Sent to subscribers in Jan 2014

We are pleased to announce that Supplement #13 to the two-volume treatise Global Privacy and Security Law is now available.

Supplement 13 contains updates to twenty-two of the existing chapters. In addition a new chapter, Chapter 20B, on Croatia has been added. This new chapter examines the data protection laws of Croatia, the newest member of the European Union, and it becomes the 66th country featured in our analysis of data protection regimes throughout the world.

The number of laws on data protection throughout the world continue to grow and develop. Slovakia enacted a new data protection law in July 2013. The updates to the Slovakia chapter examine Act No. 122/2013 coll. on Protection of Personal Data. Meanwhile Australia has made some significant amendments to its Data Protection Act, which will become effective from March 2014.

The other significant updates in Supplement #13 are detailed below.



Chapter 56 – South Africa: Parliament has adopted a bill protecting personal information: The Protection of Personal Information Bill (POPI). POPI attempts to follow the principles of the OECD Privacy Guidelines and of the 1995 EU Data Protection Directive. Once signed by the President (which is expected shortly), POPI will become law and will commence on a date to be determined by the Minister. Organizations will have a one-year grace period to ensure that all processes of personal information comply with POPI. If POPI Bill is signed by the end of 2013, companies would have approximately until mid-2015 to ensure that all processing complies.


Chapter 15 – Brazil: Currently, Brazil does not have a national data protection law. A proposed bill, the Marco Civil da Internet, has been presented. The bill would require companies that collect Brazilian users’ data to store these data in Data Centers located within the Brazilian territory. However, it is uncertain whether the Congress will accept this amendment or not. Additionally, Bill of Law 5344/2013, an attempt to regulate cloud computing in Brazil proposed by Congressman Ruy Carneiro, is under analysis by Congress. The Bill would establish general conditions for cloud computing in Brazil in order to establish a safer environment for the development of such services.

Chapter 17 – Canada: The province of Manitoba adopted a new data protection law: The Personal Information Protection and Identity Theft Prevention Act, S.M. 2013, c. 17, (the MB Act) was assented to on September 13, 2013. The MB Act addresses the collection, use, and disclosure of personal information by corporations, unincorporated associations, unions, partnerships, and individuals acting in a commercial capacity. In addition, the federal government has imposed a suite of policies, guidelines, and directives through the Treasury Board of Canada, in addition to the Privacy Act. These policies, guidelines, and directives have an impact on not only traditional government departments, but also Crown corporations and third-party service providers.

Chapter 24 – Dominican Republic: As of October 10, 2013, a proposed data protection bill has been presented to the Dominican Congress. The proposed bill would regulate the processing of personal data and protect personal data located in files, records, bank data, or other technical means. The bill would cover all types of data recorded on any medium, whether of private or of public ownership, in the Dominican Republic.

Chapter 45 – Mexico: The Mexico chapter has been expanded to discuss extensively the provision of the country’s Personal Data Act, and its related regulation, guidelines, and other amendments. Among other provisions, for example, the Regulations address the use of Cloud Computing Services.

Chapter 65 – United States of America:  The US chapter includes a detailed discussion of the laws that regulate the privacy of the telephone consumer, and the new laws adopted in California, which among other things, introduce a “right to be forgotten” for minors, extend the scope of the security breach disclosure law, protect the privacy rights of children of celebrities.

Chapter 66 – Uruguay: Uruguay has become the latest country to be deemed to provide “adequate protection” to privacy rights and personal data. This recognition will allow Uruguay to increase its commerce with European Union based companies, and other global companies that have to comply with the limitation of crossborder data transfers to countries that offer an adequate level of protection of privacy rights and personal data.



Chapter 31 – Hong Kong:  The update to the Hong Kong chapter describes recent amendments to the data protection laws, especially the adoption of an opt-in requirement before companies can send commercial messages.

Chapter 34 – India: The update describes a recent initiative of the Ministry of Communication and Information Technology, through its Department of Electronics and Information Technology, concerning India’s first national cyber security policy.

Chapter 53 – Singapore: The chapter has been overhauled to describe the new Personal data Protection Act 2012. Certain provisions of the Act have taken effect as of January 2, 2013. The provisions related to the Do Not Call Registry come into force on January 2, 2014 and the main data protection rules will come into force on July 2, 2014.

Chapter 57 – South Korea: The South Korea chapter is significantly revised with an in depth description of the two major laws that regulate the protection of personal data. The chapter also provides a description of the rules that regulated the protection of personal data in the financial and credit area.

Chapter 61 – Taiwan: The Taiwan chapter is also significantly updated with a description of the new Personal Data Protection Act (PDPA), which significantly modifies the pre-existing Computer Processes Personal Data Protection Act (CPDPA).



Chapter 12 – Australia: The Australia chapter describes the significant amendments to the Australian Data Protection Act, which become effective as of March 2014.



Chapter 20B – Croatia: Croatia is the newest member of the European Union. With the entry of Croatia in the European Union in July 2013, we are happy to add a new country to our list of countries featured in the Global Privacy and Security Law treatise. This new chapter describes extensively the data protection laws that are in effect in Croatia.

Chapter 27 – Finland: The section on the powers of the Data Protection Ombudsman has been expanded to include inspections on various fields of businesses, various data protection related issues, and codes of conduct.

Chapter 28 – France: The chapter discusses a number of recent initiatives by the French Data Protection Authority, the CNIL, in connection with the recent revelation of US government surveillance that might be reaching into activities outside the US territory.

Chapter 32 – Hungary: The Hungarian Ministry of Justice has adopted a new legislation, the Bill on Public Interest Disclosure, which will replace the whistleblowing provisions of the Act No. CLXIII on the Protection of Fair Process and will take effect on 1 January 2014. In addition, updates have been made to the sections on Criminal Provisions and Misuse of Personal Data.

Chapter 35 – Ireland: The update to the Ireland chapter discusses Data Protection Commissioner’s option under section 10(1)(b)(i) to refuse the investigation of a complaint was considered by the High Court in the recent case of Nowak v Data Protection Commissioner. The High Court confirmed the decision of the Circuit Court, holding that where the Data Protection Commissioner had merely determined that a complaint did not warrant investigation, the complainant did not have the right to appeal this in the Circuit Court.

Chapter 37 – Italy: The Italian Data Protection code has been amended with Law Decree 69, which requires user’s consent in order to store or retrieve information stored in the user’s equipment. In addition, a completely updated section on Security Breach Disclosure Law and a new case to the section Sample Cases and Penalties have been added.

Chapter 47 – Norway: The update to the Norway chapter discusses amendments to the Norwegian Copyright Act. After the amendment to the Copyright Act, it is no longer necessary to grant a license to monitor file sharing. According to the amendments, it is sufficient to notify the Norwegian Data Inspectorate about the monitoring.

Chapter 50 – Portugal: The update to the Portugal chapter describes the new Security Breach Disclosure provisions that were adopted in order to implement the 2009 Amendments to Directive 2002/58/EC. As for the directive, the provisions only apply to security breaches suffered by Internet service providers and telecommunications providers.

Chapter 54 – Slovakia: In Slovakia, a new data protection law (Zákon č. 122/2013 Z. z. o ochrane osobných údajov a o zmene a doplnení niektorých zákonov) was enacted in 2013 and entered into force as of 1 July 2013, as Act No. 122/2013 Coll. on Protection of Personal Data (Data Protection Act). The update describes the changes brought by the new law.


Middle East

Chapter 5 – Israel: Israel has adopted a new law regarding Biometric Data Bases. A first trial period for the Biometric Database Law began in July 2013 despite perceived security deficiencies, delays and objections.