Updates

Supplement #33

Sent to subscribers in September 2020

The COVID pandemic has drastically changed the way each of us lives, works or communicates. Less than a year into it, and with dim prospects for the months or years to come, businesses are struggling to respond to conditions and restrictions that are unlike anything else they anticipated or experienced previously. Entire industry segments, such as travel, hospitality, food or entertainment are more-or-less in a state of coma. Employers who used to discourage telecommuting are now requiring their staff to work from home. Businesses are trying to reinvent themselves. Little by little, each country is attempting to adapt to the new reality, and address the variety of issues presented by the havoc caused by the magnitude and intensity of the attack on people’s health and condition. 

Personal data has not been spared by the pandemic. In a world knocked down by a powerful, destructive virus, sensitive personal information is relevant and necessary (or is it really?) to almost every aspect of a person’s public and personal life. Very sensitive information about each individual is often a key element in addressing the care of that person, in avoiding contagion, in analyzing the effects of a drug, in gathering data about the death toll or other statistics, and much more. Governments and their agencies, at times too slowly, are realizing that in the fight against the virus, privacy and the protection of privacy rights are at risk if limits are not set to how much information can be collected and what can be done with that information.

In this Supplement #33, you will find out, among other things, how some countries have reacted to the effects that the pandemic is having on the use and potential misuse of personal data. As is often the case, there are times where privacy rights and security and safety end up on opposite sides, and both aspects must be balanced. In this case, the privacy and data protection laws and principles may serve to guide governments, legislators and others who collect, use or share personal data.

In the past few months, numerous countries have recognized this tension and developed guidelines for their constituencies on different aspects of the response to the pandemic as it relates to the protection of personal data.  For example, in this Supplement #33 you can read about:

Government Regulations

  • Israel passed temporary, emergency regulations to permit the tracking of data that in other circumstances would be considered extremely sensitive, such as people’s names, identification number, health status and location.  These measures were justified to the extent that they meet the principles of good faith, reasonability and proportionality.

Guidelines

  • In Greece, the data protection authority published guidelines regarding the use of personal data by employers.
  • In Slovakia, the data protection authority published a series of opinions and guidelines regarding the measurement of temperature for employees and visitors to the workplace, guidelines for ensuring the security of employees’ laptops used when working from home, and guidelines on the use of location data and contact tracking tools in the context of the COVID outbreak.
  • In the Philippines, the data supervisor authority issued guidelines regarding the collection of personal data, to ensure that only data that was “necessary” be collected, and that it be disclosed “only to the proper authority”. It also issued guidelines for health institutions and their data protection officers regarding the use and disclosure of sensitive data. The data protection authority also published guidelines on general security measures for organizations operating under a Work from Home arrangement (WFH), to be applied both during the pandemic and whenever any telecommuting arrangement is implemented.

Enforcement Actions

  • In Norway, the data protection authority blocked the use of a contact tracing app launched by the Norwegian Institute of Public Health, which required users to provide personal data both for contact tracing and for analysis and research without giving the opportunity to consent to only one of the purposes separately.
  • In Chile, the Ministry of Health and the Ministry of Transport and Telecommunications announced that the use of GPS technology on cellphones would be analyzed to observe the population’s mobility during the pandemic. However, the Transparency Council stated that it wants to review the detail of the initiative because it may be inappropriate. As of the date of this writing no rules on the subject have been published.

Legal Moratorium

  • Brazil postponed the date of entry into force of its new data protection law, the LGPD.  The entry into force of the law is postponed to May 3, 2021 and the administrative penalties provisions will enter into force in August 2021.

Despite the grim times, Supplement #33 also brings good news.  

After 7 years in a holding pattern, the data protection law of South Africa is now in effect! Enacted by the South Africa Parliament in July 2013, the Protection of Personal Information Act (or POPIA) was approved by the President and became a law in November 2013. After many years of waiting and pressure from the Information Regulator for the commencement of the law, the South Africa President proclaimed the commencement date of POPIA to be July 1, 2020. The law is now fully in effect and organizations have a one-year grace period (computed from July 1, 2020) to ensure that all of their processing of personal data complies with the new law. Thus, on July 1, 2021, all processing of personal data in South Africa must comply with POPIA.

