Updates

Supplement #42

To Be Sent January 2024

There is no doubt that one of the most significant legal developments of the past 30 years on a global scale has been the adoption of laws that govern the collection, use and misuse of personal data. Since the turn of the millennium, the number of countries with data protection laws has skyrocketed from about 30 to more than 160 now, a little over 80% of the United Nations members.

Personal data has become a key tool for growth and security. Businesses want access to personal data so that they can better target their potential customers. Governments want control over personal data as a way to control the movement of goods, services, and people; they also want access to information for law enforcement and national security purposes. 

Most of the data protection laws follow trends, standards, or global or regional guidance. It is not surprising that similar themes and obstacles usually appear in each of these laws. However, their substance or the barriers they create may vary significantly depending on history, culture or political regimes. 

When I look back at the supplements that we have created over the past 14 years since the original publication of the Global Privacy & Security Law Treatise, it is clear that the movement of personal data across the planet has been a major issue, with numerous cases, reports, litigation, or new laws. It has been a major disruption for businesses, and a major financial drain.

The transfer of personal data across borders (or remote access from a third country) is a common concern because of the loss of control. When national laws address access to or processing of their citizens’ personal data in a third country, they tend to impose stringent prerequisites to find a way to keep control. Obstacles range from data localization (i.e., no processing of personal data outside the country) to restrictions on the transfer of data to only those countries that are deemed to provide “adequate protection”.

So far, the European Union and the United States have been taking center stage. In this supplement #42, there is, again, major news concerning the transfer of personal data across the Atlantic Ocean, and the publication of long-awaited documents. Two pieces of good news, and one piece of bad news.

First, seven years after the adoption of the EU GDPR, the EDPB has finalized its views on the content of the BCR and the approval process in its Recommendations 01/2022 for the Preparation of the Applications for Approval and Elements to be Found in Controller Binding Corporate Rules. This document may help ease the burden of large multinational organizations in preparing their BCR and taking them through the related administrative maze for their approval.

Second, with the EU Commission’s adoption of the Implementing Decision concerning the adequacy of the EU-US Data Privacy Framework (2023) (“DPF”), entities that do business with US-based organizations will, at long last, be able to take advantage of the new Data Privacy Framework (DPF) as a legal basis for the transfer of personal data out of the EEA to the United States. The DPF is the third attempt since 2000 by the EU and the U.S. administration to find a way to facilitate the cross-border transfer of personal data to either side of the Atlantic Ocean for commercial purposes while taking into account the restrictions and requirements imposed by the EU data protection laws.

Unfortunately, this is not the happy ending that many would have hoped for. The DPF is already in danger. NOYB, the organization driven by Max Schrems (a key player in the Schrems I and Schrems II decisions of the EU Court of Justice), has announced that it will challenge the EU Commission Adequacy Decision because it believes that the Data Privacy Framework is largely a copy of the Privacy Shield and that it fails to address the same concerns related to “fundamental” surveillance issues. What this means in practice is that we expect another period of rocky times for cross-border transfers of personal data of EU citizens: more litigation and appeals, and a new decision by the European Court of Justice in a few years.

Chapter 10 explains the details of the EDPB’s Recommendations 01/2022 on the Binding Corporate Rules for Controllers, and those of the EU Commission Implementing Decision on the EU-US Data Privacy Framework (“DPF”). With these structures in place, and – hopefully – valid for a few years, organizations that receive (or have remote access to) personal data of EEA citizens can focus on rebuilding their templates to accommodate the new regime. It is not clear, however, whether a DPF + SCC belt-and-suspenders approach similar to that used in the recent past will be sufficient to withstand the upcoming hurdles and uncertainties. Would a more drastic change be a more successful course of action?

The European Commission has been very active, and not just in the area of the protection of personal data and privacy rights in cross-border transfers. Among other news, Chapter 5 discusses a recent initiative by the European Commission that would supplement the GDPR in the form of a new regulation. The working title for the proposed new regulation is Regulation Laying Down Additional Procedural Rules Relating to the Enforcement of the GDPR. The proposed regulation would define specific rules for the review of complaints pertaining to issues currently raised concurrently in several Member States, the requirements for the content of those complaints, and the methods for resolving disputes among DPAs on the handling of the case.

