Updates

To be sent January 2022

Happy Holidays and Happy New Year! We wish you a terrific new year, filled with joy, love, exciting discoveries and interesting projects. Good luck and good health to all of you, and your respective families, loved ones and friends.

One of the last things I do when putting together the package of updates to the numerous chapters of this treatise is to prepare these highlights. Of course, it is a time of great joy and pride. It makes me happy that our team has completed a difficult task on time, and to see that, in the end, all the pieces work together. 

On top of that, the true pleasure I get is when I can at long last, sit, stop, and look at all these chapter updates, observe their contents at the thousand feet level, and compare what each country or each region has done and how it integrates in the larger whole. I enjoy reading through the tea leaves and observing the trends of the time.

• Throughout the world, Covid and its variants continue to provide substantial material for legislators. The pandemic and the new risks we discover each week raise thorny legal issues, including those concerning the interaction between data protection and vaccination requirements and other public health issues. Many of the countries participating in this Release No. 37 have adopted new guidance, guidelines, and laws focusing on some aspects of the pandemic and its risks. There are frequent interrogations on how to address the variants or how to handle mass vaccinations. There is also a common concern about privacy in the workplace, how to protect the privacy of an employee while also ensuring the safety of the others. 
• Numerous countries are increasingly interested in physical privacy, and in particular the different forms of invasion caused by drones and other unmanned vehicles. There have been several efforts at enacting laws that regulate the use of drones.
• The invasion and potential infringement of privacy rights caused by the use of drones has even escalated at the Executive level. In France, CNIL, the French data protection authority has sanctioned the Ministry of Interior for having used drones equipped with cameras to monitor compliance with the COVID-19 lockdown measures in Paris. CNIL enjoined the Ministry to stop all drone flights until an order authorizes them.
• Information collected through drones and other aircrafts are raising new issues in India. There, Guidelines for Acquiring and Producing Geospatial Data and Geospatial Services including maps, were recently issued. They are intended to govern the collection, use and dissemination of geospatial data and maps. Among other things the Guidelines require, in specified circumstances, that the collected data be stored and processed solely within India.  
• In the European Union and the European Economic Area, the EU General Data Protection Regulation (GDPR) is settling in. The Regulation is slowly permeating the legal systems and the cultures of the Member States. It feels like the engine is beginning to run a little more smoothly, and the “poketa, poketa, poketa” issues of the early days are slowly vanishing or being fixed.
• While the implementation into national laws seems to have made good progress, and the usual pains of fitting a square peg in a round whole are fading, we are beginning to see more clearly how the new national laws derived from the GDPR are being applied, and the numerous cases being brought to court. 
• Most EU/EEA chapters describe recent cases, and the resulting penalties. Overall, more complaints are being filed, and the amount of the penalties assessed is increasing. While there is still an occasional consideration for a company’s efforts and willingness to cooperate with government authorities after an incident has been discovered, it is not always the case. Fines and penalties are being assessed more frequently; their amount is occasionally higher than in prior years. It seems that the informal transition period or unwritten moratorium is over, and regulators are increasingly taking a hard line, and expecting the regulated entities to get their act together.
• It seems however that EU Member States are putting more energy in implementing the GDPR or litigating GDPR issues than developing new legislation. The Whistleblower Protection Directive has only few followers. The Member States have until the end of December 2021 to transpose the directive in their national laws, but so far, we see little progress in its implementation. 
• Finally, one of the major events of 2021 occurred in June 2021, as we were putting the last touches to Release #36.  The EU Commission issued a group of modernized Standard Contractual Clauses to supersede the obsolete and aging original Standard Contractual Clauses, created during the years 2000’s, which were based on the 1995 EU Data Protection Directive, Directive 95/46 (EC). The new 2021 Standard Contractual Clauses address some of the crossborder transfer requirements raised by GDPR Article 46(2), and another template is intended to assist in meeting the requirements of GDPR Article 28, concerning written contracts between data controllers and their service providers.  

More than ever, the field of privacy, cybersecurity and data protection is in constant evolution. This supplement will be more than 1,500 pages, I am told. Almost as many pages as the very first version of the entire treatise, published twelve years ago, in September 2009. A testimony of the dramatic expansion of privacy, data protection law, cybersecurity, and related disciplines in the last twelve years. 

We hope that you will enjoy the many changes and updates brought in this Supplement #37 of our Global Privacy and Security Law treatise, and thank you for your continued support of our work.

