Sent to subscribers in May 2015

We are pleased to announce that Supplement 17 of Global Privacy and Security Law is now available. We would also like to welcome Rahul Matthan as our new contributor for the chapter on India privacy and security laws. The India chapter has been rewritten in its entirety for this Supplement.

In total, Supplement 17 contains updates to 18 chapters. Following on from developments detailed in recent supplements, Russia enacted legislation, in December 2014, to bring forward the effective date of the legal obligation for companies doing business in Russia to process and store the personal data of Russian citizens on servers located within the Russian Federation.

A number of European countries have introduced legislation that impacts on data protection matters. The updated Slovakia chapter provides an overview of its new “Whistleblowing” legislation, while updates to the chapter on Turkey examine the main provisions of the new E-Commerce Code, which addresses the issue of unsolicited commercial communications. A new Cybernetic Security Law came into force in Lithuania in January 2015; the main elements of this piece of legislation are addressed in the updates to the Lithuania chapter.

An overview of the other updates in Supplement 17 is provided below.


  • Chapter 15—Brazil: In January 2015, the Brazilian Ministry of Justice commenced two public consultations that are set to run until April 2015. One of the consultations deals with elements of the Marco Civil da Internet law while the other is in relation to the introduction of a new draft bill on data privacy. The update to the chapter contains an overview of the main elements of this new draft privacy bill.


  • Chapter 56—South Africa: The chapter on South Africa has been updated to reflect the fact that the anticipated 2014 commencement of the Protection of Personal Information Act has not occurred.

Asia Pacific

  • Chapter 10—The Asia-Pacific Region: The number of companies that have been certified under the APEC Cross-Border Privacy Rules System (CBPR) continues to grow. To date, 10 companies have been certified as having met the APEC CBPR requirements.
  • Chapter 12—Australia: The updated Australia chapter provides an overview of the updated “Guide to Securing Personal Information,” published by the Office of the Australian Information Commissioner. It also examines the Australian Government’s decision to disband the Office of the Australian Information Commissioner and how this will impact the privacy landscape there.
  • Chapter 19—China: The update to the China chapter discusses a recent interpretation of the Supreme People’s Court, regarding the application of law in civil disputes over the use of information networks to infringe upon an individual’s personal rights and interests, and how it has strengthened the right to privacy in China.
  • Chapter 31—Hong Kong: Throughout 2014, the Privacy Commissioner published numerous guidelines regarding the processing of personal data. The updated chapter on Hong Kong contains an overview of the guidelines issued for data users on the collection and use of personal data through the Internet, and on the erasure and anonymization of personal data. It also examines the Privacy Commissioner’s guidance, published in December 2014 in anticipation of the enactment of Section 33 of the Personal Data (Privacy) Ordinance, on the transfer of personal data out of Hong Kong.
  • Chapter 34—India: The chapter has undergone a change in contributors. The new chapter provides an overview of recent developments in India. It analyses the legal basis for India’s Privacy Rules, codified in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. It also describes the measures taken by the Department of Information Technology to clarify certain aspects of the Privacy Rules, including the applicability of certain provisions.
  • Chapter 52—Russia: In July 2014, Russia passed amendments to its existing laws to require companies doing business in Russia to process and store the personal data of Russian Federation citizens on servers located within the Russian Federation. The Russia chapter has been updated to reflect the fact that the effective date of this legislation, which was originally meant to be September 2016, has been advanced to September 2015 following the enactment of legislation in December 2014.


  • Chapter 22—Czech Republic: The updated Czech Republic chapter examines a 2014 decision of the EU Court of Justice regarding the applicability of the “household exemption” with respect to the processing of data for personal purposes.
  • Chapter 23—Denmark: The Danish Ministry of Justice has established a new Cyber Crime Center, under the remit of the National Danish Police, to fight against and prevent Internet-based crime.
  • Chapter 27—Finland: The Information Society Code entered into force in Finland in January 2015. The Code replaces the previous Act on the Protection of Privacy in Electronic Communications and combines a number of technology, media, and telecommunications laws under one single code. The update to the Finnish chapter provides an overview of this new Information Society Code.
  • Chapter 29—Germany: The update to the Germany chapter provides an overview of additional sample cases.
  • Chapter 32—Hungary: Updates to the Hungary chapter discuss the recommendation of the Hungarian Data Protection and Freedom of Information Agency on the privacy implications of the use of drones with cameras and the request by the Hungarian Curia for a preliminary ruling of the CJEU on the jurisdictional scope of the application of the Data Protection Act.
  • Chapter 41—Lithuania: In Lithuania, the Cybernetic Security Law came into force in January 2015. The law introduces a system of cybernetic security organization, management and control, and provides additional powers to the Data Protection Inspectorate where cybernetic incidents impact on personal data. The chapter update reviews the main elements of the new law.
  • Chapter 47—Norway: The update to the Norway chapter examines the Patient Journal Act 2015 and how it applies to the processing of health data.
  • Chapter 44—Malta: The Malta chapter provides an update on developments regarding the controversial Data Concerning Persons in Education Institutions Regulation (2014). Redrafted regulations were published in 2015, as subsidiary legislation under the Data Protection Act, and the previously offending provisions regarding the valid identification number requirement have been removed. The chapter updates also include an interesting overview of the fallout from the publication of the Vodafone Group’s Law Enforcement Disclosure Report.
  • Chapter 54—Slovakia: In Slovakia, Act No. 307/2014 Coll. on certain aspects relating to reporting of antisocial activities was introduced in January 2015. The so-called “Whistleblowing Act” affords greater protection to individuals who report on their employers. Employees who file a report directly with state authorities are protected from potential specific legal action by the employer, such as termination of employment. The updated Slovakia chapter examines the new Act.
  • Chapter 63—Turkey: The new E-Commerce Code, which comes into force in May 2015, addresses unsolicited commercial messages and personal data protection, among other things. The updated Turkey chapter highlights the main provisions of the E-Commerce Code and examines other regulations that were enacted throughout 2014, such as the Regulation on Security of Network and Information in the Electronic Communications Sector and the Regulation for Recording and Sharing of Social Welfare Data.