerce Act that will implement the requirements of the 2009/136/EC Directive with respect to the restrictions on the use of cookies. The proposed bill would require the consent of the user but does not provide information or practicable suggestions for the implementation.

Chapter 59 – Sweden. Sweden has amended its Telecommunications Act to implement the changes required by Directive 2009/136/EC, in order to modify the regime applicable to the use of cookies. In its guidelines, the Swedish Interactive Advertising Bureau has stated that browser settings are a valid form of consent only where the site has provided proper information about cookies. On the other hand, Sweden has not yet implemented the 2006 Data Retention Directive, and as a result, the European Commission filed a complaint against Sweden with the European Court of Justice, seeking payment of a fine and liquidated damages by Sweden. In late 2011, the Swedish Government filed a defense with the European Court of Justice, which stated that the European Commission's request to impose hefty fines on Sweden for its failure to implement the EU Data Retention Directive was disproportionate and that the action of the European Commission should be dismissed.