To be sent September 2021

With the publication of this Supplement No. 36, we celebrate the 12^th anniversary of the Global Privacy and Security Law treatise. The size of the manuscript has more than tripled as compared to the original version of September 2009. The volume and length of the laws and regulations we analyze have grown exponentially. We have added so much material and so many new chapters that it has become necessary to revise the way in which country chapters are organized.  You will find some changes in the look of some of the chapters.

Concurrently, the way in which countries approach the protection of personal data has changed significantly. The field of privacy and cybersecurity is evolving and maturing. One of the major triggering event occurred a little over three years ago: the EU General Data Protection Regulation (GDPR) became enforceable as of May 26, 2018. At the time, it was an event of tsunami magnitude.  

The adoption of GDPR made room for a modern legal framework that takes better account of the new information processing technologies.  GDPR prompted the repeal of the aging 1995 EU data Protection Directive and gave a facelift to the way personal data was protected in the EU. Three years later, the GDPR and its interpretation continue to appear regularly on the news headlines, and to make waves throughout the world. The facelift is not limited to Europe.  The ripple effects resulting from the launch of the GDPR are becoming clearly visible on all continents.

First, in the last years of the 2010’s, the members of the European Union and the European Economic Area modified or adjusted their laws to implement the GDPR in their national privacy and data protection frameworks. They also had to modify or update their other national laws, for example their labor laws, to ensure that all pieces of the puzzle fit harmoniously with each other.  Managing the reform of 31 sets of national laws^[1] at the same time was no small feat.

A second wave started when countries for which the European Commission had determined that they offered an adequate level of protection, embarked in their own reforms.  That was the case, for example, for Uruguay, Argentina, or Switzerland. To preserve their adequacy status, they needed to update their privacy frameworks so that it would be consistent with the new rules and framework created by GDPR. This was the case, for example, with Argentina and Uruguay, which have recently completed their updates.  Other countries are still working on their reform projects. This is the case of Switzerland and Canada, for instance.  Switzerland is close to completion and working on the last details. Canada is behind, but actively preparing for a reform. Meanwhile, other countries with adequacy status, such as Israel, are not showing any signs or hints that a reform is in the works.  It will take several years before this phase is completed.

A third wave is ongoing, while the influence of the GDPR is growing on all continents.  Numerous countries outside the EU/EEA and those with adequacy status, are showing a deep and clear interest in adopting privacy or data protection laws that use principles laid out in the GDPR.  This is the case, for instance, for several Middle Eastern countries.  The financial centers in the Dubai and Abu Dhabi emirates, for instance, have recently updated their data protection regulations to include provisions resembling those of the GDPR.  A similar wave can be seen in Asia, with the recent updates of the Singapore laws, which adopted the concept of data portability, among other things. Next door, Malaysia is also contemplating changes to its Data Protection Act of 2010 as hinted in a recent public consultation paper concerning potential changes. According to the consultation, in the near future, the concept of consent might be clarified, the conditions for crossborder data transfers might be updated, some entities might be required to appoint a data protection officer, and there may be a requirement to report data breaches.

The United States is not exempt from the effect of the GDPR. In several US States, new consumer privacy laws are being passed or evaluated.  These laws and bills clearly show numerous similarities with the GDPR.  See, for example, the provisions that make the publication of a privacy notice mandatory, or those expand on the rights of individuals and clarify the powers of data subjects.

More than ever, the field of privacy, cybersecurity and data protection is in constant evolution.  We hope that you will enjoy the many changes and updates brought in this Supplement No. 36 of our Global Privacy and Security Law treatise.   

---

^[1] The UK was still an EU member state at that time.

To be sent January 2021

The world will remember 2020 as a year of major events of drastic consequences in so many respects. While the Covid pandemic affected so directly and so massively people, minds, families and economies, it also prompted the adoption of new laws or regulations, including some that touched directly on the collection and use of personal data.  Several of the chapter supplements provided today describe those new rules, adopted throughout the world, to address the many ways in which the pandemic changed the way in which we live, work, or communicate. These changes affected the protection of the privacy and security of personal and business data in so many ways.

There was more than just the tsunami of tragedies and disruptions caused by the pandemic. The global Data Privacy and Security legal framework was also significantly rattled and shattered. The consequences of certain events that occurred in 2020 will be felt for many years to come. 

Several initiatives centered in the European Union are toughening the conditions for access to, and exchange of personal data, hampering the movement of people, goods and services, creating uncertainty and havoc in global business, and causing unnecessary compliance expenses. The July 2020 decision of the Court of Justice of the European Union in the Schrems II case did not just shatter the EU US Privacy Shield program. It is also drastically changing the way in which personal data may be transferred out of the European Economic Area to most of the rest of world.  The uncertainty and havoc created by, or expected from, the ripple effects of the EUCJ Schrems II decision and its aftermaths will be felt for several months or years until a new balance can be developed.

