Dear Subscribers,

When this Supplement No. 39 is distributed worldwide to subscribers, in September 2022, we will be celebrating the 13th anniversary of the first publication of the Global Privacy and Security Law treatise. Since September 2009, so much has changed in the world of personal data, privacy rights, data protection and cybersecurity! Over that period, a large number of countries and economies have become aware of the critical importance of personal data as a fuel for their economies. More than ever, they appreciate the value of legal structures and enforcement mechanisms to govern the collection, use, protection, and crossborder transfer of personal data as a means to boost their international presence. Meanwhile, the size of this treatise has tripled, and its scope and number of chapters have also significantly increased.

As I look back at those 13 years, I am proud of what our team have accomplished, and where we stand now. When designing this treatise and shaping its outline, I aimed to provide, for each country or economy, the broadest possible range of practical information on the rules (or absence thereof) that governed personal data, focusing on those issues that would be relevant to private, commercial entities doing business internationally. I also thought it was important to explain these laws both in their local and international ecosystem, as well as in combination with the most significant legal, economic and cultural drivers that shaped them. Finally, I wanted each chapter to contain ample footnotes and references to help readers understand the intent and purpose of these laws, and provide them with useful tools to make informed decisions. Today, the treatise remains true to these objectives.

Global Privacy and Security Law remains by far the most complete, practical, documented and detailed compilation of summaries and analyses of the key data laws of the world, providing a look at both local laws and regulations, and the national and international structures in which they are created or implemented, such as constitutions, international or regional treaties, or decisions of international courts and organizations.

Most countries or economies have several data laws, national or sectoral, because personal data comes in many forms and formats. There is no “one size fits all” magic formula. While the most commonly known forms of personal data in the context of commerce or business concern information about a person’s identity or profile as a consumer or an employee, there are many other “flavors” with their idiosyncrasies, their sensitivity levels, or their uniqueness. Think, for instance, about location data, biometrics and genetic data, images, sounds, video recordings, cookies, communications (telephone, text, or emails), financial data, healthcare information, data about children or data about deceased persons. Think about the origin of these data, as well; they may be collected directly, indirectly, from the street or from the sky, may be derived from other personal data, and much more.

With this plethora of data and data uses, personal data cannot be governed by a single national law. There are many nuances. In each country or economy, beyond national, omnibus privacy or personal data protection laws (if any), there are sectoral laws, and related regulations and guidelines. There are constitutional rules and international treaties. There is jurisprudence. All of the pieces of this complex puzzle influence, supplement, modify, or at times supersede, the general laws, creating an ever-changing ecosystem. To properly plan and maintain its operations in a foreign country, an enterprise must constantly keep aware of all these factors and the relevant laws, regulations, jurisprudence and guidelines. It would be shortsighted or foolish to rely on brief synopses or highlights, which are too superficial and incomplete, to make an informed decision and anticipate the likely pitfalls of a foreign implementation.

For each country or economy featured in Global Privacy and Security Law, the chapter – often over 100 pages and several hundred footnotes long – describes a wide variety of data laws that are relevant to business entities, not just the omnibus data protection law, if any. These other laws and regulations include, for instance, those that pertain to the collection and use of personal data in marketing, consumer profiling, cookies, banking and credit, biometrics and genetics, employment, telecommunications, CCTV, the use of drones in populated areas, anti-spam laws or the use of artificial intelligence to evaluate personal data. Many chapters also look beyond the text of the laws and provide summaries of recent cases interpreting the laws, and comment on the lessons to be drawn from the decisions.

Local laws are only half of the story. A country does not function in a vacuum. It is frequently subject to rules created elsewhere, at the regional or international level. Thus, before delving into the country chapters, the first part of Global Privacy and Security Law provides detailed, critical background information about the numerous drivers that have been shaping data laws, worldwide, for over 60 years: the Privacy Guidelines of the Organization for Economic Co-operation and Development (OECD), the Privacy Framework of the Asia Pacific Economic Cooperation (APEC), or the European Union (EU) Regulations, Directives and Guidelines, to name a few. Some of these building blocks are part of what the privacy and data protection field has become today. And, because they are constantly evolving and being supplemented or updated, they are also part of the future. In all cases, they help explain the intent of the laws and other legal structures that are at the heart of this treatise. 

Businesses and their advisors must understand why laws exist and what they are intended to achieve to be able to design the products, services, contracts, policies and procedures that meet, in the most efficient and practical manner, the applicable legal requirements. 

In this Supplement No. 39, for example, we provide an update of the chapter on Transferring Personal Data out of the EU/EEA, with recent developments concerning both sets of the new Standard Contractual Clauses (2021). We have also extended our coverage of the Asia Pacific Region and the work of the key regional organizations that have helped shape personal data laws both in Asia Pacific and around the Pacific Rim and are currently actively promoting the adoption or improvement of privacy and data protection laws.

With this Supplement, we also welcome a new country, Saudi Arabia, which has recently adopted its first national data protection law and is in the midst of completing its regulations. In the prior Supplement, we welcomed Ecuador.

As always, much has happened in many countries since our last supplement, as well. Examples of recent local developments of note discussed in Supplement No. 39 include:

  • Italy has issued new rules on the use of cookies, which switch from an opt-out regime to a regime primarily relying on opt-in.
  • Japan has significantly updated its privacy and data protection framework, through a series of amendments to its national law, secondary laws, and guidelines. Among other things, the updated privacy framework introduces new concepts: “pseudonymously processed information,” “anonymously processed information,” and “personally referable information.” There are also extensive additions concerning security, security breach responses, and crossborder data transfers.
  • Malta and other countries are reporting on the implementation of the Whistleblower Protection Directive into their local laws, which requires businesses, among other things, to implement specific programs to facilitate the reporting of fraudulent activities in enterprises, while protecting and keeping highly confidential all information that might help identify the person reporting the activity.
  • Uruguay has issued new guidelines on the preparation of Data Protection Impact Assessments.
  • The Greece chapter provides summaries of recent enforcement actions related to the alleged misuse of personal data, including in the employment setting, in direct marketing practices, or in connection with security breaches.
  • The United Arab Emirates has supplemented its federal legal framework with its first Federal Data Protection Law. The law, adopted in 2021, is not yet in effect due to the delay in the completion of the related Executive Regulations. The UAE chapter update provides a full analysis of the Federal law as adopted.

We hope that you will enjoy the many changes and updates brought in this Supplement #39 of our Global Privacy and Security Law treatise, and thank you for your continued support of, and interest in, our work.

The Global Privacy and Security Law treatise is now available only in electronic form. For information on electronic subscriptions, please contact your Wolters Kluwer sales representative, or call Wolters Kluwer Customer Service at 1-800-638-8437.

If you are unable to order the online version of the Global Privacy and Security Law treatise, please contact Francoise Gilbert at fgilbert@globalprivacybook.com or by text at +1-650-804-1235.

Thank you

Best regards,

Francoise Gilbert