Sent to subscribers in January 2015.

In September 2014, we celebrated the fifth anniversary of Global Privacy and Security Law. In the past five years the numbers of laws, regulations, standards and guidelines, and cases regarding the protection of personal data around the world have increased dramatically. As a result, Global Privacy and Security Law has almost doubled in size, growing from about 2000 pages to more than 3500 pages.

Supplement 16 contains updates to twenty one chapters. A new chapter on Indonesia has been added. This chapter examines the unique legal data protection regime in Indonesia. The chapter on Russia has been updated to examine the interesting legislative development whereby those companies conducting business in Russia will be, once the legislation is enacted, legally obliged to process and store the data of the citizens of the Russian Federation on servers located within the Russian Federation.

The other significant updates in Supplement 16 are highlighted below.



Chapter 24—Dominican Republic: This chapter has been updated following the enactment, in August 2014, of Law No. 310-14, which addresses the sending of unsolicited commercial communications via e-mail. The chapter contains a new section on Commercial Communications, which examines the main provisions of the Law No. 310-14.

Asia Pacific

Chapter 12—Australia: The chapter on Australia now provides additional detail on the Privacy Regulation 2013, which has been in force since July 2014, and on the guidelines that were issued by the Information Commissioner on data security and the handling of personal information security breaches.

Chapter 31—Hong Kong: This chapter has been updated to provide an overview of the operation of data breach notifications in Hong Kong.

Chapter 34A—Indonesia: A new chapter has been added to analyze the data protection laws in effect in Indonesia. Indonesia has a unique legal data protection regime. While there is no national privacy or data protection law, numerous laws address the protection of personal data. These laws contain many of the concepts found in the most modern laws, such as the obligation to protect the security of data and to disclose a breach of security. However, in some cases, the approach is different, which makes the study of the data protection regime in Indonesia even more interesting and challenging.

Chapter 38—Japan: The Japan chapter has been updated to provide an analysis of the “Guidelines Regarding Protection of Personal Information in the area of Employment Management” and the administrative guidelines that have been issued by the relevant competent authorities in Japan.

Chapter 43—Malaysia: The updates to the Malaysia chapter supplement the existing analysis with a more detailed review of the main provisions of the country’s Personal Data Protection Act.

Chapter 52—Russia: In July 2014, Russia passed amendments to its existing laws to require companies doing business in Russia to process and store the personal data of the Russian Federation citizens on servers located within the Russian Federation.

Chapter 53—Singapore: The Singapore Data Protection Law is now fully in effect. Throughout 2014, the Personal Data Protection Commission issued a number of advisory guidelines for various sectors of the Singapore economy. In addition, a number of regulations were enacted both in 2013 and in 2014, to supplement the provisions of the Personal Data Protection Act 2012. These regulations deal with matters such as data access and correction requests, the transfer of data out of Singapore and the Do Not Call Registry.

Chapter 57—South Korea: In South Korea, the Act on the Promotion of Information and Communications Network Utilization and Data Protection has been amended to enable the Korea Communication Commission to impose higher fines on those companies that fail to comply with the Act.

Chapter 61—Taiwan: In August 2014, a further five specific industries were designated, under Article 27 of the Personal Data Protection Act, by the relevant government authorities to establish security measures for the protection and disposal of personal data.


Chapter 6A—Proposed EU Data Protection Regulation: Little has happened in the European Union regarding the proposed General Data Protection Regulation or the Proposed Directive, since the legislative elections of May 2014. However, in the meantime, the focus of attention, analysis, and comments has turned to recent developments concerning the “right to be forgotten” or “right of erasure.” The right of erasure can be found in the 1995 Data Protection Directive. The proposed General Data Protection Regulation contains a modernized version of the right of erasure, also called “right to be forgotten,” which has been the subject of much lobbying. Until recently, requests for removal or blocking of certain material—especially material available through the Internet—had met significant resistance from publishers and search engines. A May 2014 ruling of the Court of Justice of the European Union reversed the trend by requiring a search engine to deactivate links to press reports relating to certain events that occurred over ten years ago and that had finally resolved legally. The publication of this decision caused a revival of the “right of erasure” or “right to be forgotten.” Tens of thousands of requests were made under the “right to be forgotten” and have flooded the major search engines. The updates also examine the work being done by the Article 29 Working Party on proposed guidelines on the implementation of the right to be forgotten.

