To Be Sent January 2024
There is no doubt that one of the most significant legal developments of the past 30 years on a global scale has been the adoption of laws that govern the collection, use and misuse of personal data. Since the beginning of the new millennium, the number of countries having data protection laws has skyrocketed from about 30 to more than 160 now, which is a little over 80% of the United Nations members.
Personal data has become a key tool for growth and security. Businesses want access to personal data so that they can better target their potential customers. Governments want control over personal data as a way to control the movement of goods, services, and people; they also want access to information for law enforcement and national security purposes.
Most of the data protection laws follow trends, standards, or global or regional guidance. It is not surprising that similar themes and obstacles usually appear in each of these laws. However, their substance or the barriers they create may vary significantly depending on history, culture or political regimes.
When I look back at the supplements that we have created over the past 14 years since the original publication of the Global Privacy & Security Law Treatise, it is clear that the movement of personal data across the planet has been a major issue, with numerous cases, reports, litigation, or new laws. It has been a major disruption for businesses, and a major financial drain.
The transfer of personal data across borders (or remote access from a third country) is a common concern because of the loss of control. When national laws address access to or processing of their citizens’ personal data in a third country, they tend to impose stringent prerequisites in order to keep control. Obstacles range from data localization (i.e., no processing of personal data outside the country) to restrictions of the transfer of data to only those countries that are deemed to provide “adequate protection”.
So far, the European Union and the United States have been taking center stage. In this Supplement #42, there is, again, major news concerning the transfer of personal data across the Atlantic Ocean, and the publication of long-awaited documents. Two pieces of good news, and one piece of bad news.
First, seven years after the adoption of the EU GDPR, the EDPB has finalized its views on the content of the BCR and the approval process in its Recommendations 01/2022 for the Preparation of the Applications for Approval and Elements to be Found in Controller Binding Corporate Rules. This document may help ease the burden of large multinational organizations in preparing their BCR and taking them through the related administrative maze for their approval.
Second, with the EU Commission’s adoption of the Implementing Decision concerning the adequacy of the EU-US Data Privacy Framework (2023) (“DPF”), entities that do business with US-based organizations will, at long last, be able to take advantage of the new Data Privacy Framework (DPF) as a legal basis for the transfer of personal data out of the EEA to the United States. The DPF is the third version since 2000 of the attempt by the EU and the U.S. administration to find a way to facilitate the cross-border transfer of personal data across the Atlantic Ocean for commercial purposes while taking into account the restrictions and requirements imposed by the EU data protection laws.
Unfortunately, this is not the happy ending that many would have hoped for. The DPF is already in danger. NOYB, the organization driven by Max Schrems (a key player in the Schrems I and Schrems II decisions of the EU Court of Justice), has announced that it will challenge the EU Commission Adequacy Decision because it believes that the Data Privacy Framework is largely a copy of the Privacy Shield and that it fails to address the same concerns related to “fundamental” surveillance issues. What this means in practice is that we expect another period of rocky times for cross-border transfers of personal data of EU citizens: more litigation and appeals, and a new decision by the European Court of Justice in a few years.
Chapter 10 explains the details of the EDPB’s Recommendations 01/2022 on the Binding Corporate Rules for Controllers, and those of the EU Commission Implementing Decision on the EU-US Data Privacy Framework (“DPF”). With these structures in place, and – hopefully – valid for a few years, organizations that receive (or have remote access to) personal data of EEA citizens can focus on rebuilding their templates to accommodate the new regime. It is not clear, however, whether a DPF + SCC belt-and-suspenders approach similar to that used in the recent past will be sufficient to withstand the upcoming hurdles and uncertainties. Would a more drastic change be a more successful course of action?
The European Commission has been very active, and not just in the area of the protection of personal data and privacy rights in cross-border transfers. Among other news, Chapter 5 discusses a recent initiative by the European Commission that would supplement the GDPR in the form of a new regulation. The working title for the proposed new regulation is Regulation Laying Down Additional Procedural Rules Relating to the Enforcement of the GDPR. The proposed regulation would define specific rules for the review of complaints pertaining to issues currently raised concurrently in several Member States, the requirements for the content of those complaints, and the methods for resolving disputes among DPAs on the handling of the case.
