Sent to subscribers in January 2013.

I am pleased to announce that Supplement #10 to the two-volume treatise Global Privacy and Security Law is now available.

Supplement 10 contains updates to twenty-three chapters. Updates have been made to the Philippines chapter following the introduction of a new data protection act in September 2012. The chapter provides a complete analysis of the new law. The chapter on the Czech Republic has also been significantly updated for this Supplement 10. In keeping with many of the other chapters in Global Privacy and Security Law, it now contains new detail on data protection with respect to health information, children information, and whistleblowing and security breach disclosure laws.

The other significant updates in Supplement 10 are detailed below.

Americas

Chapter 15—Brazil. While Brazil does not have a national data protection law, it is working on a bill that would establish parameters for the use and access to the Internet in Brazil. The proposed bill would define the civil liabilities of Internet service providers, and specify means and principles to preserve free speech and users’ privacy on the Internet.

Chapter 17—Canada. With the arrival of a new contributor to the Canada chapter, the substance and scope of the chapter have been significantly expanded. Among other things, the supplement discusses the proposed regulation on the use of cookies, and provides information on the new Outsourcing Guidelines, which apply to the transfer of data out of Canada. The supplement also discusses the regime for the protection of health information, and the new common law tort of “breach of privacy” that has been introduced through a Court of Appeals case in Ontario.

Chapter 45—Mexico. The Mexico chapter discusses new provisions of the Code of Criminal Procedure, the Criminal Code, and the Federal Telecommunications Act regarding the use of geolocation in connection with criminal investigations.

Asia

Chapter 19—China. The addition to the China chapter discusses the unique rules that apply to the protection of employee data within the framework of internal compliance investigations. The scattered provisions under various Chinese laws that address the protection of personal information in China make internal investigations especially challenging.

Chapter 48—Philippines. In September 2012, the president of the Philippines signed the new Data Protection Law of the Philippines. This law had been in preparation for several years, and prior versions of this chapter discussed the various iterations of the bills that are the precursors of the new law. This new supplement provides a complete analysis of the new law, and references to the final section numbers.

Chapter 53—Singapore. The Singapore Parliament passed the new Data Protection Law on October 14, 2012, as we were finalizing the drafts of this Supplement #10. This supplement provides a brief overview of the new law. An in-depth analysis will be provided in Supplement #11.

Chapter 61—Taiwan. In Taiwan, the new data protection law, the Personal Data Protection Act, which was passed in May 2010 is still not in effect, but is expected to become effective shortly. Similarly, a draft Anti-Spam Act has made little progress, but has passed first review of the legislative Yuan. In addition, the rules for the protection of children information have been strengthened. The penalties for violation of the law have been significantly increased.

Europe

Chapter 21—Cyprus. The update to the Cyprus chapter discusses the amendments to the Electronic Communications and Postal Services Law in order to implement the 2009 amendment to the 2002 e-Privacy Directive regarding the use of cookies and other tracking technologies. Clarifications to existing provisions of the national data protection law are also provided.

Chapter 22—Czech Republic. The Czech Republic chapter is supplemented with new sections on health information, children information, whistleblowing, and security breach disclosure laws. The Czech Republic has not yet implemented the 2009 amendment to the 2002 e-Privacy Directive regarding the use of cookies and other tracking technologies.

Chapter 26—Estonia. With the arrival of a new contributor, the Estonia chapter has been supplemented with descriptions of the status of the protection of employee information, health information, and children information. The rules that apply to commercial communications are also discussed.

Chapter 27—Finland. The supplement to the Finland chapter discusses the new concept of the data “report card” or “balance sheet.” The Finnish data protection Ombudsman has issued a guideline requiring companies to provide an overview of their personal data handling practices in the form of a “report card” or “balance sheet.” The section on commercial communications discusses the proposed draft “Information Security Code.” There are also new sections on the protection of health information and the protection of children’s information.

Chapter 28—France. The supplement to the France chapter discusses the new provisions regarding the new requirements associated with the use of cookies that result from the implementation of the 2009 amendment to the 2002 e-Privacy Directive regarding the use of cookies and other tracking technologies into French law.

Chapter 32—Hungary. The Hungary chapter is supplemented with new sections on the protection of employee information, health information, and children information, and the rules that apply to the disclosure of security breaches. The rules that apply to whistleblowing or reporting of misconduct are also discussed. A new section analyses the circular of the Hungarian Data Protection Authority discussing the use of cloud computing services.

Chapter 35—Ireland. The Ireland Data Protection Authority has also expressed interest in the issues raised by cloud computing, and has issued a Guidance Note on Data Protection in the Cloud. The Guidance is discussed in the supplement to Chapter 35.

Chapter 37—Italy. Recent amendments to the Code, Italy’s data protection act, have eliminated the need for providing prior notice to individuals in some circumstances, such as when processing resumes from applicants to a job opening. The rules requiring companies to draft a security policy are also slightly relaxed. In addition, a recent Court of Appeals decision has affirmed a decision to sentence two managers of a company to nine months prison term for spamming and illegal processing of personal data.

Chapter 41—Lithuania. With the arrival of a new contributor to the Lithuania chapter, the chapter on Lithuania privacy and data protection laws is augmented. New sections discuss the protection of employees in the workplace, the protection of health information, the protection of children’s information, and the rules that apply to the anonymous reporting of internal misconduct or “whistleblowing.” In addition, the new requirement for the disclosure of a breach of security is explained.

Chapter 47—Norway. While Norway has not yet implemented the 2009 amendment to the 2002 e-Privacy Directive regarding the use of cookies and other tracking technologies, the country has declared that the use of Google Analytics was contrary to Norwegian data protection law. The update to the Norway chapter discusses this interesting recent development.

Chapter 49—Poland. The update to the Poland chapter provides clarification of existing sections, updates broken links in footnotes, and discusses the conditions for the cross-border transfer of personal data.

Chapter 54—Slovakia. With the arrival of a new contributor to the Slovakia chapter, the chapter is supplemented, and an in-depth analysis of the provisions relating to enforcement and the powers of the data protection authority is provided.

Chapter 59—Sweden. The Sweden chapter contains a new paragraph regarding the requirement for disclosure of breaches of security. As this is the case in most countries of the European Union, only providers of electronic communications services are currently required to notify customers and the data protection authority of the occurrence of a breach of security. These provisions are found in the Electronic Communications Act.

Chapter 64—United Kingdom. The update to the United Kingdom chapter provides clarification on the rules regarding data subject access to his personal data held by an entity. The update also provides additional information on the implementation of the 2009 amendment to the 2002 ePrivacy Directive regarding the use of cookies and other tracking technologies in the United Kingdom privacy and data protection framework.

Middle East—Africa

Chapter 25—Dubai. The Dubai chapter is moved into a new chapter on the United Arab Emirates to recognize that Dubai is one of the emirates that comprise the UAE.

Chapter 56—South Africa. South Africa is about to have a new data protection law. The final version of POPI, the law on the Protection of Personal Information, was passed in September 2012 by one of the houses of Parliament, and is expected to pass the second house in early 2013.

Chapter 63A—United Arab Emirates. The new United Arab Emirates chapter incorporates the former Dubai chapter and provides additional geopolitical information about the United Arab Emirates. It provides additional information on the unique structures that allow the creation of special zones, especially in Dubai, where specific laws apply within the small territory of a particular zone. The best known of these special zones is the Dubai International Financial District. There are many others.