2020 also saw ripple effects of other initiatives of the European Union in the domain of the protection of personal data.  As you recall, the adoption of the 1995 EU Data Protection Directive (95/46/EC) and its implementation in the national laws of the EU and EEA member states caused a dozen of countries, over time, to request to be recognized as providing “adequate protection” to personal data, meaning a protection similar to that which was offered to EU/EEA citizens in accordance with the principles defined in Directive 95/46/EC. With the adoption of the EU General Data Protection Regulation (GDPR), which significantly modifies the concepts laid down in Directive 95/46/EC, those countries that have been recognized as providing “adequate protection” are now adopting or preparing to adopt new laws or amendments to their existing privacy and data protection laws so that they can ensure that they will also be deemed to provide “adequate protection” when their laws are compared against GDPR, the new EU/EEA base data protection law. This is the case for Argentina, Uruguay, New Zealand, Switzerland, Japan, and Canada, for example. Some of these new laws or bills are described in this supplement, and the remainder will be provided in the next supplements.

In the United States, California continues to lead the development of personal data protection laws, and has again been in the limelight for its attempt to increase the protection of consumers’ personal data.  After the chaotic adoption of the controversial California Consumer Privacy Act of 2018 (CCPA) by the California legislature, in November 2020, California citizens voted to adopt a ballot whose ultimate effect with be the replacement of CCPA by a new law, effective as of January 1, 2023, the CPRA or California Privacy Rights Act.  CPRA will expand and toughen the CCPA. Like CCPA, the CPRA has some common elements with GDPR and other data protection laws of the world but takes a drastically different approach. WARNING:  Compliance with GDPR does not mean that all aspects of CCPA or CPRA are covered.  To meet CCPA or CPRA, companies must go back to the drawing board and conduct a careful gap analysis.

This Global Privacy and Security Law treatise is now over 5,000-page long.  While the number of data protection laws has drastically increased over the years, are consumers receiving better protection for their personal data? While the length of privacy and cookie notices has also significantly increased, and new laws grant consumers a wide variety of “privacy rights”, does the average consumer, in any country blessed with a 50- to 150- page privacy or data protection law, understand his/her rights or take advantage of the options offered to them?  Is there a better way to raise consumers’ awareness of the uses and misuses of their personal data? Are there better means to prevent data hogs and unscrupulous entities from misusing or monetizing the details of an individual’s life? 

Sent to subscribers in September 2020

The COVID pandemic has drastically changed the way each of us lives, works or communicates. Less than a year into it, and with dim prospects for the months or years to come, businesses are struggling to respond to conditions and restrictions that are unlike anything else they anticipated or experienced previously. Entire industry segments, such as travel, hospitality, food or entertainment are more-or-less in a state of coma. Employers who used to discourage telecommuting are now requiring their staff to work from home. Businesses are trying to reinvent themselves. Little by little, each country is attempting to adapt to the new reality, and address the variety of issues presented by the havoc caused by the magnitude and intensity of the attack on people’s health and condition. 

Personal data has not been spared by the pandemic. In a world knocked down by a powerful, destructive virus, sensitive personal information is relevant and necessary (or is it really?) to almost every aspect of a person’s public and personal life. Very sensitive information about each individual is often a key element in addressing the care of that person, in avoiding contagion, in analyzing the effects of a drug, in gathering data about the death toll or other statistics, and much more. Governments and their agencies, at time too slowly, are realizing that in the fight against the virus, privacy and the protection of privacy rights are at risk if limits are not set to how much information can be collected and what can be done with that information. 

In this Supplement #33, you will find out, among other things, how some countries have reacted to the effects that the pandemic is having on the use and potential misuse of personal data. As is often the case, there are times where privacy rights and security and safety end-up on opposite sides, and both aspects must be balanced. In this case, the privacy and data protection laws and principles may serve to guide governments, legislators and other who collect, use or share personal data.  

In the past few months, numerous countries have recognized this tension and developed guidelines for their constituencies on different aspects of the response to the pandemic as it relates to the protection of personal data.  For example, in this Supplement #33 you can read about:

Government Regulations

• Israel passed temporary, emergency regulations to permit the tracking of data that in other circumstances would be considered extremely sensitive, such as people’s names, identification number, health status and location.  These measures were justified to the extent that they meet the principles of good faith, reasonability and proportionality.

