We are pleased to share with you this Supplement No. 41. When this supplement reaches your desks or screens, we will be close to celebrating the 14th birthday of the treatise. The first edition of the GPAS was published in September 2009. So much has changed in the world of data law in the past fourteen years! The number of countries having adopted privacy or data protection laws has grown at a rapid pace, from less than 50 countries to nearly 150. The size of the treatise itself has grown, as well, from approximately 2,000 pages to over 6,500 pages.
Throughout Europe, the EU/EEA is actively working on third or fourth generation data laws, drafting and adopting news regulations and directives that take into account the changes in technologies used to process personal data, and in the ways personal data is used or captured, in order to provide better, clearer, or more efficient structures and improve the protection of privacy and security. Concurrently, EU/EEA Member States are keeping the pace, willingly or begrudgingly, at the national level.
Outside Europe, the first adopters are updating their existing laws, while numerous countries are adopting their first national laws. In both cases, this is most frequently an attempt to meet the EU gold standard. The GDPR, EU’s General Data Protection Regulation, continues to be a major source of inspiration for numerous countries.
Throughout the world, the concepts of data protection, privacy or cybersecurity are no longer a novelty, known or understood by just a few. In many countries, there is a clear effort towards enforcement. The number of fines issued, and their amounts, are clearly increasing. In a few other countries, however, while laws exist, reality and practices are . . . different.
Data location and the ability to transfer personal data across borders continue to be critical points of friction. In both case, the problem is as traitorous as an iceberg. On the surface, the issue is that of the protection of personal data after its transfer to a third country. Deep under the surface, however, there is also a tug-of-war, a struggle for power, economic growth, or perhaps some form of supremacy.
The recent creation of the Global Cross-Border Privacy Rules Forum (or Global CBPR Forum) which was established in April 2022, could be related to this tug-of-war. To acknowledge this recent “fork” or “work around”, we have created a new chapter, Ch 16 Global Cross-Border Privacy Rules Forum. The Global Forum was developed at the initiative of seven founding members: Canada, Japan, South Korea, the Philippines, Singapore, Chinese Taipei, and the United States, all APEC economies. The United Kingdom has recently applied for membership. The goal of the Global Forum is to establish principles and objective that would facilitate cross border data transfer such as through the use of recognition of certifications issued under other regimes.
In addition, we have updated several of the general chapters.
Chapter 03 Genesis, which provides an overview of the history of the development of data protection laws, contains new, additional details on the most significant milestones of the past 75 years.
Chapter 07 EU General Data Protection Regulation has been significantly revised and provides links to the numerous documents issued by the European Data Protection Board and the European Data Protection Supervisor regarding the interpretation of the major provisions of the GDPR.
Chapter 10 Transfer of Personal Data Out of the EU/EEA continues to evolve and address the never-ending tug-of-war created by the barriers to transfer of personal data out of the EU/EEA. The most recent attempt at agreeing to the terms of a new transatlantic privacy framework is still in limbo despite significant efforts on both sides. Meanwhile, the EDPB is focusing its attention on updating the regime in place for binding corporate rules. Little guidance has been published in this area since the enactment of the GDPR. At long last, after spending significant efforts on developing the new Standard Contractual Clauses, the EDPB has published draft Recommendations on the Application for Approval and on the Elements to be Found in Controller Binding Corporate Rules.
There are several country updates of note, as well.
In Canada, the most important components of Bill 64, which updates Quebec law on the protection of personal information will enter into effect in September 2023. Other aspects of the law – such as the breach notification – came into effect in September 2022. As of September 2023, the Quebec Privacy Act will require privacy impact assessment before communicating personal information out of Quebec, even to another Canadian province.
As an example of the increased efforts of the national supervisory authorities to enforce the GDPR and conduct enforcement actions the Denmark chapter has been supplemented with a comprehensive survey of enforcement actions and related penalties.
India continues its effort at adopting a comprehensive data protection law. The India chapter provides an update on the Draft Digital Personal Data Protection Bill 2022. The draft bill introduces the concept of trust. It refers to data controllers as “data fiduciaries”. There are also “significant data fiduciaries”, who are identified by the government to have additional obligations, which would depend on several factors, such as the volume and sensitivity of data processed.
The United Kingdom chapter provides an update on the evolution of the country’s efforts at modifying its current data protection law which is based on the GDPR to adapt it more closely to the culture and expectations of the UK political system.
The Global Privacy and Security Law treatise is now available only in electronic form. For information on electronic subscriptions, please contact your Wolters Kluwer sales representative, or call Wolters Kluwer Customer Service at 1-800-638-8437.
If you are unable to order the online version of the Global Privacy and Security Law treatise, please contact Francoise Gilbert at firstname.lastname@example.org or by text at +1-650-804-1235.