To our subscribers: Thank you for subscribing to this treatise.

To all contributors to this Supplement #33:  Thank you for your timely reports.

To the Wolters Kluwer and CCH teams who make this treatise happen and work tirelessly to deliver each supplement on time: Thank you for your hard work.

To everyone:  Keep safe! Keep healthy!

Supplement #32

Sent to subscribers in May 2020

As I am writing this note, the global tsunami effect of the Coronavirus is shaking, affecting, or perhaps destroying public health, businesses, work life, and family reunions. COVID-19 news and the defense against the Coronavirus have become the central part of our daily preoccupations. The outbreak and spreading of the virus on a global scale present challenging issues to which a significant number of public and private entities appear to have been ill-prepared.

While most of the updates to the chapters that are part of this Supplement #32 were written at a time when the threat and global effects of the virus in a particular country were not yet felt or anticipated, some of our contributors were living and working in difficult conditions under strict lockdown orders.

Special thanks to Marissa Xiao Dong and Guo Jinghe (China) and Raffaele Zallone (Italy) for producing their country updates while their respective countries and healthcare systems were deeply shaken by the effect of the destructive contagion. They worked on their country updates during their respective “lockdown,” “confinement,” “self-isolation,” or “retrenchment” periods. Thank you for your team spirit and the gift of your time in such dramatic circumstances.

The seriousness and intensity of the attack on people’s health and the dramatic consequences for countries’ healthcare ecosystems have significant business and legal implications involving almost every possible area: advertising, admiralty, bankruptcy, children, commercial, contracts, education, employment, health, insurance, telecommunications, telemarketing, torts, trademarks, trade secrets, and much more.

Privacy and information security are among the legal and practical issues to take into account. Privacy is highly vulnerable in a time when public health concerns may not be consistent with personal interest or civil liberties. Consider, for example, the civil rights concerns related to the collection of location data to track the path of the virus.

Most existing privacy and data protection laws do not address, or only at the highest level, how to handle personal information in case of a major event. How much information should be disclosed when an employer faces the fact that one employee has been infected? Who should be provided with the information? When looking at the interests of the community, providing transparency and disclosing the details of the effect of the virus may help save lives. Collecting or sharing personal details that may allow tracking an individual’s whereabouts might help identify useful information or trends that help fight against the spread of the virus but also opens the door to monitoring and surveillance and provides a means of encroaching on civil liberties, the future effect of which might not be stopped.

Significant security concerns are also at the forefront. The quarantine or isolation strategies require businesses and government agencies to send their personnel home to be shielded from contagion. While they help reduce the risk of infection, these strategies may put at risk the security shield that protects files and data. What level of security is provided to the confidential or strategic business records or the highly sensitive personal information that are now processed on a family computer, on the proverbial “kitchen table”? How is the security of the information preserved? What is the level of awareness of the potential risks to the confidentiality and security of all the contracts, reports, customer lists that are transferred among co-workers, or between a worker and the company’s headquarters where internal measures, physical and technical security might be lacking or deficient, and there is little experience or training on how to protect the company’s crown jewels, or those of its clients or customers?

I hope that our next Supplement will be produced in less dramatic and concerning circumstances.

Keep safe! Keep healthy!

Supplement #31

Sent to subscribers in January 2020

Happy 10th Anniversary! With the delivery of Supplement #30, which we completed during the fourth quarter of 2019, we celebrated the 10th anniversary of the publication of the first issue of the Global Privacy and Security Law treatise. Wow! Back in 2005 when I started designing the concept and outlining the treatise, I never imagined that I would be writing about the 10th anniversary of its publication now, a few days before Thanksgiving 2019.

Anniversaries are a time to reflect on accomplishments and thank those who contributed to the realization of those accomplishments.

First, I want to thank all subscribers for their continued interest in, and enthusiasm for, the Global Privacy and Security Law treatise over the years. Thank you for your support! It is your enthusiasm for our work that pushes us, for each supplement, to bring you the best we can write, and inform you of the most recent developments we can identify or upcoming ones. Parts of this treatise were written because of questions from subscribers who had a particular interest in a topic or a country. Thank you for these questions! They have provided incentives for exploring further the world of privacy and security, and sharing these laws and trends with each other. Please feel free to write to me at fgilbert@globalprivacybook.com with more ideas, questions or challenges.

