Sent to subscribers in January 2012
With Supplement #7 to the two-volume treatise Global Privacy and Security Law, a new milestone will be reached. Three new country chapters will be added: Costa Rica, Paraguay, and Peru. With this addition, the Global Privacy and Security Law treatise will cover the data protection laws of 65 countries on all continents. In addition to the three new chapters, we are providing updates to 25 of the existing chapters.
Three New Country Chapters
Chapter 20A – Costa Rica. Costa Rica adopted its data protection law in September 2011. The law applies to personal data contained in automated or manual databases of public or private entities. However, there are numerous exceptions, which are much broader than those that are usually found in Central and South American data protection laws. For example, the provisions related to the transfer of personal information to a third party do not distinguish cases where the personal information is transferred out of the country, and thus do not provide guidance on crossborder transfers of personal information to countries that do not offer an adequate level of protection.
Chapter 47A – Paraguay. The Data Protection Law of Paraguay, which was first enacted in 2001 and amended in 2002, focuses mostly on the protection of financial and credit information. The law covers a much narrower range of data protection issues than comparable laws in the region. For example, it does not address the basic issues of limitation on the collection or retention of personal data, and does not require that individuals be informed of the data handling practices of those who collect their personal information. There is no obligation to use security measures to protect personal information, and there are no restrictions on the crossborder transfers of personal information.
Chapter 47B – Peru. Peru adopted a national data protection law in July 2011. This law, which supplements existing sectoral laws, is inspired by the data protection principles in effect in the European Union, and brings Peru on par with the growing number of South and Central American countries that have enacted modern data protection laws in recent years. The law defines eight principles, which serve as general guidelines. There are, in addition, more detailed provisions. Individuals receive extensive rights, including the right of access, correction, and deletion, as well as the right to obtain recourse and the right to be indemnified. The law restricts crossborder transfers of personal data to countries that do not maintain an adequate level of protection.
Updates to the Country Chapters
In addition, Supplement #7 will contain updates to 25 of the country chapters. Many of the changes occurred in Europe as a result of the implementation of Directive 2009/136/EC, which introduced a stringent opt-in requirement before companies can send cookies to users’ equipment or devices, and a security breach disclosure requirement for Internet and telecommunications service providers. In addition, some of the EU/EEA Member States are also implementing the 2006 Data Retention Directive, which requires that traffic data be kept for a minimum period.
— Africa Middle East —
Chapter 24 – Dubai. The Dubai chapter has almost doubled. We provide new information on the Dubai Free Zones, which were created by the Dubai Emirate to attract foreign businesses. The Dubai International Financial Center (DIFC) is one of the most well known free zones. Background information is provided to explain the unique legal structure of this entity, which has its own laws and own courts. The regulation applicable in the Dubai Healthcare Center (DHCC) has also been added. The DHCC is another free zone within the Dubai Emirate. It benefits, however, from less autonomy than the DIFC, and the scope of its laws is less extensive than that of the DIFC. The DHCC, nevertheless, has adopted a comprehensive set of rules to address the protection of patient information. This regulation has its roots and inspiration in the OECD Privacy Guidelines, the EU Data Protection Directives, the APEC Privacy Framework, as well as the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, which regulate the protection of personal health information of patients in the United States.
Chapter 56 – South Africa. The chapter on South Africa has been augmented with a description of the anti-spam laws of South Africa. Both the Electronic Communications and Transactions Act and the Consumer Protection Act contain provisions regulating the use of unsolicited messages sent to South African residents, and provide for an opt-out regime. The Consumer Protection Act provides for a Do-Not-Call database, but this database is not yet operational. On the other hand, the proposed draft of the Protection of Personal Information (POPI) bill, which is intended to become the country’s national data protection law, provides for an opt-in regime.
— Americas —
Chapter 17 – Canada. The Canadian Anti-Spam regulations have been published for comment, but it is expected that the Canadian Anti-Spam Legislation (CASL) will not become effective until at least mid-2012. A transition period extends the effective date of certain restrictive provisions until three years after the implementation of CASL.