Guidelines

• In Greece, the data protection authority published guidelines regarding the use of personal data by employers.
• In Slovakia, the data protection authority published a series of opinions and guidelines regarding the measurement of temperature for employees and visitors to the workplace, guidelines for ensuring the security of employees’ laptops used when working from home, and guidelines on the use of location data and contract tracking tools in the context of the COVID outbreak. 
• In the Philippines, the data supervisor authority issued guidelines regarding the collection of personal data, to ensure that only data that was “necessary” be collected, and that it be disclosed “only to the proper authority”. It also issued guidelines for health institutions and their data protection officers regarding the use and disclosure of sensitive data.  The data protection authority also published guidelines on general security measures to organization operating under a Work from Home arrangement (WFH), to be applied both during the pandemic and whenever any telecommuting arrangement is implemented.

Enforcement Actions

• In Norway, the data protection authority blocked the use of a contact tracing app launched by the Norwegian Institute of Public Health, which required users to provide personal data both for contact tracing and for analysis and research without giving the opportunity to consent to only one of the purposes separately.
• In Chile, the Ministry of Health and the Ministry of Transport and Telecommunications announced that the use of GPS technology on cellphones would be analyzed to observe the population’s mobility during the pandemic.  However, the Transparency Council stated that it wants to review the detail of the initiative because it may be inappropriate. As of the date of this writing no rules on the subject has been published. 

Legal Moratorium

• Brazil postponed the date of entry into force of its new data protection law, the LGPD.  The entry into force of the law is postponed to May 3, 2021 and the administrative penalties provisions will enter into force in August 2021.

Despite the grim times, Supplement #33 also brings good news.  

After 7 years in a holding pattern, the data protection law of South Africa is now in effect!  Enacted by the South Africa Parliament in July 2013, the Protection of Personal Information Act (or POPIA) was approved by the President and became a law in November 2013.  After many years of waiting and pressure from the Information Regulator for the commencement of the law, the South Africa President proclaimed the commencement date of POPIA to be July 1, 2020.  The law is now fully in effect and organizations have a one-year grace period (computed from July 1, 2020) to ensure that all of their processing of personal data comply with the new law.  Thus, on July 1, 2021, all processing of personal data in South Africa must comply with POPIA.

To our subscribers:  Thank you for subscribing to this treatise

To all contributors to this Supplement #33:  Thank you for your timely reports.

To the Wolters Kluwer and CCH  teams who make this treatise happen and work tirelessly to deliver each supplement on time: Thank you for your hard work.

To everyone:  Keep safe! Keep healthy!

Sent to subscribers in May 2020

As I am writing this note, the global tsunami effect of the Coronavirus is shaking, affecting, or perhaps destroying public health, businesses, work life, and family reunions. COVID-19 news and the defense against the Coronavirus have become the central part of our daily preoccupations. The outbreak and spreading of the virus on a global scale present challenging issues to which a significant number of public and private entities appear to have been ill-prepared.

While most of the updates to the chapters that are part of this Supplement #32 were written at a time when the threat and global effects of the virus in a particular country were not yet felt or anticipated, some of our contributors were living and working in difficult conditions under strict lockdown orders.

Special thanks to Marissa Xiao Dong and Guo Jinghe (China) and Raffaele Zallone (Italy) for producing their country updates while their respective countries and healthcare systems were deeply shaken by the effect of the destructive contagion. They worked on their country updates during their respective “lockdown,” “confinement,” “self-isolation,” or “retrenchment” periods. Thank you for your team spirit and the gift of your time in such dramatic circumstances.

The seriousness and intensity of the attack on people’s health and the dramatic consequences for countries’ healthcare ecosystems have significant business and legal implications involving almost every possible area: advertising, admiralty, bankruptcy, children, commercial, contracts, education, employment, health, insurance, telecommunications, telemarketing, torts, trademarks, trade secrets, and much more.

Privacy and information security are among the legal and practical issues to take into account. Privacy is highly vulnerable in a time  when public health concerns may not be consistent with personal interest or civil liberties. Consider, for example, the civil rights concerns related to the collection of location data to track the path of the virus.

Most existing privacy and data protection laws do not address, or only at the highest level, how to handle personal information in case of a major event. How much information should be disclosed when an employer faces the fact that one employee has been infected? Who should be provided with the information? When looking at the interests of the community, providing transparency and disclosing the details of the effect of the virus may help save lives. Collecting or sharing personal details that may allow tracking an individual’s whereabout might help identify useful information or trends that help fight against the spread of the virus but also opens the door to monitoring and surveillance and provides a means of encroaching on civil liberties, the future effect of which might not be stopped.