Many thanks to all those who have contributed their time and knowledge, and made this work progress, expand and remain up-to-date and relevant. Our treatise was the first to identify the variety and breadth of issues related to the protection of personal data and privacy rights. It provides a unique tool for understanding the complex nuances of the numerous data privacy and security laws in 68 countries on all continents. Additional countries will be included in the upcoming versions. Today, the treatise remains, by far, the most comprehensive and complete work and analysis of global privacy and data security issues worldwide. We owe it to our team of attorneys around the world and their respective associates and administrative assistants who regularly supplement the country chapters, conduct research, and draft supplemental sections or proofread them. I am thankful to have been able to gather such an outstanding team.

Many thanks, as well, to the team at Wolters Kluwer, especially Kate Brady and Mallika Krishnan, and their respective colleagues. Thank you for keeping us on schedule. Thank you for following up, for your careful and meticulous work, for catching inconspicuous typos, and making each chapter look good.

And thank you, Jacques, my wonderful husband, for participating in the editing and proofreading the 100+ documents that form the treatise, especially when my full time job as an attorney competes with editing responsibilities and publishing deadlines. Thank you for designing and maintaining the successive versions of the website for the treatise, at www.globalprivacybook.com. Thank you for your encouragements, and your unconditional support of my initiatives.

Anniversaries are also a time to look at the past and prepare for the future. As I reflect on the past few years, I am amazed at the trajectory that privacy and data security laws have taken. When I decided to write the first version of this treatise, it felt like a quixotic adventure. Few companies appreciated the strategic value of personal data and few attorneys were aware that privacy and data security laws existed. The United States had a patchwork of federal and state laws that addressed the protection of some categories of personal data, but law schools did not yet offer classes on the topic. 

At the global level, only about 25% of the United Nations Members had adopted a national data protection law. Most of these laws emanated from countries within Western Europe, and derived from a handful of seminal documents such as the OECD Privacy and Security Guidelines, Convention 108 of the Council of Europe, or the 1995 Data Protection Directive. There was limited compliance and little enforcement. Outside Western Europe, several countries had adopted national data protection laws that tracked European data protection laws. In Asia, for example, early adopters included members of the former British Empire, Hong Kong, Australia and New Zealand. In the northern part of Asia, South Korea and Japan had developed their own laws, but little was happening in China or India. Asia was only tiptoeing into regulating the use of personal data as a regional initiative. The APEC Privacy Framework, considered a response to the work of the European Union and the OECD, had just been launched in 2004.

As we reach the end of 2019, more than 130 countries have passed and are enforcing comprehensive privacy and data protection laws. China now has a wide range of laws addressing the protection of personal data. Brazil’s data protection law will enter into effect on February 14, 2020. On the corporate front, two major acquisitions or divestitures by some of the major entities providing services related to personal data protection and compliance were just announced. And, unfortunately, the rate of misuse or illegal use of personal data has risen exponentially.

In the meantime, the United States, despite having more than one thousand federal or state laws addressing the protection of specific categories of personal data, is still viewed, worldwide, as lacking laws that provide “adequate protection” of personal data or privacy rights. US companies are plagued by the “GDPR effect” and the “CCPA Tsunami”. There is little hope that the United States Congress will soon pass a national, comprehensive law addressing the privacy and security of all personal data in all circumstances and applying uniformly throughout the United States.

As we embark on another ten-year adventure in privacy and data security, it is exciting to see the wide range of issues and nuances raised by the myriad ways in which information relating to individuals can be collected, used or distilled to be associated to individuals, in order to create profiles and identifying patterns. There is still so much to explore about the protection, use and secondary uses of personal data. Artificial Intelligence, the Internet of Things ecosystem and the development of blockchain technologies, among others, are paving the way to new technologies and new concepts that push the limits of exploration, and invite our Global Privacy and Security Law treatise team to investigate and analyze. 

And . . . one more thing! I am also embarking on another personal adventure. In August 2019, I launched a new company: DataMinding whose website is located at www.dataminding.com. With DataMinding, I will continue to work with my clients, while exploring the new frontiers of data privacy and security law, and addressing or anticipating the upcoming uses – or misuses – of personal data.

