To be sent September 2021

With the publication of this Supplement No. 36, we celebrate the 12th anniversary of the Global Privacy and Security Law treatise. The size of the manuscript has more than tripled as compared to the original version of September 2009. The volume and length of the laws and regulations we analyze have grown exponentially. We have added so much material and so many new chapters that it has become necessary to revise the way in which country chapters are organized.  You will find some changes in the look of some of the chapters.

Concurrently, the way in which countries approach the protection of personal data has changed significantly. The field of privacy and cybersecurity is evolving and maturing. One of the major triggering event occurred a little over three years ago: the EU General Data Protection Regulation (GDPR) became enforceable as of May 26, 2018. At the time, it was an event of tsunami magnitude.  

The adoption of GDPR made room for a modern legal framework that takes better account of the new information processing technologies.  GDPR prompted the repeal of the aging 1995 EU data Protection Directive and gave a facelift to the way personal data was protected in the EU. Three years later, the GDPR and its interpretation continue to appear regularly on the news headlines, and to make waves throughout the world. The facelift is not limited to Europe.  The ripple effects resulting from the launch of the GDPR are becoming clearly visible on all continents.

First, in the last years of the 2010’s, the members of the European Union and the European Economic Area modified or adjusted their laws to implement the GDPR in their national privacy and data protection frameworks. They also had to modify or update their other national laws, for example their labor laws, to ensure that all pieces of the puzzle fit harmoniously with each other.  Managing the reform of 31 sets of national laws[1] at the same time was no small feat.

A second wave started when countries for which the European Commission had determined that they offered an adequate level of protection, embarked in their own reforms.  That was the case, for example, for Uruguay, Argentina, or Switzerland. To preserve their adequacy status, they needed to update their privacy frameworks so that it would be consistent with the new rules and framework created by GDPR. This was the case, for example, with Argentina and Uruguay, which have recently completed their updates.  Other countries are still working on their reform projects. This is the case of Switzerland and Canada, for instance.  Switzerland is close to completion and working on the last details. Canada is behind, but actively preparing for a reform. Meanwhile, other countries with adequacy status, such as Israel, are not showing any signs or hints that a reform is in the works.  It will take several years before this phase is completed.

A third wave is ongoing, while the influence of the GDPR is growing on all continents.  Numerous countries outside the EU/EEA and those with adequacy status, are showing a deep and clear interest in adopting privacy or data protection laws that use principles laid out in the GDPR.  This is the case, for instance, for several Middle Eastern countries.  The financial centers in the Dubai and Abu Dhabi emirates, for instance, have recently updated their data protection regulations to include provisions resembling those of the GDPR.  A similar wave can be seen in Asia, with the recent updates of the Singapore laws, which adopted the concept of data portability, among other things. Next door, Malaysia is also contemplating changes to its Data Protection Act of 2010 as hinted in a recent public consultation paper concerning potential changes. According to the consultation, in the near future, the concept of consent might be clarified, the conditions for crossborder data transfers might be updated, some entities might be required to appoint a data protection officer, and there may be a requirement to report data breaches.

The United States is not exempt from the effect of the GDPR. In several US States, new consumer privacy laws are being passed or evaluated.  These laws and bills clearly show numerous similarities with the GDPR.  See, for example, the provisions that make the publication of a privacy notice mandatory, or those expand on the rights of individuals and clarify the powers of data subjects.

More than ever, the field of privacy, cybersecurity and data protection is in constant evolution.  We hope that you will enjoy the many changes and updates brought in this Supplement No. 36 of our Global Privacy and Security Law treatise.   

[1] The UK was still an EU member state at that time.