Significant security concerns are also at the forefront. The quarantine or isolation strategies require businesses and government agencies to send their personnel home to be shielded from contagion. While they help reduce the risk of infection, these strategies may put at risk the security shield that protects files and data. What level of security is provided to the confidential or strategic business records or the highly sensitive personal information that are now processed on a family computer, on the proverbial “kitchen table”? How is the security of the information preserved? What is the level of awareness of the potential risks to the confidentiality and security of all the contracts, reports, customer lists that are transferred among co-workers, or between a worker and the company’s headquarters where internal measures, physical and technical security might be lacking or deficient, and there is little experience or training on how to protect the company’s crown jewels, or those of its clients or customer?

I hope that our next Supplement will be produced in less dramatic and concerning circumstances.

Keep safe! Keep healthy!

Sent to subscribers in January 2020

Happy 10^th Anniversary! With the delivery of Supplement #30, which we completed during the fourth quarter of 2019, we celebrated the 10^th anniversary of the publication of the first issue of the Global Privacy and Security Law treatise. Wow! Back in 2005 when I started designing the concept and outlining the treatise, I never imagined that I would be writing about the 10^thanniversary of its publication now, a few days before Thanksgiving 2019. 

Anniversaries are a time to reflect on accomplishments and thank those who contributed to the realization of those accomplishments.

First, I want to thank all subscribers for their continued interest in, and enthusiasm for, the Global Privacy and Security Lawtreatise over the years. Thank you for your support! It is your enthusiasm for our work that pushes us, for each supplement, to bring you the best we can write, and inform you of the most recent developments we can identify or upcoming ones. Parts of this treatise were written because of questions from subscribers who had a particular interest in a topic or a country. Thank you for these questions! They have provided incentives for exploring further the world of privacy and security, and sharing these laws and trends with each other. Please feel free to write to me at fgilbert@globalprivacybook.com with more ideas, questions or challenges.

Many thanks to all those who have contributed their time and knowledge, and made this work progress, expand and remain up-to-date and relevant. Our treatise was the first to identify the variety and breath of issues related to the protection of personal data and privacy rights. It provides a unique tool for understanding the complex nuances of the numerous data privacy and security laws in 68 countries on all continents. Additional countries will be included in the upcoming versions. Today, the treatise remains, by far, the most comprehensive and complete work and analysis of global privacy and data security issues worldwide. We owe it to our team of attorneys around the world and their respective associates and administrative assistants who regularly supplement the country chapters, conduct research, and draft supplemental sections or proofread them. I am thankful to have been able to gather such an outstanding team.

Many thanks, as well, to the team at Wolters Kluwer, especially Kate Brady and Mallika Krishnan, and their respective colleagues. Thank you for keeping us on schedule. Thank you for following up, for your careful and meticulous work, for catching inconspicuous typos, and making each chapter look good.

And thank you, Jacques, my wonderful husband, for participating in the editing and proofreading the 100+ documents that form the treatise, especially when my full time job as an attorney competes with editing responsibilities and publishing deadlines. Thank you for designing and maintaining the successive versions of the website for the treatise, at www.globalprivacybook.com. Thank you for your encouragements, and your unconditional support of my initiatives.

Anniversaries are also a time to look at the past and prepare for the future. As I reflect on the past few years, I am amazed at the trajectory that privacy and data security laws have taken. When I decided to write the first version of this treatise, it felt like a quixotic adventure. Few companies appreciated the strategic value of personal data and few attorneys were aware that privacy and data security laws existed. The United States had a patchwork of federal and state laws that addressed the protection of some categories of personal data, but law schools did not yet offer classes on the topic. 

At the global level, only about 25% of the United Nation Members had adopted a national data protection law. Most of these laws emanated from countries within Western Europe, and derived from a handful of seminal documents such as the OECD Privacy and Security Guidelines, Convention 108 of the Council of Europe, or the 1995 Data Protection Directive. There was limited compliance and little enforcement. Outside Western Europe, several countries had adopted national data protection laws that tracked European data protection laws. In Asia, for example, early adopters included members of the former British Empire, Hong Kong, Australia and New Zealand. In the northern part of Asia, South Korea and Japan had developed their own laws, but little was happening in China or India. Asia was only tiptoeing into regulating the use of personal data as a regional initiative. The APEC Privacy Framework, considered a response to the work of the European Union and the OECD, had just been launched in 2004.