I look forward to continuing to lead our Global Privacy and Data Security law adventure, and to exchanging questions, sharing ideas, and responding to challenges from subscribers, colleagues and everyone else.

Supplement #30

Sent to subscribers in September 2019

2019 continues to be a year of intense activity around the protection of personal data. The adoption and implementation of the EU General Data Protection Regulation (GDPR) are having a viral effect around the world. Several countries have recently adopted their first data protection laws, for example, Brazil (during the summer of 2018) and, more recently, Thailand and Uzbekistan (to be added to this treatise in upcoming supplements). Elsewhere, countries are updating or amending their laws or supplementing them with additional laws. Below are examples of some of the recent developments that are described in further detail in the chapters of this 30th Supplement of the Global Privacy and Security Law treatise.

Argentina

Argentina passed its first Personal Data Protection Act years ago. It is one of the few countries that the European Commission has determined provides an adequate level of protection of personal data. In its Disposition 47/18, issued by the National Directorate of Personal Data Protection in July 2018, Argentina expands the scope of its provisions regarding information security. Disposition 47/18 identifies a series of suggestions regarding security requirements. The suggestions follow the international standards, especially the ones of the European Union. Among other things, Disposition 47/18 suggests that entities affected by a breach of security report the breach to the Application Authority and appoint a security officer who will be in charge of reporting data breaches and be the liaison with the Application Authority.

Austria

In Austria, the Austrian Data Protection Authority and the courts have actively prosecuted violations of the GDPR. The first decision of the DSB (the Austrian Data Protection authority) applying the GDPR was published on June 26, 2018. It determined that GDPR Art. 15 covers a customer’s request to obtain his or her historical bank account statements free of charge if no third-party rights are endangered. The DSB issued several decisions on the formalities of a data subject’s request. It has also ruled that the use of dash-cams is generally not in line with the legal data protection framework. In a rare case involving GDPR Art. 85, the DSB ruled on the availability of information to individuals and the privilege of “freedom of information.”

Brazil

Brazil amended its recently adopted Privacy Act (which becomes effective on February 14, 2020) to formally provide for the existence of a National Data Protection Authority (NDPA). While the Privacy Act originally approved by the Brazilian Congress created the NDPA as an independent federal agency linked to the Ministry of Justice, the concept was vetoed by the President of Brazil on constitutional grounds in the law-making process. The NDPA itself and its rules of operation have been reintroduced by the President by means of a provisional measure, and the existence of the NDPA was confirmed through the enactment of Federal Law 13,853, on July 9, 2019. The NDPA in turn will draft and issue other rules and provisions concerning specific requirements and guidelines to data collectors that are generally addressed in the Privacy Act, as well as the rules applicable to administrative procedures.

Brazil also adopted the Positive Credit Rating Law. The law sets out several obligations for the data controllers and conditions applicable to the collection, use, and sharing of financial information of the data subjects (individuals or legal entities) with other databases, as well as general access, amendment, cancellation, and opt-out rights for the data subjects.

India

While India is finalizing its national data protection law, its central government passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Ordinance, 2019 (the Aadhaar Ordinance) amending the Aadhaar Act in February 2019. The Aadhaar Ordinance introduces the method of offline verification of an individual’s identity using their Aadhaar in the manner provided by Unique Identification Authority of India. The ordinance further proposes that individuals may voluntarily use Aadhaar to establish their identities using authentication or offline verification with another private entity if that private entity complies with the applicable security and privacy safeguards and is permitted to carry out Aadhaar authentication by law or is seeking authentication for a purpose that the central government has prescribed to be in the interest of the state.

Italy

In the second quarter of 2019, the Italian Data Protection Authority (DPA) issued a number of significant decisions. It ordered Mediamarket, a subsidiary of the retailer Mediaworld, to cease and desist the processing of large amounts of personal data of customers collected before the GDPR and used for massive mailing of marketing materials. It found that the information notice and the consent did not comply with the law, but that they both had been changed after the effectiveness of the GDPR. There was no fine assessed, but the company received a cease-and-desist order.