Outside Europe, there are interesting developments, as well. The hurdles and obstacles arising from attempts at developing a workable framework for the cross-border transfer of personal data are trickling out of the European Economic Area and spreading to the rest of the world. The need to ensure that personal data, once transferred to a foreign country, will be treated with the same care and restraint as in its country of origin is becoming a general concern, as governments are becoming increasingly aware of the aggressive practices of certain countries. In Supplement #41, we welcomed the formation of the Global CBPR Forum in 2022, created at the initiative of several APEC Member Economies, and dedicated a new Chapter 15 to this new global organization. With Supplement #42, Chapter 15 is expanded to provide additional details on the proposed operation of the Global CBPR Forum. We also provide new information on its legal structure and organization, including a report on the acceptance of the United Kingdom as the first Associate Member.

Of the numerous country updates, several are of note. For instance:

AUSTRALIA

While Australia is in the midst of making changes to its law, most of these changes are not yet finalized. Meanwhile, the Australia chapter provides information on important requirements regarding the disposal of files containing personal information. In the State of Victoria, amendments to the Occupational Health and Safety Law require the deletion of all vaccination information collected during the COVID-19 pandemic period. Conversely, two states have adopted laws requiring the retention of health information for specified periods. In addition, the chapter reflects recent key amendments to the Australian Privacy Act concerning extraterritorial application, penalties, and the ability of the data protection commissioner to share information acquired during an investigation where that information is in the public interest.

INDIA

At long last, India has adopted a national data protection law, the Digital Personal Data Protection Act 2023. This new law is the result of years of effort. The final version as adopted by India’s President contains numerous structures that are similar to the traditional model that we see in numerous jurisdictions, including an obligation to report personal data breaches. However, there are also idiosyncrasies. There is no clear indication concerning the rules or restrictions on the transfer of personal data out of the country. Informed consent is required for the collection and processing of personal data, but the effect of the consent is limited to only those personal data and activities that are related to the original reason for the consent request. Further, the law introduces new concepts, such as the “Consent Manager”, which acts as a single point of contact to give and manage consent. The concept of “Data Fiduciary” (equivalent to data controller) is supplemented by that of “Significant Data Fiduciary”.

JAPAN

In 2022, Japan worked diligently on the update of its national data protection law, the APPI, and it was recently announced that the European Commission and Japan had successfully completed the first periodic review of the Japan-EU Adequacy arrangement adopted in 2019. Our update also reviews the requirements of Japan’s new Cookie Regulation, which was adopted as an update to the country’s Telecom Act. It also provides a detailed report on the activities of the PPC, the Japanese data protection authority, and an overview of recent enforcement actions initiated by the PPC.

SOUTH AFRICA

South Africa is actively developing its structures surrounding the enforcement of POPIA, its new data protection law. A new Enforcement Committee, established by the country’s Information Regulator, has been created to review all the complaints that it will receive regarding infringements of the POPIA and/or the PAIA. Rules for the operation of the Enforcement Committee are being prepared. The chapter update also provides summaries of recent enforcement actions by the country’s Information Regulator.

SOUTH KOREA (Republic of Korea)

In 2023, the Republic of Korea adopted numerous changes to its data protection law. Several provisions relating to consent have been changed. The number of situations where prior consent is not necessary has increased, making the range of exceptions available similar to those provided in the EU’s GDPR. There must be a specific, separate consent to the use of personal data for marketing purposes. The 2023 amendment introduces the concept of “visual data processing devices”, which is divided into “Fixed Visual Data Processing Devices” and “Mobile Data Processing Devices”. The amendment defines specific rules for the operation of each category of devices. The amendment contains numerous provisions that apply primarily to data processors or other third parties that receive access to personal data. Numerous provisions that applied only to data controllers will now also apply to data processors (or “outsourcees”). For instance, fines may now be imposed on data processors for violations of PIPA.

TURKEY

The Republic of Türkiye has adopted a new spelling for its name, and the United Nations has acknowledged this change and is now using the new spelling. So does our chapter on the country. The update to the chapter also provides information on recent enforcement actions. Also of note are the changes to the amounts of penalties for certain violations, which have been significantly increased to take into account the significant inflation in the country.

The Global Privacy and Security Law treatise is now available only in electronic form. For information on electronic subscriptions, please contact your Wolters Kluwer sales representative, or call Wolters Kluwer Customer Service at 1-800-638-8437.

If you are unable to order the online version of the Global Privacy and Security Law treatise, please contact Francoise Gilbert at fgilbert@globalprivacybook.com or by text at +1-650-804-1235.

