Supplement #37

To be sent January 2022

Happy Holidays and Happy New Year! We wish you a terrific new year, filled with joy, love, exciting discoveries and interesting projects. Good luck and good health to all of you, and your respective families, loved ones and friends.

One of the last things I do when putting together the package of updates to the numerous chapters of this treatise is to prepare these highlights. Of course, it is a time of great joy and pride. It makes me happy that our team has completed a difficult task on time, and to see that, in the end, all the pieces work together. 

On top of that, the true pleasure I get is when I can at long last, sit, stop, and look at all these chapter updates, observe their contents at the thousand feet level, and compare what each country or each region has done and how it integrates in the larger whole. I enjoy reading through the tea leaves and observing the trends of the time.

• Throughout the world, Covid and its variants continue to provide substantial material for legislators. The pandemic and the new risks we discover each week raise thorny legal issues, including those concerning the interaction between data protection and vaccination requirements and other public health issues. Many of the countries participating in this Release No. 37 have adopted new guidance, guidelines, and laws focusing on some aspects of the pandemic and its risks. There are frequent interrogations on how to address the variants or how to handle mass vaccinations. There is also a common concern about privacy in the workplace, how to protect the privacy of an employee while also ensuring the safety of the others. 
• Numerous countries are increasingly interested in physical privacy, and in particular the different forms of invasion caused by drones and other unmanned vehicles. There have been several efforts at enacting laws that regulate the use of drones.
• The invasion and potential infringement of privacy rights caused by the use of drones has even escalated at the Executive level. In France, CNIL, the French data protection authority has sanctioned the Ministry of Interior for having used drones equipped with cameras to monitor compliance with the COVID-19 lockdown measures in Paris. CNIL enjoined the Ministry to stop all drone flights until an order authorizes them.
• Information collected through drones and other aircrafts are raising new issues in India. There, Guidelines for Acquiring and Producing Geospatial Data and Geospatial Services including maps, were recently issued. They are intended to govern the collection, use and dissemination of geospatial data and maps. Among other things the Guidelines require, in specified circumstances, that the collected data be stored and processed solely within India.  
• In the European Union and the European Economic Area, the EU General Data Protection Regulation (GDPR) is settling in. The Regulation is slowly permeating the legal systems and the cultures of the Member States. It feels like the engine is beginning to run a little more smoothly, and the “poketa, poketa, poketa” issues of the early days are slowly vanishing or being fixed.
• While the implementation into national laws seems to have made good progress, and the usual pains of fitting a square peg in a round whole are fading, we are beginning to see more clearly how the new national laws derived from the GDPR are being applied, and the numerous cases being brought to court. 
• Most EU/EEA chapters describe recent cases, and the resulting penalties. Overall, more complaints are being filed, and the amount of the penalties assessed is increasing. While there is still an occasional consideration for a company’s efforts and willingness to cooperate with government authorities after an incident has been discovered, it is not always the case. Fines and penalties are being assessed more frequently; their amount is occasionally higher than in prior years. It seems that the informal transition period or unwritten moratorium is over, and regulators are increasingly taking a hard line, and expecting the regulated entities to get their act together.
• It seems however that EU Member States are putting more energy in implementing the GDPR or litigating GDPR issues than developing new legislation. The Whistleblower Protection Directive has only few followers. The Member States have until the end of December 2021 to transpose the directive in their national laws, but so far, we see little progress in its implementation. 
• Finally, one of the major events of 2021 occurred in June 2021, as we were putting the last touches to Release #36.  The EU Commission issued a group of modernized Standard Contractual Clauses to supersede the obsolete and aging original Standard Contractual Clauses, created during the years 2000’s, which were based on the 1995 EU Data Protection Directive, Directive 95/46 (EC). The new 2021 Standard Contractual Clauses address some of the crossborder transfer requirements raised by GDPR Article 46(2), and another template is intended to assist in meeting the requirements of GDPR Article 28, concerning written contracts between data controllers and their service providers.  

More than ever, the field of privacy, cybersecurity and data protection is in constant evolution. This supplement will be more than 1,500 pages, I am told. Almost as many pages as the very first version of the entire treatise, published twelve years ago, in September 2009. A testimony of the dramatic expansion of privacy, data protection law, cybersecurity, and related disciplines in the last twelve years. 

We hope that you will enjoy the many changes and updates brought in this Supplement #37 of our Global Privacy and Security Law treatise, and thank you for your continued support of our work.