The DPA did impose a fine of one million euros on Facebook with respect to the Cambridge Analytica case. The Italian DPA issued the fine against both Facebook Ireland and Facebook Italy, as co-processors. The procedure was under the old Italian law and not under the GDPR, which explains the amount of the fine.

Uruguay

Like Argentina, Uruguay was one of the first countries that the European Commission determined provides adequate protection for personal data and privacy rights. In late 2018, Uruguay adopted an amendment to its original data protection law in the form of Ley de Presupuesto Nacional que modifica la Ley No. 18.331 (October 25, 2018) (National Budget Law Amending Law 18.331). The purpose of the law is to align Uruguay’s data protection law, Law 18.331, to the GDPR. The amendment extends the geographic scope of the data protection law to data controllers that are not established in Uruguay but target Uruguayan inhabitants for the purpose of selling them goods or services and collect their personal information to analyze their behavior. It also adds the obligation to immediately report a data breach, the principle of proactive responsibility, and the obligation to appoint a Data Protection Officer in certain cases.

Supplement #29

Sent to subscribers in May 2019

Almost one year after GDPR Day, the European Union Member States have not yet fully completed their implementation of the EU General Data Protection Regulation (GDPR) into their national laws. While the GDPR became applicable as of May 25, 2018, and is fully in effect throughout the European Union, each Member State has the opportunity to make changes or additions to approximately 50 clauses of the GDPR. Some Member States have already done so, but a few are behind. In Supplement #29, we provide new information about changes in several Member States. 

In the meantime, the EU data supervisory authorities have begun enforcement actions against violators. These actions have resulted in a wide range of fines. The smallest fine so far is approximately €5,000. The largest fine was assessed in January 2019 by CNIL, the French data supervisory authority, against Google and amounts to €50 million. A summary of the Google opinion is provided in Chapter 06A. Google is appealing the decision primarily on jurisdictional grounds.

In addition to the GDPR, a new law has become “the talk of the town”: The California Consumer Privacy Act (CCPA). The CCPA was passed in California at the end of June 2018 and amended in August 2018. More than 40 amending bills have been filed in an attempt to amend it further. The CCPA is expected to take effect on January 1, 2020, unless a federal omnibus data protection law is passed in the U.S. Congress that supersedes the CCPA. As it stands currently, the CCPA grants California residents rights of information, access, erasure, and objection that have significant similarities with those provided to EU residents under the GDPR. The CCPA is of interest to all companies worldwide that do business with California residents or are located in California. It also applies to companies that control a business that is subject to the CCPA. The scope of the law and its requirements are described in Chapter 65.

As we are approaching the 10th anniversary of this treatise, it is fascinating to look back and evaluate the significant changes, evolution, and expansion of the law of the protection of personal information.


Supplement #28

Sent to subscribers in January 2019

As 2018 is ending, the enforcement of the General Data Protection Regulation (GDPR) remains the most important event of the year. The GDPR will be remembered as a significant paradigm shift throughout the world because of its extensive scope. The entire world has become “GDPR-ized.” In this supplement, we provide a number of updates to chapters pertaining to activities throughout the European Union and European Economic Area (EEA) resulting from the switch to the GDPR.

During the middle part of 2018, a series of official documents regarding the interpretation of the GDPR were finalized. The Article 29 Working Party, under its new name—EU Data Protection Board (EDPB)—and its slightly different composition, has officially replaced the Article 29 Working Party. As part of its first activities, the EDPB endorsed numerous guidelines and opinions that were prepared under the Article 29 Working Party. The EDPB has a new website, and this supplement provides numerous new links to the guidelines managed by the EDPB.

As provided in and throughout the GDPR, the Member States are slowly implementing the GDPR in their own laws. This is being done both by integrating the GDPR in their own legal frameworks and by adopting additional provisions. As expected, each country is implementing the GDPR in its own way. In this supplement, we provide updates from Belgium, Estonia, Finland, Lithuania, Malta, the Netherlands, Slovakia, and Sweden.

Switzerland, which is not part of the EEA, is also attempting to update its laws to retain consistency with the GDPR but has not yet agreed to a final draft of its updates. We provide a short summary of its efforts and projects.