Thank you

Francoise Gilbert


Supplement #41

Dear Subscribers,

We are pleased to share with you this Supplement No. 41. When this supplement reaches your desks or screens, we will be close to celebrating the 14th birthday of the treatise. The first edition of the GPAS was published in September 2009. So much has changed in the world of data law in the past fourteen years! The number of countries having adopted privacy or data protection laws has grown at a rapid pace, from less than 50 countries to nearly 150. The size of the treatise itself has grown, as well, from approximately 2,000 pages to over 6,500 pages.

Throughout Europe, the EU/EEA is actively working on third or fourth generation data laws, drafting and adopting new regulations and directives that take into account the changes in the technologies used to process personal data, and in the ways personal data is used or captured, in order to provide better, clearer, or more efficient structures and improve the protection of privacy and security. Concurrently, EU/EEA Member States are keeping pace, willingly or begrudgingly, at the national level.

Outside Europe, the first adopters are updating their existing laws, while numerous countries are adopting their first national laws. In both cases, this is most frequently an attempt to meet the EU gold standard. The GDPR, the EU’s General Data Protection Regulation, continues to be a major source of inspiration for numerous countries.

Throughout the world, the concepts of data protection, privacy or cybersecurity are no longer a novelty, known or understood by just a few. In many countries, there is a clear effort towards enforcement. The number of fines issued, and their amounts, are clearly increasing. In a few other countries, however, while laws exist, reality and practices are . . . different. 

Data location and the ability to transfer personal data across borders continue to be critical points of friction. In both cases, the problem is as treacherous as an iceberg. On the surface, the issue is that of the protection of personal data after its transfer to a third country. Deep under the surface, however, there is also a tug-of-war, a struggle for power, economic growth, or perhaps some form of supremacy.

The recent creation of the Global Cross-Border Privacy Rules Forum (or Global CBPR Forum), which was established in April 2022, could be related to this tug-of-war. To acknowledge this recent “fork” or “work around”, we have created a new chapter, Ch 16 Global Cross-Border Privacy Rules Forum. The Global Forum was developed at the initiative of seven founding members: Canada, Japan, South Korea, the Philippines, Singapore, Chinese Taipei, and the United States, all APEC economies. The United Kingdom has recently applied for membership. The goal of the Global Forum is to establish principles and objectives that would facilitate cross-border data transfers, such as through the recognition of certifications issued under other regimes.

In addition, we have updated several of the general chapters.

Chapter 03 Genesis, which provides an overview of the history of the development of data protection laws, contains new, additional details on the most significant milestones of the past 75 years. 

Chapter 07 EU General Data Protection Regulation has been significantly revised and provides links to the numerous documents issued by the European Data Protection Board and the European Data Protection Supervisor regarding the interpretation of the major provisions of the GDPR.

Chapter 10 Transfer of Personal Data Out of the EU/EEA continues to evolve and address the never-ending tug-of-war created by the barriers to transfer of personal data out of the EU/EEA. The most recent attempt at agreeing to the terms of a new transatlantic privacy framework is still in limbo despite significant efforts on both sides. Meanwhile, the EDPB is focusing its attention on updating the regime in place for binding corporate rules. Little guidance has been published in this area since the enactment of the GDPR. At long last, after spending significant efforts on developing the new Standard Contractual Clauses, the EDPB has published draft Recommendations on the Application for Approval and on the Elements to be Found in Controller Binding Corporate Rules. 

There are several country updates of note, as well.

In Canada, the most important components of Bill 64, which updates Quebec law on the protection of personal information will enter into effect in September 2023. Other aspects of the law – such as the breach notification – came into effect in September 2022. As of September 2023, the Quebec Privacy Act will require privacy impact assessment before communicating personal information out of Quebec, even to another Canadian province.

As an example of the increased efforts of the national supervisory authorities to enforce the GDPR and conduct enforcement actions, the Denmark chapter has been supplemented with a comprehensive survey of enforcement actions and related penalties.

India continues its effort at adopting a comprehensive data protection law. The India chapter provides an update on the Draft Digital Personal Data Protection Bill 2022. The draft bill introduces the concept of trust. It refers to data controllers as “data fiduciaries”. There are also “significant data fiduciaries”, which the government identifies as having additional obligations, depending on several factors such as the volume and sensitivity of data processed.

The United Kingdom chapter provides an update on the evolution of the country’s efforts at modifying its current data protection law, which is based on the GDPR, to adapt it more closely to the culture and expectations of the UK political system.


