Sent to subscribers in September 2016

After a lengthy drafting process, the EU General Data Protection Regulation, which replaces Directive 95/46/EC, was formally approved by the EU Parliament in April 2016. It was published in the EU Official Journal in May 2016. Following a two-year transition period, the General Data Protection Regulation will apply and enforcement will commence throughout the European Union from late May 2018.

The General Data Protection Regulation is not simply an update of a 20-year-old directive that was drafted at the dawn of the Internet era. The approval of the General Data Protection Regulation is a seminal development in the shaping of data protection law throughout the EU Member States as a cohesive, homogeneous whole, where one single law becomes the primary vehicle governing the activities of very diverse countries. The General Data Protection Regulation attempts in different ways to increase the consistency among the legal regimes of the EU Member States in order to reduce several of the current obstacles that companies face when they carry out business in numerous countries in the European Union.

Although the General Data Protection Regulation is intended to bring uniformity, we should not lose sight of the fact that a number of its provisions give leeway to Member States to enact additional measures beyond those stipulated in the Regulation.

Over the next two years, companies that fall under the jurisdiction of the General Data Protection Regulation are expected to modify their practices to ensure compliance. This is a significant task, not only for the companies impacted, but also for the Member States' respective data protection regulators and governments as they seek to integrate and enforce a uniform law within their own legal frameworks. The next two years are going to be a very interesting time, requiring close collaboration between private companies and public institutions, both at the Member State and at European levels, in order to successfully implement the General Data Protection Regulation.

An overview of the other updates in Supplement 21 is provided below.


  • Chapter 17—Canada: A 2015 amendment has clarified that the PIPEDA privacy provisions do not apply to an organization in respect of the business contact information of an individual that the organization collects, uses, or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business, or profession.
  • Chapter 24—Dominican Republic: The new Criminal Code, which was expected to enter into force in December 2015, was declared unconstitutional by the Constitutional Court. The chapter has been updated with an overview of the Constitutional Court decision pertaining to Resolution No. 086-11. This decision provides, among other measures, that the interception of communications carried out under Resolution No. 086-11 must be authorized by a competent judge.

Asia Pacific

  • Chapter 10—The Asia-Pacific Region: The number of countries certified under the APEC Cross-Border Privacy Rules System (CBPR) continues to grow; 14 companies have now been certified as having met the certification requirements. The chapter has been updated to provide an overview of the Privacy Recognition for Processors System, which was adopted by APEC in 2015.
  • Chapter 34—India: The chapter on India has been updated with a new section dealing with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act. The Aadhaar Act was enacted during 2016 to provide for the efficient and targeted delivery of subsidies, benefits, and services to individuals by assigning unique identity numbers to each individual residing in India.


  • Chapter 6A—EU Data Protection Regulation: The new EU General Data Protection Regulation was formally approved by the EU Parliament in April 2016. It was published in the EU Official Journal on May 28, 2016. Following a two-year transition period, the General Data Protection Regulation will apply throughout the EU from May 25, 2018. Chapter 6A has been completely rewritten to include an in-depth analysis of the new EU Data Protection Regulation.
  • Chapter 27—Finland: The Ministry of Justice has appointed a committee to investigate and assess the national legislative actions that are required by the EU General Data Protection Regulation. It is anticipated that this committee will provide its proposals on the necessary amendments by the end of May 2017.
  • Chapter 32—Hungary: The Privacy Act was amended in 2015 to regulate the procedure for the approval, by the Hungarian Data Protection Authority, of binding corporate rules to transfer data. The 2015 amendment also requires that data controllers maintain a register of any data breaches that occur. The updated Hungary chapter also provides a brief overview of the decision of the CJEU in Case C-230/14, the Weltimmo
  • Chapter 46—The Netherlands: As of July 2016, a new whistleblower law, known as Wet Huis voor klokkenluiders, entered into force. The new law applies to employees in both the public and private sectors. The updated chapter also discusses the new security breach notification obligations for data controllers that have been effective since January 2016.
  • Chapter 47—Norway: A regulation on the national core medical record entered into force on January 1, 2016. This regulation establishes the legal basis for an electronic journal, available to health care providers, containing significant health information on patients. Access to the information contained in the core medical record requires the patient’s consent, except in emergency situations.


  • Chapter 63—Turkey: A new omnibus data protection law entered into force on April 7, 2016. The Turkey chapter has been updated to provide an overview of the main provisions of the omnibus law on the protection of personal data.