Outside the European region, there are changes in Latin America. The most significant one was Brazil’s adoption of its first data protection law, which occurred during the summer and was reported in our prior supplement. In this supplement, we provide an update on activities in Chile. Chile was the first Latin American country to adopt a data protection law in the 1990s. It is now inching toward modernization of its legal framework to keep up with developments in the privacy/cybersecurity area so that it can provide protections that are consistent with those provided by its neighbors in Latin America.

By the time this supplement is completed and shipped to our subscribers, it will be 2019. Our team of writers, contributors, editors, and technical assistants wishes all subscribers a very happy new year. Many thanks to all of you for your interest in our work.

Finally, a personal note on behalf of our team. 2019 will be a special year for us. In September 2019, we will celebrate the 10th anniversary of the first publication of our two-volume Global Privacy and Security Law treatise! The privacy/cybersecurity world has changed so much in 10 years.

Supplement #27

Sent to subscribers in September 2018

At long last, the GDPR is in force.  It has been a long process.  I still remember reviewing the first draft of a GDPR in November 2011, and after that, all the successive drafts, wondering how long it would take to get to launch.

Here we are, almost 7 years later, GDPR is in effect! When you receive this set of supplements, GDPR will be celebrating the four-month anniversary of its enforcement date. It is still taking baby steps.  In the meantime, the first sets of lawsuits claiming violation of individuals’ rights under GDPR were filed on the inaugural day, May 25, 2018.

The GDPR grants Member States the ability to supplement some of its provisions. It was hoped that EU Member States would take advantage of the two-year period between signature of the law and the enforcement date to take the measures necessary to implement the GDPR into their national laws and take advantage of their ability to supplement it. Some did take advantage of this opportunity. Germany and Austria were the first to have completed the process. Nevertheless, a significant number of EEA Member States are still struggling. In numerous cases, bills are pending and still being discussed. Others are almost done; for example, Italy.

While not a member of the European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR as part of its agreements with the EEA Member States.  The Swiss parliament is said to be working on a draft.

Outside the EEA region, countries are actively working on the improvement or development of their data protection laws. On August 14, 2018, the president of Brazil signed the country’s first data protection law. That law contains numerous references to the GDPR. Across the Andes, Chile is also working actively on developing further its existing data protection law, to bring it to current international standards.

At the end of June 2018, California passed the California Consumer Privacy Act (CCPA). Like the GDPR, the statute has a very broad reach. It applies to most business entities that collect personal information of California residents and operate in California. In the next Supplement, we will provide a summary of the CCPA, and describe the circumstances of its very turbulent launch.

According to its terms, the statute becomes effective as of January 1, 2020. However, because of its controversial content, the statute has been attacked for a variety of reasons, and the launch date is becoming uncertain.  Since its signature by the California Governor, numerous activities have been ongoing in California to attempt to amend the statute and delay its enforcement date. There are also discussions at the Federal level, which are aiming at drafting a federal law that would supersede the California statute.

One of the most amazing features of the CCPA is its definition of “personal information.” It is probably the longest of all definitions of that term, worldwide. It is 345 words long and extends over 13 paragraphs.

While the CCPA has been presented by some as a “mini GDPR,” it is much more limited than the GDPR. For example, unlike the GDPR, it does not contain general data processing principles and does not require a legal basis for the processing of personal information. CalCPA focuses primarily on providing consumers with a number of rights, such as a right of access and right of portability, in a manner similar to the GDPR. It also grants consumers the right to obtain from businesses that they cease selling, sharing or disclosing their personal information with or to third parties for commercial purposes.

The CCPA grants a private right of action to California residents whose personal information was compromised in a breach of security. This addition to the existing California security breach landscape is likely to significantly increase litigation.


Supplement #26

Sent to subscribers in May 2018

It is just a few weeks before the May 25, 2018, deadline to implement the General Data Protection Regulation (GDPR), and it seems that the privacy and data protection world is frozen. The Member States of the European Union and European Economic Area have not done much to take advantage of the numerous GDPR provisions that allow Member States to draft additions and adaptations to the GDPR. Austria, Germany, and Belgium are the exceptions.