Thank you

Francoise Gilbert


Supplement #40

Highlights to Supplement #40

Dear Subscribers,

We are pleased to share with you this Supplement No. 40. In our survey of the changes made for this supplement, both in the essential cornerstone structures (EU laws, data transfer restrictions) and in the country chapters, we observe several interesting trends.

– Within the EU/EEA area, the EU agencies and regulators are continuing to drive change, and creating new regulations or directives to provide better structure and improve the protection of privacy and security, as well as the means for such protection. 

– Outside Europe, the GDPR continues to be a major driver and a guide for the update of existing laws. An increasing number of countries are trying to adapt their laws to meet the new rules that were set in the EU GDPR. 

– Finally, throughout the world, we also observe a trend towards more enforcement and stricter fines. Numerous countries are increasing the amount of fines assessed against violators either by applying their existing laws, or by updating their laws to increase penalties. 

Specific examples of these trends are provided below.

Development of EU Laws

Our chapter on the key data directives and regulations has been significantly updated and supplemented to show both the historical and the current drivers of the development of the privacy and data protection laws in the EU. We also describe the most recent directives and regulations that are building a comprehensive security ecosystem. The current and upcoming directives and regulations in this area have an increasingly wide scope, and cover a wider variety of industry sectors and of potential attacks on networks and information systems.

While these new laws have a broader scope than the regulations and directives focusing on personal data, because they focus on data security in general (as opposed to being limited to the security of personal data), they are, nevertheless, also part of the general privacy and data protection landscape. The security measures and structures mandated by these directives and regulations concern both the personal data held in those systems and data other than personal data.

On another note, there is progress in the never-ending saga of the legal basis for data transfers between the EU/EEA and the United States. Our chapter on Crossborder Data Transfers discusses the recent Executive Order issued by US President J. Biden related to the preparation of the package of agreements that are intended to form the Trans-Atlantic Data Privacy Framework, as needed to replace the defunct EU-US Privacy Shield.

Amendments to Existing Laws

The Argentina chapter describes the recent efforts to improve the data protection landscape, such as with the appointment of a new data protection commissioner and significant progress in the development of an updated privacy law.

Australia is also making efforts to supplement and expand its data protection landscape. In a recent case, the court found that the Privacy Commissioner had jurisdiction over a company registered and located in the United States because that entity placed cookies on users’ computers or devices located in Australia. The court found that, through the use of those cookies, the foreign-based entity was “carrying on business in Australia,” which in turn created the “Australian Link” required under Australian privacy law to establish jurisdiction over a foreign entity. This decision is of great importance to foreign entities doing business in Australia. Their online practices might create the “Australian Link” sufficient to bring them within the jurisdiction of Australian courts.

Israel is also working on amendments to its data protection laws, with changes that would align with some of the requirements brought in by the EU General Data Protection Regulation. For example, the proposed amendments would increase the amount of fines imposed on violators; the scope of registration obligations would be reduced to give regulators more time to focus on databases that pose significant threats to privacy, as well as monitoring and enforcement.

Now that the Brexit agreements have been finalized, it is not surprising that the United Kingdom would try to disentangle itself from some of the structures that were imposed by its EU membership and try to re-invent itself. The UK chapter provides a description of proposed amendments to the UK GDPR. Among amendments of note, the modified UK data protection law would be removing barriers to responsible innovation; reducing burdens on businesses and delivering better outcomes for people; boosting trade and removing barriers to data flows; improving public safety and national security; and creating new rules for digital identity and smart data.

Increased Penalties

The Slovakia chapter provides numerous summaries of recent cases. They provide excellent practical examples of situations where businesses can find themselves stumbling into a slippery situation, such as forwarding an anonymous submission to a third party which happens to have sufficient information to re-identify the author of the anonymous complaint, or the liability of an employer for violations of the laws caused by unauthorized actions taken by employees in the course of their employment.

The chapter on the Philippines provides an overview of the fines to be assessed against both data controllers and data processors (PICs and PIPs in the Philippine law) in case of violation of the law. The new fine structure distinguishes “Grave infractions,” “Major infractions” and “other infractions.” For the most serious infractions, the fine can reach up to 3% (three percent) of the entity’s annual gross income for the year preceding the year in which the infraction occurred, a level consistent with the fines under the EU GDPR.

The chapter on the Philippines also describes the country’s recent efforts at modernizing the systems used for the disclosure of security breaches. The new system is available online, and allows personal data controllers to submit their Personal Data Breach Notifications, and their Annual Security Incidents Reports online. 