Outside Europe, there are interesting developments as well. The hurdles and obstacles arising from attempts at developing a workable framework for the cross-border transfer of personal data are trickling out of the European Economic Area and spreading to the rest of the world. The need to ensure that personal data, once transferred to a foreign country, will be treated with the same care and restraints as in their country of origin is becoming a general concern, as governments are becoming increasingly aware of the aggressive practices of certain countries. In Supplement #41, we welcomed the formation of the Global CBPR Forum in 2022, created at the initiative of several APEC Member Economies, and dedicated a new Chapter 15 to this new global organization. With Supplement #42, Chapter 15 is expanded to provide additional details on the proposed operation of the Global CBPR Forum. We also provide new information on its legal structure and organization, including a report on the acceptance of the United Kingdom as the first Associate Member.
Among the numerous country updates, several are of particular note.
While Australia is in the midst of making changes to its law, most of these changes are not yet finalized. Meanwhile, the Australia chapter provides information on important requirements regarding the disposal of files containing personal information. In the State of Victoria, amendments to the Occupational Health and Safety Law require the deletion of all vaccination information collected during the COVID-19 pandemic period. Conversely, two states have adopted laws requiring the retention of health information for specified periods. In addition, the chapter reflects recent key amendments to the Australian Privacy Act concerning extraterritorial application, penalties, and the ability of the data protection commissioner to share information acquired during an investigation where that information is in the public interest.
At long last, India has adopted a national data protection law, the Digital Personal Data Protection Act 2023. This new law is the result of years of efforts. The final version, as adopted by India’s President, contains numerous structures that are similar to the traditional model that we see in numerous jurisdictions, including an obligation to report personal data breaches. However, there are also idiosyncrasies. There is no clear indication concerning the rules or restrictions on the transfer of personal data out of the country. Informed consent is required for the collection and processing of personal data, but the effect of the consent is limited to only those personal data and activities that are related to the original reason for the consent request. Further, the law introduces new concepts, such as the “Consent Manager”, which acts as a single point of contact to give and manage consent. The concept of “Data Fiduciary” (equivalent to data controller) is supplemented by that of “Significant Data Fiduciary”.
In 2022, Japan worked diligently on the update of its national data protection law, the APPI, and it was recently announced that the European Commission and Japan had successfully completed the first periodic review of the Japan-EU Adequacy arrangement adopted in 2019. Our update also reviews the requirements of Japan’s new Cookie Regulation, which was adopted as an update to the country’s Telecom Act. It also provides a detailed report on the activities of the PPC, the Japanese data protection authority, and an overview of recent enforcement actions initiated by the PPC.
South Africa is actively developing its structures surrounding the enforcement of POPIA, its new data protection law. A new Enforcement Committee, established by the country’s Information Regulator, will review all the complaints that the Regulator receives regarding infringements of the POPIA and/or the PAIA. Rules for the operation of the Enforcement Committee are being prepared. The chapter update also provides summaries of recent enforcement actions by the country’s Enforcement Regulator.
SOUTH KOREA (Republic of Korea)
In 2023, the Republic of Korea adopted numerous changes to its data protection law. Several provisions relating to consent have been changed. The number of situations where prior consent is not necessary has increased, making the range of exceptions available similar to those provided in the EU’s GDPR. There must be a specific, separate consent to the use of personal data for marketing purposes. The 2023 amendment introduces the concept of “visual data processing devices”, which is divided into “Fixed Visual Data Processing Devices” and “Mobile Data Processing Devices”. The amendment defines specific rules for the operation of each category of devices. The amendment also contains numerous provisions that apply primarily to data processors or other third parties that receive access to personal data. Numerous provisions that applied only to data controllers now also apply to data processors (or “outsourcees”). For instance, fines may now be imposed on data processors for violations of PIPA.
The Republic of Türkiye has adopted a new spelling for its name, and the United Nations has acknowledged this change and is now using the new spelling. So is our chapter on the country. The update to the chapter also provides information on recent enforcement actions. Also of note are the changes to the amounts of penalties for certain violations, which have been significantly increased to take into account the significant inflation in the country.
The Global Privacy and Security Law treatise is now available only in electronic form. For information on electronic subscriptions, please contact your Wolters Kluwer sales representative, or call Wolters Kluwer Customer Service at 1-800-638-8437.
If you are unable to order the online version of the Global Privacy and Security Law treatise, please contact Francoise Gilbert at email@example.com or by text at +1-650-804-1235.