Chapter 7—2002 EU Directive on Privacy and Electronic Communications: This chapter has been supplemented by the inclusion of an overview of the Article 29 Working Party’s Guidance on the Cookie Consent Provisions (WP 208). The updates to the chapter examine the Working Party’s Guidance on Obtaining Consent for Cookies and its Opinion on Cookie Consent Exemptions.

Chapter 8—2006 EU Data Retention Directive: The update to this chapter examines the opinion by Advocate General Pedro Cruz Villalón regarding the lack of compatibility of the 2006 Data Retention Directive with the EU Charter of Fundamental Rights.

Chapter 9—Transferring Personal Data: In 2014, the Article 29 Working Party issued proposed contractual clauses for cross-border data transfers between an EU-based data processor and a non-EU subprocessor. In addition, experts from the Article 29 Working Group, in conjunction with their counterparts from the APEC economies, developed a “Referential for Requirements for Binding Corporate Rules Submitted to National Data Protection Authorities in the EU and Cross Border Privacy Rules Submitted to APEC CBPR Accountability Agents,” which allows a comparison between the two legal regimes. The updates to this chapter look at the main provisions of the proposed contractual clauses and examine the genesis of the Referential.

Chapter 21—Cyprus: The responsibilities of the Data Protection Commissioner have been extended to deal with those provisions of the Law Regulating Electronic Communications and Postal Services of 2004 that govern the secrecy of communications, traffic and location data, telephone directories, and unsolicited communications. Consequently, this chapter has also been updated to provide additional information regarding commercial communications and on the operation of the relevant provisions of the Law Regulating Electronic Communications and Postal Services of 2004.

Chapter 28—France: The updates to the France chapter cover a number of issues, such as the right of access to data stored on Intelligence Agency databases, IP tracking, the use of drones, the right to be forgotten, recently issued CNIL Guidelines, and developments in the financial and insurance sectors pertaining to the processing of personal data.

Chapter 35—Ireland: In Ireland, the Protected Disclosure Act 2014 was enacted in July 2014. Interestingly, the provisions of the new Act are retrospective and, therefore, any disclosure made before its enactment will be regarded as a “protected disclosure.” The chapter has also been updated to reflect the coming into force of Section 4(13) of the Data Protection (Amendment) Act 2003, which makes “enforced subject access” an offense.

Chapter 37Italy: In May 2014, Italy published a regulation that will give effect to Section 5(3) of the 2002 e-Privacy Directive (the “Cookie provisions”) once it becomes effective in June 2015. This regulation, “Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies,” follows the guidelines established in the Article 29 Working Party’s WP 208 Guidance on how to obtain consent for cookies. This updated chapter provides a detailed overview of this new regulation.

Chapter 44—Malta: This updated chapter examines the enactment, under the Employment and Training Services Act, of the controversial “Data Concerning Persons in Educational Institutions Regulations 2014.”

Chapter 47—Norway: In Norway, there is no longer a requirement to seek permission from the Norwegian Data Inspectorate for the transfer of personal information outside the EEA area following an amendment to secondary legislation, implemented on July 1, 2014. It is now sufficient to notify the Data Protection Authority by sending it a signed copy of the EU’s standard contractual clauses. This updated chapter also details the impact that the decision of the European Court of Justice with respect to the Data Retention Directive has had on the applicable Norwegian laws.

Chapter 59—Sweden: This chapter has been updated with details regarding the significant legal debate in Sweden pertaining to the launch of a website that enables users to search public records of criminal and civil rulings. The updates also detail how the findings of the European Court of Justice on the Data Retention Directive have affected Sweden.


Four new appendices were added. They provide copies of the two sets of texts of the proposed General Data Protection Regulation, and the proposed Directive regarding the processing of personal data by government authorities for the prosecution of crimes.

  • Appendix P: European Union—Proposal for a General Data Protection Regulation 2012/0011 (COD) (2012)
  • Appendix Q: European Union—Proposal for General Data Protection Regulation (presented by EU Commission) (2012)
  • Appendix R: European Union—Proposed Amendments to Draft General Data Protection Regulation (as voted by EU Parliament) (2014)
  • Appendix S: European Union—Proposed Amendments to Draft Data Protection Directive Regarding the Processing of Personal Data by Competent Authorities for the Prosecution of Crimes (as voted by EU Parliament) (2014)