Finally, Portugal, which was one of the first countries to issue large penalties shortly after the entry into force of the EU GDPR, is continuing with this trend. In the update to the Portugal chapter for this Supplement No. 40, we note a fine of 1.25 million euros against the Municipality of Lisbon for multiple violations of the law, including aggressive data processing practices concerning personal data of protestors.


Thank you.

Best regards,

Francoise Gilbert

Editor and Lead Author


Supplement #39

Dear Subscribers,

When this Supplement No. 39 is distributed worldwide to subscribers, in September 2022, we will be celebrating the 13th anniversary of the first publication of the Global Privacy and Security Law treatise. Since September 2009, so much has changed in the world of personal data, privacy rights, data protection and cybersecurity! Over that period, a large number of countries and economies have become aware of the critical importance of personal data as a fuel for their economies. More than ever, they appreciate the value of legal structures and enforcement mechanisms to govern the collection, use, protection, and crossborder transfer of personal data as a means to boost their international presence. Meanwhile, the size of this treatise has tripled, and its scope and number of chapters have also significantly increased.

As I look back at those 13 years, I am proud of what our team has accomplished, and where we stand now. When designing this treatise and shaping its outline, I aimed to provide, for each country or economy, the broadest possible range of practical information on the rules (or absence thereof) that governed personal data, focusing on those issues that would be relevant to private, commercial entities doing business internationally. I also thought it was important to explain these laws both in their local and international ecosystem, as well as in combination with the most significant legal, economic and cultural drivers that shaped them. Finally, I wanted each chapter to contain ample footnotes and references to help readers understand the intent and purpose of these laws, and provide them with useful tools to make informed decisions. Today, the treatise remains true to these objectives.

Global Privacy and Security Law remains by far the most complete, practical, documented and detailed compilation of summaries and analyses of the key data laws of the world, providing a look at both local laws and regulations, and the national and international structures in which they are created or implemented, such as constitutions, international or regional treaties, or decisions of international courts and organizations.

Most countries or economies have several data laws, national or sectoral, because personal data comes in many forms and formats. There is no “one size fits all” magic formula. While the most commonly known forms of personal data in the context of commerce or business concern information about a person’s identity or profile as a consumer or an employee, there are many other “flavors” with their idiosyncrasies, their sensitivity levels, or their uniqueness. Think, for instance, about location data, biometrics and genetic data, images, sounds, video recordings, cookies, communications (telephone, text, or emails), financial data, healthcare information, data about children or data about deceased persons. Think about the origin of these data, as well; they may be collected directly, indirectly, from the street or from the sky, may be derived from other personal data, and much more.

With this plethora of data and data uses, personal data cannot be governed by a single national law. There are many nuances. In each country or economy, beyond national, omnibus privacy or personal data protection laws (if any), there are sectoral laws, and related regulations and guidelines. There are constitutional rules and international treaties. There is jurisprudence. All of the pieces of this complex puzzle influence, supplement, modify, or at times supersede, the general laws, creating an ever-changing ecosystem. To properly plan and maintain its operations in a foreign country, an enterprise must constantly keep aware of all these factors and the relevant laws, regulations, jurisprudence and guidelines. It would be shortsighted or foolish to rely on brief synopses or highlights, which are too superficial and incomplete, to make an informed decision and anticipate the likely pitfalls of a foreign implementation.

For each country or economy featured in Global Privacy and Security Law, the chapter – often over 100 pages long, with several hundred footnotes – describes a wide variety of data laws that are relevant to business entities, not just the omnibus data protection law, if any. These other laws and regulations include, for instance, those that pertain to the collection and use of personal data in marketing, consumer profiling, cookies, banking and credit, biometrics and genetics, employment, telecommunications, CCTV, the use of drones in populated areas, anti-spam laws, or the use of artificial intelligence to evaluate personal data. Many chapters also look beyond the text of the laws and provide summaries of recent cases interpreting the laws, and comment on the lessons to be drawn from the decisions.

Local laws are only half of the story. A country does not function in a vacuum. It is frequently subject to rules created elsewhere, at the regional or international level. Thus, before delving into the country chapters, the first part of Global Privacy and Security Law provides detailed, critical background information about the numerous drivers that have been shaping data laws, worldwide, for over 60 years: the Privacy Guidelines of the Organization for Economic Co-operation and Development (OECD), the Privacy Framework of the Asia Pacific Economic Cooperation (APEC), or the European Union (EU) Regulations, Directives and Guidelines, to name a few. Some of these building blocks are part of what the privacy and data protection field has become today. And, because they are constantly evolving and being supplemented or updated, they are also part of the future. In all cases, they help explain the intent of the laws and other legal structures that are at the heart of this treatise. 