Germany has added numerous changes to the GDPR. One of the most significant additions is the obligation for companies to appoint a data protection officer if (1) at least 10 persons in the organization deal with automated processing of personal data or (2) the company is required to conduct data protection impact assessments. The German additions to the GDPR also grant significant supplemental powers to the supervisory authorities. Austria has expanded the scope of the provisions that give individuals the ability to be represented by a non-profit organization that focuses on data protection issues, to allow such a mechanism to be used for actions not only against organizations but also against the supervisory authority. Austria has also identified 14 as the age of consent.

In addition to Germany and Austria, Belgium has developed its local additions to the GDPR.  In the case of Belgium, the changes have focused on establishing a Data Protection Supervisory Authority and providing it with supervisory powers and punitive functions.  The Belgian additions to the GDPR grant the Supervisory Authority the power to give warnings, work on investigations, and impose administrative fines.

A few other Member States have developed drafts but, as we go to press, have not achieved finalization. These include, for example, France, Ireland, Latvia, the Netherlands, Spain, and the United Kingdom. The remainder of the European Union and European Economic Area Member States have not made any tangible progress.

While not a member of the European Union or European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR and that affect the remainder of Western Europe.  The Swiss parliament, however, has not yet published a draft. The word is that a draft should be coming soon.


Supplement #25

Sent to subscribers in January 2018

Supplement #25 to our two-volume treatise Global Privacy and Security Law reflects a period of significant transition in the European Union and European Economic Area where the Member States are still working on integrating the EU General Data Protection Regulation (GDPR) into their laws. Few countries have published any tangible information about their views on the transition to the new regime under the GDPR.

The Article 29 Working Party has been prolific and has published several guidelines, which are detailed in Chapter 6A. The Article 29 Working Party has already published Guidelines on Data Protection Officers, Data Portability, Lead Supervisory Authority, Data Protection Impact Assessments, and Administrative Fines. It has also published, for consultation, Guidelines on Data Security Breach and Guidelines on Automated Decision-Making and Profiling. Guidelines on the concept of consent, and cross border data transfers are expected to be published by the end of 2017 or early 2018.

In the Asia Pacific Region, China continues to make significant changes to its laws governing the protection of personal information.

The global privacy and security framework keeps evolving. The effect of the EU General Data Protection Regulation is clear. Countries outside the EU/EEA bloc, such as Switzerland, are looking at potential changes to their own data protection framework, examining the challenges posed by the EU General Data Protection Regulation, and exploring how to keep up with the changes to the data protection framework that the GDPR is bringing.


Supplement #24

Sent to subscribers in September 2017

This Supplement #24 to our two-volume treatise Global Privacy and Security Law reflects a period of significant transition in the European Union and European Economic Area where the member states are still working on integrating the EU General Data Protection Regulation (GDPR) into their laws. Few countries have published any tangible information about their views on the transition to the new regime under the GDPR.

On the other hand, the Article 29 Working Party has been prolific and has published several guidelines which are detailed in our Chapter 06A. The Article 29 Working Party has already published Guidelines on Data Protection Officers, Data Portability, and Lead Supervisory Authority. It has also published for consultation Guidelines on Data Protection Impact Assessment, and is working on additional Guidelines on the concept of Consent, which are expected to be published by the end of 2017. Details on these Guidelines are provided in Chapter 06A.

In the Middle East, Israel has significantly updated its Information Security Regulations, to expand upon the old regulations to prevent the misuse of data. The new Regulations are intended to realize the objectives of the original law and include several innovations, of which the most significant are intended to protect the privacy of registered users in a computerized database.

The Asia Pacific Region has also seen significant developments. For example, in June 2017, South Korea became the fifth country to join the CBPR system. Japan and China have made significant changes to their laws governing the protection of personal information.

In Latin and South America, Uruguay has welcomed the EU-US Privacy Shield and now recognizes as providing “adequate protection” the US companies that are listed on the EU-US Privacy Shield list. In Colombia, the Superintendence of Industry and Commerce of Colombia (SIC) has prepared a draft regulation with a series of dispositions that would clarify the obligations of managers and controllers in connection with the transfer and transmission of data to third countries. Chile is working on a bill that would update its current privacy law and would increase the level of privacy protection to meet the guidelines of the Organization for Economic Cooperation and Development (OECD), which Chile joined in 2010.

The global privacy and security framework keeps evolving. While technology evolves faster than laws, throughout the world, legislators and litigators are paying attention to the many uses and potential misuses of personal information.