— Asia —
Chapter 19 – China. The updates to the China chapter discuss the new regulations for financial institutions in the banking industry. Among other things, the “Notice Strengthening the Work Relating to the Protection of Personal Financial Information by Financial Institutions in the Banking Industry” requires that financial information be collected legally, that the use of this information be consistent with the purposes for which it was collected, and that the information be stored in China.
Chapter 34 – India. The India chapter discusses clarifications to the Privacy Rules, which were promulgated in April 2011. The April document raised significant concerns regarding the interpretation of the Privacy Rules, and the specific entities to which the rules apply. The notice published by the Indian government during the summer of 2011 clarifies that the Privacy Rules are not intended to create restrictions or obligations for the processing of data collected outside India, and that the mandates for privacy and security measures or disclosures only apply to companies doing business in India.
Chapter 53 – Singapore. Singapore does not currently have a national data protection law, although it has laws addressing the protection of personal information in some sectors, such as with respect to financial information or unsolicited commercial communications. The Ministry of Information, Communications and the Arts (MICA) has published a consultation paper regarding a proposed consumer data protection regime, to be discussed by the Singapore Parliament in 2012. The proposed framework would include key objectives and principles, and would provide for the implementation of a do-not-call registry.
— Europe —
Chapter 16 – Bulgaria. Bulgaria has updated its law on Electronic Communications in order to implement the 2006 Data Retention Directive, adopting a one-year retention requirement. However, it has not yet implemented the provisions in the 2009/136/EC Directive. While amendments have been proposed, they have not yet been adopted. Thus, there is no guidance on how cookies can be used.
Chapter 22 – Czech Republic. Proposed amendments to the Act on Electronic Communications are still being discussed by commissions of the Czech parliament. In addition, the Czech Republic has become a member of the mutual recognition procedure used to expedite the approval of binding corporate rules (BCR) when a company has operations in several Member States of the European Union. As a result, it becomes easier to have BCR approved in the Czech Republic.
Chapter 23 – Denmark. Denmark is expected to implement the cookie provisions of Directive 2009/136/EC through an executive order, but has not yet done so. It has postponed implementation of the 2009 Directive until it is clear that the provisions will be implemented by the other EU Member States. The Denmark chapter is augmented with information regarding the provisions of the Danish Constitution addressing the protection of personal information.
Chapter 28 – France. France has implemented the 2006 Data Retention Directive, requiring that the traffic data be retained for one year. It has also implemented several aspects of the 2009/136/EC Directive, including the provisions regarding the requirement to notify the data protection authority, and in some cases, the users, when a breach of security has occurred. The security breach requirement concerns only Internet and telecommunications service providers. Further, French law now requires the prior consent of the user before a cookie can be installed on the user’s devices. The update to the France chapter also discusses the changes to French law regarding the use of biometric devices, which simplify and clarify the prior notification regime, and the new guide for use by healthcare professionals regarding the protection of health data, published by CNIL, the French data protection authority.
Chapter 30 – Greece. While Greece has not yet implemented the 2009/136/EC Directive, it has adopted several laws that address privacy rights. There are new requirements for the use of video cameras in the workplace, which require that the principle of proportionality be applied strictly, for example to prohibit the use of cameras outside public lavatories and in locker-room areas. New regulations are being drafted to ensure the privacy and secrecy of postal mail, as well as that of networks and information systems. There are also new developments regarding online consents, and new restrictions regarding the collection of personal information in connection with the census.
Chapter 37 – Italy. In Italy, recent modifications to the Data Protection Code simplify the disclosure that needs to be made to the data protection authority with respect to the security measures used by an entity. The chapter also discusses a recent judgment of the court of appeals of Milan, where two managers of a company have been sentenced to serve nine months in jail for spamming and illegal processing of personal data. There are also changes in the Do Not Call regime. On the other hand, there is no news regarding the implementation of the cookie provisions of Directive 2009/136/EC. There are currently no plans to implement the Directive.
Chapter 47 – Norway. Norway has implemented provisions of the 2006 Data Retention Directive and requires that traffic data be kept for 12 months. As of October 2011, Norway has not yet implemented Directive 2009/136/EC into Norwegian law.