Highlights to Supplement #40

Dear Subscribers,

We are pleased to share with you this Supplement No. 40. In our survey of the changes made both in the essential cornerstone structures (EU laws, Data Transfer restrictions), as well as in the countries, for this supplement, we are observing several interesting trends. 

– Within the EU/EEA area, the EU agencies and regulators are continuing to drive change, and creating new regulations or directives to provide better structure and improve the protection of privacy and security, as well as the means for such protection. 

– Outside Europe, the GDPR continues to be a major driver and a guide for the update of existing laws. An increasing number of countries are trying to adapt their laws to meet the new rules that were set in the EU GDPR. 

– Finally, throughout the world, we also observe a trend towards more enforcement and stricter fines. Numerous countries are increasing the amount of fines assessed against violators either by applying their existing laws, or by updating their laws to increase penalties. 

Specific examples of these trends are provided below.

Development of EU Laws

Our chapter on the key data directives and regulations has been significantly updated and supplemented to show both the historical and the current drivers of the development of the privacy and data protection laws in the EU. We also describe the most recent directives and regulations that are building a comprehensive security ecosystem. The current and upcoming directives and regulations in this area have an increasingly wider scope, and cover a wider variety of industry sectors and a wider variety of potential attacks on networks and information systems.

While these new laws have a broader scope than the regulations and directives focusing on personal data because they focus on data security in general (as opposed to being limited to the security of personal data), they are, nevertheless, also part of the general privacy and data protection landscape. The security measures, mandates and structures required by these directives and regulations apply both to the personal data held in those systems and to data other than personal data.

On another note, there is progress in the never-ending saga of the legal framework for data transfers between the EU/EEA and the United States. Our chapter on Crossborder Data Transfers discusses the recent Executive Order issued by US President J. Biden related to the preparation of the package of agreements that are intended to form the Trans-Atlantic Data Privacy Framework, as needed to replace the defunct EU-US Privacy Shield.

Amendments to Existing Laws

The Argentina chapter describes the recent efforts to improve the data protection landscape, such as with the appointment of a new data protection commissioner and significant progress in the development of an updated privacy law.

Australia is also making efforts to supplement and expand its data protection landscape. In a recent case, the court found that the Privacy Commissioner had jurisdiction over a company registered and located in the United States because that entity placed cookies on users’ computers or devices located in Australia. The court found that, through the use of cookies, the foreign-based entity was “carrying on business in Australia,” which in turn was creating the “Australian Link” required under Australian privacy law to establish jurisdiction over a foreign entity. This decision is of great importance to foreign entities doing business in Australia. Their online practices might create the “Australian Link” sufficient to bring them within the jurisdiction of Australian courts.

Israel is also working on amendments to its data protection laws, with changes that would align with some of the requirements brought in by the EU General Data Protection Regulation. For example, the proposed amendments would increase the amount of fines imposed on violators; the scope of registration obligations would be reduced to give regulators more time to focus on databases that pose significant threats to privacy, as well as monitoring and enforcement.

Now that the Brexit agreements have been finalized, it is not surprising that the United Kingdom would try to disentangle itself from some of the structures that were imposed by its EU membership and try to re-invent itself. The UK chapter provides a description of proposed amendments to the UK GDPR. Among amendments of note, the modified UK data protection law would remove barriers to responsible innovation; reduce burdens on businesses and deliver better outcomes for people; boost trade and remove barriers to data flows; improve public safety and national security; and create new rules for digital identity and smart data.

Increased Penalties

The Slovakia chapter provides numerous summaries of recent cases. They provide excellent practical examples of situations where businesses can find themselves on slippery ground, such as forwarding an anonymous submission to a third party that happens to have sufficient information to re-identify the author of the anonymous complaint, or the liability of an employer for violations of the law caused by unauthorized actions that employees initiated in the course of their employment.

The chapter on the Philippines provides an overview of the fines to be assessed against both data controllers and data processors (PICs and PIPs in the Philippine law) in case of violation of the law. The new fine structure distinguishes “Grave infractions,” “Major infractions” and “other infractions.” For the most serious infractions, the fine can reach up to 3% (three percent) of the entity’s annual gross income for the year preceding the year in which the infraction occurred, a level consistent with the fines under the EU GDPR.

The chapter on the Philippines also describes the country’s recent efforts at modernizing the systems used for the disclosure of security breaches. The new system is available online, and allows personal data controllers to submit their Personal Data Breach Notifications, and their Annual Security Incidents Reports online. 

Finally, Portugal, which was one of the first countries to issue large penalties shortly after the entry into force of the EU GDPR, is continuing with this trend. In the update to the Portugal Chapter for this update No. 40, we note a fine of 1.25 million euros against the Municipality of Lisbon for multiple violations of the law, including aggressive data processing practices concerning personal data of protestors.

The Global Privacy and Security Law treatise is now available only in electronic form. For information on electronic subscriptions, please contact your Wolters Kluwer sales representative, or call Wolters Kluwer Customer Service at 1-800-638-8437.

If you are unable to order the online version of the Global Privacy and Security Law treatise, please contact Francoise Gilbert at fgilbert@globalprivacybook.com or by text at +1-650-804-1235.

Thank you.

Best regards,

Francoise Gilbert

Editor and Lead Author