Dear Subscribers,

I am pleased to present this Supplement #38 to our Global Privacy & Security Law treatise, and I take this opportunity to thank the many contributors who have participated in the preparation of the chapters being updated, as well as the administrative and editorial staff at Wolters Kluwers and their service providers.

I am delighted to welcome two new contributors:

United Kingdom: Leonard W. N. Hawkes

Leonard W.N. Hawkes, of the Flinn law firm, who will be in charge of the United Kingdom chapter. Len practices English law as well as EU law and International law from Brussels. Among other things, Len lectures regularly on comparative law issues. His deep and broad experience in matters related to UK Law and his deep experience with the European Union are especially useful in helping us understand that unique aspects and broad consequences of the departure of the United Kingdom from the European Union.

Ecuador: Rafael Serrano Barrona

Rafael Serrano practices as an attorney at Corral Rosales where he heads the Data Protection department, with special emphasis on the protection of personal data, electronic commerce, and electronic and IT contracts. In addition, Rafael is a tenured professor at Universidad de las Américas, where he teaches New Technologies Law, among other subjects. He is Vice-President of the Ecuadorian Association for Data Protection (AEPD), and is an active member of international organizations focusing on technology and data protection, including ITechLaw and the International Association of Privacy Professionals (IAPP).

Recurring Themes

In this Supplement, we continue to see numerous countries updating or supplementing, or planning to update or supplement their data protection laws to add guidance and direction with respect to the disruptions caused by the pandemic.

Chile, for instance, is evaluating amendments to provisions concerning the principle of Limitation of Purpose, where the collection of personal information in connection with credit application would be limited, when such collection is made in the context of a pandemic or similar public calamity.

In the Philippines, several bulletins and guidelines have been issued by the National Privacy Commission, in the context of the pandemic, including for example, concerning the limitation to the collection of personal information (e.g., collecting only what is necessary), protecting the patient from unauthorized disclosures, or security measures to be adopted when employees are commuting or working from home.

Other Additions of Note

Numerous have been updated with new laws or amendments to existing laws.

The chapter on Switzerland has been extensively updated in view of the upcoming entry of the new Swiss federal data protection law, which will enter into effect on January 1, 2023. The new Federal Act on Data Protection (2020) has numerous similarities with the EU General Data Protection Regulation (GDPR). For example, it includes new categories of sensitive personal information: genetic data and biometric data that uniquely identify an individual. It grants additional rights to data subjects: the right to data portability and right to object to automated decisions making. It also increases the obligations of data controllers and data processors, including, for instance, the obligation to maintain a record of processing, conduct data protection impact assessments, or obligations to disclose security breaches. 

The chapter on China has been significantly updated in view of the adoption of PIPL, the Chinese Personal Information Protection Law. The law came into effect on November 1, 2021. It consists of 74 articles in eight chapters. It integrates the rights and obligations already found in the Civil Code, the Cybersecurity Law, the Information Security Technology  (Personal Information Security Specification) and other laws and regulations.

The chapter on German laws has also been significantly due to the update of the Telemedia Act of 2007. The new law, named “Telecommunications and Telemedia Data Protection Act (TTDSG) (2021) entered into effect as of December 1, 2021. 

South Africa has adopted a new Cybercrimes Act, which commenced as of December 1, 2021. Only a portion of the chapters are fully in effect so far, including provisions giving extensive investigation and search powers to the police, and reporting obligations. 

The Czech Republic has updated its direct marketing laws to adopt an opt-in requirement, effective as of July 2022. The transition to an opt-in principle significantly affects how businesses may use telephone numbers acquired from public subscribers’ lists. Anyone who collects personal data (with telephone number) for publishing them in the subscribers’ lists is required to obtain an informed consent to such publication. Anyone who wants to use for direct marketing purposes a telephone number acquired from these public subscribers’ list, may do so only if the subscriber’s opt-in for direct marketing is recorded with that number. 

The Spain chapter now provides information about the regional data supervisory authorities, which operate in addition to the national data protection authority, the AEPD or Agencia Española de Protección de Datos. This includes the Data Protection Authorities of Catalunya and of the Basque Country. The specific, limited powers of these agencies are described in this supplement. 

Slovakia has also updated its laws, with the enactment of the Electronic Communications Act of 2022, which updates its cookie law. The updated law defines new rules for the use of cookies. It prohibits the use of technical or strictly necessary cookies without the prior provable (verifiable) consent of the concerned user. 

The additions to the Finland chapter describe, among others, several decisions of the country’s Sanctions Board that might be of interest both to those practicing in that country but also to others who are doing business in other countries subject to GPDR. For example, a university was sanctioned for collecting employees’ location information as part of the collection of working hours. The application worked in a way that required saving location data during working hours, and the application would not record working hours without location data.

Lithuania adopted amendments to its Whistleblower Protection Law, which came into force on February 15, 2022, making the country one of the few who have met the requirements of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons who Report Breaches of Union law (Whistleblower Protection Directive). The Directive entered in force on 16 December 2019, and required all EU Member States to update their existing laws, or adopt new legislation to transpose the Directive into their national laws by December 17, 2021. 

We hope that you will enjoy the many changes and updates brought in this Supplement #38 of our Global Privacy and Security Law treatise, and thank you for your continued support of our work.