As we reach the end of 2019, more than 130 countries have passed and are enforcing comprehensive privacy and data protection laws. China has now a wide range of laws addressing the protection of personal data. Brazil’s data protection law will enter into effect on February 14, 2020. On the corporate front, two major acquisitions or divestitures by some of the major entities providing services to related to personal data protection and compliance were just announced. And, unfortunately, the rate of misuse or illegal use of personal data has risen exponentially. 

In the meantime, the United States, despite having more than one thousand federal or state laws addressing the protection of specific categories of personal data, is still viewed, worldwide, as lacking laws that provide “adequate protection” of personal data or privacy rights. US companies are plagued by the “GDPR effect” and the “CCPA Tsunami”. There is little hope that the United States Congress will soon pass a national, comprehensive law addressing the privacy and security of all personal data in all circumstances and applying uniformly throughout the United Stated.

As we embark on another ten-year adventure in privacy and data security, it is exciting to see the wide range of issues and nuances raised by the myriad ways in which information relating to individuals can be collected, used or distilled to be associated to individuals, in order to create profiles and identifying patterns. There is still so much to explore about the protection, use and secondary uses of personal data. Artificial Intelligence, the Internet of Things ecosystem and the development of blockchain technologies, among others, are paving the way to new technologies and new concepts that push the limits of exploration, and invite our Global Privacy and Security Law treatise team to investigate and analyze. 

And . . .  one more thing! I am also embarking into another personal adventure. In August 2019, I launched a new company: DataMinding whose website is located at www.dataminding.com. With DataMinding, I will continue to work with my clients, while exploring the new frontiers of data privacy and security law, and addressing or anticipating the upcoming uses – or misuses – of personal data.

I look forward to continuing to lead our Global Privacy and Data Security law adventure, and to exchanging questions, sharing ideas, and responding to challenges from subscribers, colleagues and everyone else.

Sent to subscribers in September 2019

2019 continues to be a year of intense activity around the protection of personal data. The adoption and implementation of the EU General Data Protection Regulation (GDPR) are having a viral effect around the world. Several countries have recently adopted their first data protection laws, for example, Brazil (during the summer of 2018) and, more recently, Thailand and Uzbekistan (to be added to this treatise in upcoming supplements). Elsewhere, countries are updating or amending their laws or supplementing them with additional laws. Below are examples of some of the recent developments that are described in further detail in the chapters of this 30th Supplement of the Global Privacy and Security Law treatise.

Argentina

Argentina passed it first Personal Data Protection Act years ago. It is one of the few countries that the European Commission has determined provides an adequate level of protection of personal data. In its Disposition 47/18, issued by the National Directorate of Personal Data Protection in July 2018, Argentina expands the scope of its provisions regarding information security. Disposition 47/18 identifies a series of suggestions regarding security requirements. The suggestions follow the international standards, especially the ones of the European Union. Among other things, Disposition 47/18 suggests that entities affected by a breach of security report the breach to the Application Authority and appoint a security officer who will be in charge of reporting data breaches and to be the liaison with the Application Authority.

Austria

In Austria, the Austrian Data Protection Authority and the courts have actively prosecuted violations of the GDPR. The first decision of the DSB (the Austrian Data Protection authority) applying the GDPR was published on June 26, 2018. It determined that GDPR Art. 15 covers a customer’s request to obtain his or her historical bank account statements free of charge if no third-party rights are endangered. The DSB issued several decisions on the formalities of a data subject’s request. It has also ruled that the use of dash-cams is generally not in line with the legal data protection framework. In a rare case involving GDPR Art. 85, the DSB ruled on the availability of information to individuals and the privilege of “freedom of information.”

Brazil

Brazil amended its recently adopted Privacy Act (which becomes effective on February 14, 2020) to formerly provide for the existence of a National Data Protection Authority (NDPA). While the Privacy Act originally approved by the Brazilian Congress created the NDPA as an independent federal agency linked to the Ministry of Justice, the concept was vetoed by the President of Brazil on constitutional grounds in the law-making process. The NDPA itself and its rules of operation have been reintroduced by the President by means of a provisional measure, and the existence of the NDPA was confirmed through the enactment of Federal Law 13,853, on July 9, 2019. The NDPA in turn will draft and issue other rules and provisions concerning specific requirements and guidelines to data collectors that are generally addressed in the Privacy Act, as well as the rules applicable to administrative procedures.

