Sent to subscribers in September 2015

This Supplement is dedicated to the memories of Antonio Millé and Santiago Jaramillo-Caro, both of whom were contributors to Global Privacy and Security Law. Both Antonio and Santiago were highly accomplished and distinguished attorneys, and were involved with Global Privacy and Security Law from the early days of its creation.

We would like to offer our heart felt condolences to their family, friends, and colleagues. They will be missed.

An overview of the updates in Supplement 18 is provided below.


  • Chapter 11—Argentina: The Argentine update examines new legislative measures that will have an impact on the processing of personal data. For example, Section 53 of the Civil and Commercial Code, which came into force in August, provides that a data subject’s permission must be obtained in order to take his/her picture or record his/her voice.
  • Chapter 17—Canada: The main updates to the Canada chapter are in relation to Parliament’s passing of Digital Privacy Act (Senate Bill S-4) in June 2015. The Digital Privacy Act provides for more incremental changes to Canadian privacy law, including a minimal mandatory breach notification provision (to come into force once implementing regulations are adopted), more latitude to use personal information in a business context, and additional use and disclosure exemptions.
  • Chapter 24—Dominican Republic: A new criminal code, due to enter into force in December 2015, has been enacted in the Dominican Republic. The Code contains a number of provisions that deal specifically with breach of privacy, violation of mail correspondence, and provisions related to the field of genetics and the issue of the consent. The update to this chapter, discusses these provisions, amongst others, in greater deal.

Asia Pacific

  • Chapter 10—The Asia-Pacific Region: The number of countries certified under the APEC Cross-Border Privacy Rules System (CBPR) continues to grow; 11 companies have now been certified as having met the certification requirements. In April 2015, Canada became the fourth country to join the CBPR System.
  • Chapter 38—Japan: Japan has decided to implement the My Number System. The System will result in individuals being assigned a 12-digit identification number, which will be used for social security and tax administration purposes. It is anticipated that individuals will be notified of their identification numbers in October and that the system will go live in January 2016.
  • Chapter 57—South Korea: An amendment to the Credit Information Act was ratified in March 2015; it will take effect in September 2015. The chapter update contains a summary of the major changes to the Credit Information Act, which include an obligation for larger credit information users to appoint a credit information user and the requirement for financial institutions to notify aggrieved parties of data breaches.
  • Chapter 61—Taiwan: Government authorities continue to designate, under Article 27 of the Personal Information Act, specific sectors requiring them to establish security measures for the protection and disposal of personal data. The most recent sectors to be designated are the civil air transport industry, electric and public gas enterprise, short-term “cram” schools, and private junior colleges and private academic and research institutions.


  • Chapter 10A—Albania: The updated chapter on Albania includes new sections on health information, financial information, and on breach notification requirements. Other sections of the chapter have been supplemented with an analysis of the relevant Instructions of the Commissioner for the Right to Information and the Protection of Personal Data.
  • Chapter 10B—Andorra: The Andorra chapter has been updated with an overview of the main provisions and requirements of Decree 09-06-2010 approving the Regulations of the Andorran Data Protection Agency. These Regulations further supplement the detail of the Andorra Data Protection Act.
  • Chapter 27—Finland: The update to the Finnish chapter examines the Finish Data Protection Ombudsman’s first decision concerning a “right to be forgotten” request.
  • Chapter 28—France: The updated France chapter provides an overview of the conformity pack, issued by the CNIL in order to simplify data processing formalities and notification requirements for the insurance sector. It also includes information on the CNIL’s announcement that it is simplifying the data transfer notification process for companies that have adopted approved binding corporate rules. Under the simplified regime, such companies will only require a single authorization for data transfers outside the European Union.
  • Chapter 33—Iceland: Sections of the Icelandic chapter have been supplemented with an analysis of the amendments to Rule No 698/2004 on the Obligation to Notify any processing that requires an authorization.
  • Chapter 35—Ireland: The update to the Irish chapter considers the judgment of the ECHR in Copland v. United Kingdom. The judgment found that the collection and storage of personal information of an employee relating to her telephone, e-mail, and Internet usage, without her knowledge, amounted to an interference with her right to respect for her private life within the meaning of Article 8 of the European Convention for the Protection of Human Rights.
  • Chapter 35A—Isle of Man: A new section on employee information has been included as part of the updates to the Isle of Man chapter. Numerous other sections, such as the section on security breach disclosure, have been expanded to incorporate analysis of the specific guidance notes published by the Data Protection Supervisor.
  • Chapter 42—Luxembourg: The updated chapter examines a case, and the subsequent appeal, regarding the ability of an employer to consult and access an employee’s e-mail, which was recently considered by the Luxembourg courts.
  • Chapter 46—Netherlands: The most significant updates to the Netherlands chapter examine the main provisions of the new law that introduced a mandatory data breach notification obligation for data controllers and provided for enhanced powers for the Dutch Data Protection Authority. These provisions are due to come into force on January 1, 2016.
  • Chapter 49—Poland: The Polish chapter has been updated to include a new section on security breach notification and additional material on the implementation of Article 5(3) of the 2009 Directive. The chapter has also been updated to reflect that there is no longer a requirement to register non-sensitive databases once an Information Security Administrator has been appointed by a data controller.
  • Chapter 50—Portugal: The chapter on Portugal has been supplemented with additional information regarding notification requirements and procedures, and the processing of employee information.
  • Chapter 58—Spain: The chapter on Spain has been rewritten in its entirety by our new Spanish contributor, Marc Gallardo. We welcome Marc to the team!
  • Chapter 59—Sweden: The main update to the Swedish chapter pertains to recent judgments by the Supreme Court on what constitutes “structured form” with respect to the application of the Personal Data Act.
  • Chapter 64—United Kingdom: The United Kingdom chapter has been supplemented with information on the recent enforcement actions of the Information Commissioner.