Brazil also adopted the Positive Credit Rating Law. The law sets out several obligations for the data controllers and conditions applicable to the collection, use, and sharing of financial information of the data subjects (individuals or legal entities) with other databases, as well as general access, amendment, cancellation, and opt-out rights for the data subjects.

India

While India is finalizing its national data protection law, its central government passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Ordinance, 2019 (the Aadhaar Ordinance) amending the Aadhaar Act in February 2019. The Aadhaar Ordinance introduces the method of offline verification of an individual’s identity using their Aadhaar in the manner provided by Unique Identification Authority of India. The ordinance further proposes that individuals may voluntarily use Aadhaar to establish their identities using authentication or offline verification with another private entity if that private entity complies with the applicable security and privacy safeguards and is permitted to carry out Aadhaar authentication by law or is seeking authentication for a purpose that the central government has prescribed to be in the interest of the state.

Italy

In the second quarter of 2019, the Italian Data Protection Authority (DPA) issued a number of significant decisions. It ordered Mediamarket, a subsidiary of the retailer Mediaworld, to cease and desist the processing of large amounts of personal data of customers collected before the GDPR and used for massive mailing of marketing materials. It found that the information notice and the consent did not comply with the law, but that they both had been changed after the effectiveness of the GDPR. There was no fine assessed, but the company received a cease-and-desist order.

The DPA did impose a fine of one million euros on Facebook with respect to the Cambridge Analytica case. The Italian DPA issued the fine against both Facebook Ireland and Facebook Italy, as co-processors. The procedure was under the old Italian law and not under the GDPR, which explains the amount of the fine.

Uruguay

Like Argentina, Uruguay was one the first countries that the European Commission determined provides adequate protection for personal data and privacy rights. In late 2018, Uruguay adopted an amendment to its original data protection law in the form of Ley de Presupuesto Nacional que modifica la Ley No. 18.331 (October 25, 2018) (National Budget Law Amending Law 18.331). The purpose of the law is to align Uruguay’s data protection law, Law 18.331, to the GDPR. The  amendment extends the geographic scope of the data protection law to data controllers that are not established in Uruguay but target Uruguayan inhabitants for the purpose of selling them goods or services and collect their personal information to analyze their behavior. It also adds the obligation to immediately report a data breach, the principle of proactive responsibility, and the obligation to appoint a Data Protection Officer in certain cases.

Sent to subscribers in May 2019

Almost one year after GDPR Day, the European Union Member States have not yet fully completed their implementation of the EU General Data Protection Regulation (GDPR) into their national laws. While the GDPR became applicable as of May 25, 2018, and is fully in effect throughout the European Union, each Member State has the opportunity to make changes or additions to approximately 50 clauses of the GDPR. Some Member States have already done so, but a few are behind. In Supplement #29, we provide new information about changes in several Member States. 

In the meantime, the EU data supervisory authorities have begun enforcement actions against violators. These actions have resulted in a wide range of fines. The smallest fine so far is approximatively €5,000. The largest fine was assessed in January 2019 by CNIL, the French data supervisory authority, against Google and amounts to €50 million. A summary of the Googleopinion is provided in Chapter 06A. Google is appealing the decision primarily on jurisdictional grounds.

In addition to the GDPR, a new law has become “the talk of the town”: The California Consumer Privacy Act (CCPA). The CCPA was passed in California at the end of June 2018 and amended in August 2018. More than 40 amending bills have been filed in an attempt to amend it further. The CCPA is expected to take effect on January 1, 2020, unless a federal omnibus data protection law is passed in the U.S. Congress that supersedes the CCPA. As it stands currently, the CCPA grants California residents rights of information, access, erasure, and objection that have significant similarities with those provided to EU residents under the GDPR. The CCPA is of interest to all companies worldwide that do   business with California residents or are located in California. It also applies to companies that control a business that is subject to the CCPA. The scope of the law and its requirements are described in Chapter 65.

As we are approaching the 10th anniversary of this treatise, it is fascinating to look back and evaluate the significant changes, evolution, and expansion of the law of the protection of personal information.

---

Sent to subscribers in January 2019

As 2018 is ending, the enforcement of the General Data Protection Regulation (GDPR) remains the most important event of the year. The GDPR will be remembered as a significant paradigm shift throughout the world because of its extensive scope. The entire world has become “GDPR-ized.” In this supplement, we provide a number of updates to chapters pertaining to activities throughout the European Union and European Economic Area (EEA) resulting from the switch to the GDPR.

During the middle part of 2018, a series of official documents regarding the interpretation of the GDPR were finalized. The Article 29 Working Party, under its new name—EU Data Protection Board (EDPB)—and its slightly different composition, has officially replaced the Article 29 Working Party. As part of its first activities, the EDPB endorsed numerous guidelines and opinions that were prepared under the Article 29 Working Party. The EDPB has a new website, and this supplement provides numerous new links to the guidelines managed by the EDPB.

As provided in and throughout the GDPR, the Member States are slowly implementing the GDPR in their own laws. This is being done both by integrating the GDPR in their own legal frameworks and by adopting additional provisions. As expected, each country is implementing the GDPR in its own way. In this supplement, we provide updates from Belgium, Estonia, Finland, Lithuania, Malta, the Netherlands, Slovakia, and Sweden.

Switzerland, which is not part of the EEA, is also attempting to update its laws to retain consistency with the GDPR but has not yet agreed to a final draft of its updates. We provide a short summary of its efforts and projects.

Outside the European region, there are changes in Latin America. The most significant one was Brazil’s adoption of its first data protection law, which occurred during the summer and was reported in our prior supplement. In this supplement, we provide an update on activities in Chile. Chile was the first Latin American country to adopt a data protection law in the 1990s. It is now inching toward modernization of its legal framework to keep up with developments in the privacy/cybersecurity area so that it can provide protections that are consistent with those provided by its neighbors in Latin America.

By the time this supplement is completed and shipped to our subscribers, it will be 2019. Our team of writers, contributors, editors, and technical assistants wishes all subscribers a very happy new year. Many thanks to all of you for your interest in our work.

Finally, a personal note on behalf of our team. 2019 will be a special year for us. In September 2019, we will celebrate the 10th anniversary of the first publication of our two-volume Global Privacy and Security Law treatise! The privacy/cybersecurity world has changed so much in 10 years.

Sent to subscribers in September 2018

At long last, the GDPR is in force.  It has been a long process.  I still remember reviewing the first draft of a GDPR in November 2011, and after that, all the successive drafts, wondering how long it would take to get to launch.

Here we are, almost 7 years later, GDPR is in effect! When you receive this set of supplements, GDPR will be celebrating the four-month anniversary of its enforcement date. It is still taking baby steps.  In the meantime, the first sets of lawsuits claiming violation of individuals’ rights under GDPR were filed on the inaugural day, May 25, 2018.

The GDPR grants Member States the ability to supplement some of its provisions. It was hoped that EU Member States would take advantage of the two-year period between signature of the law and the enforcement date to take the measures necessary to implement the GDPR into their national laws and take advantage of their ability to supplement it.  Some did take advantage of this opportunity. Germany and Austria were the first to have completed the process. Nevertheless, a significant number of EEA Member States are still struggling.  In numerous cases, bills are pending and still being discussed. Others are almost done; for example, Italy

While not a member of the European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR as part of its agreements with the EEA Member States.  The Swiss parliament is said to be working on a draft.

Outside the EEA region, countries are actively working on the improvement or development of their data protection laws.  On August 14, 2018, the president of Brazil signed the country first data protection law.  That laws contains numerous references to the GDPR.  Across the Andes, Chile is also working actively on developing further its existing data protection law, to bring it to current international standards.

At end of June 2018, California passed the California Consumer Privacy Act (CCPA).  Like the GDPR, the statute has a very broad reach. It applies to most business entities that collect personal information of California residents and operate in California. In the next Supplement, we will provide a summary of the CCPA, and describe the circumstances of its very turbulent launch.

According to its terms, the statute becomes effective as of January 1, 2020. However, because of its controversial content, the statute has been attacked for a variety of reasons, and the launch date is becoming uncertain.  Since its signature by the California Governor, numerous activities have been ongoing in California to attempt to amend the statute and delay its enforcement date. There are also discussions at the Federal level, which are aiming at drafting a federal law that would supersede the California statute.

One of the most amazing features of the CCPA is its definition of “personal information.” It is probably the longest of all definitions of that term, worldwide. It is 345 word-long and extends over 13 paragraphs.

While the CCPA has been presented by some as a “mini GDPR,” it is much more liminted than the GDPR.  For example, unlike the GDPR, it does not contain general data processing principles and does not require a legal basis for the processing of personal information. CalCPA focuses primarily on providing consumers with a number of rights, such as a right of access and right of portability, in a manner similar to the GDPR. It also grants consumers the right to obtain from businesses that they cease selling, sharing or disclosing their personal information with or to third parties for commercial purposes.

CCPA grants a private right of action to California residents whose personal information was compromised in a breach of security. This addition to the existing California security breach landscape is likely to significantly increase litigation.