Businesses and their advisors must understand why laws exist and what they are intended to achieve to be able to design the products, services, contracts, policies and procedures that meet, in the most efficient and practical manner, the applicable legal requirements. 

In this Supplement No. 39, for example, we provide an update of the chapter on Transferring Personal Data out of the EU/EEA, with recent developments concerning both sets of the new Standard Contractual Clauses (2021). We have also extended our coverage of the Asia Pacific Region and the work of the key regional organizations that have helped shape personal data laws both in Asia Pacific and around the Pacific Rim and are currently actively promoting the adoption or improvement of privacy and data protection laws.

With this Supplement, we also welcome a new country, Saudi Arabia, which has recently adopted its first national data protection law and is in the midst of completing its regulations. In the prior Supplement, we welcomed Ecuador.

As always, much has happened in many countries since our last supplement, as well. Examples of recent local developments of note discussed in Supplement No. 39 include:

  • Italy has issued new rules on the use of cookies, which switch from an opt-out regime to a regime primarily relying on opt-in.
  • Japan has significantly updated its privacy and data protection framework, through a series of amendments to its national law, secondary laws, and guidelines. Among other things, the updated privacy framework introduces new concepts: “pseudonymously processed information,” “anonymously processed information,” and “personally referable information.” There are also extensive additions concerning security, security breach responses, and crossborder data transfers.
  • Malta and other countries are reporting on the implementation of the Whistleblower Protection Directive into their local laws, which requires businesses, among other things, to implement specific programs to facilitate the reporting of fraudulent activities in enterprises, while protecting and keeping highly confidential all information that might help identify the person reporting the activity.
  • Uruguay has issued new guidelines on the preparation of Data Protection Impact Assessments.
  • The Greece chapter provides summaries of recent enforcement actions related to the alleged misuse of personal data, including in the employment setting, in direct marketing practices, or in connection with security breaches.
  • The United Arab Emirates has supplemented its federal legal framework with its first Federal Data Protection Law. The law, adopted in 2021, is not yet in effect due to the delay in the completion of the related Executive Regulations. The UAE chapter update provides a full analysis of the Federal law as adopted.

We hope that you will enjoy the many changes and updates brought in this Supplement #39 of our Global Privacy and Security Law treatise, and thank you for your continued support of, and interest in, our work.

The Global Privacy and Security Law treatise is now available only in electronic form. For information on electronic subscriptions, please contact your Wolters Kluwer sales representative, or call Wolters Kluwer Customer Service at 1-800-638-8437.

If you are unable to order the online version of the Global Privacy and Security Law treatise, please contact Francoise Gilbert at fgilbert@globalprivacybook.com or by text at +1-650-804-1235.

Thank you

Best regards,

Francoise Gilbert


Supplement #38

Dear Subscribers,

I am pleased to present this Supplement #38 to our Global Privacy & Security Law treatise, and I take this opportunity to thank the many contributors who have participated in the preparation of the chapters being updated, as well as the administrative and editorial staff at Wolters Kluwer and their service providers.

I am delighted to welcome two new contributors:

United Kingdom: Leonard W. N. Hawkes

Leonard W.N. Hawkes, of the Flinn law firm, will be in charge of the United Kingdom chapter. Len practices English law as well as EU law and International law from Brussels. Among other things, Len lectures regularly on comparative law issues. His deep and broad experience in matters related to UK Law and his deep experience with the European Union are especially useful in helping us understand the unique aspects and broad consequences of the departure of the United Kingdom from the European Union.

Ecuador: Rafael Serrano Barrona

Rafael Serrano practices as an attorney at Corral Rosales where he heads the Data Protection department, with special emphasis on the protection of personal data, electronic commerce, and electronic and IT contracts. In addition, Rafael is a tenured professor at Universidad de las Américas, where he teaches New Technologies Law, among other subjects. He is Vice-President of the Ecuadorian Association for Data Protection (AEPD), and is an active member of international organizations focusing on technology and data protection, including ITechLaw and the International Association of Privacy Professionals (IAPP).

Recurring Themes

In this Supplement, we continue to see numerous countries updating or supplementing, or planning to update or supplement their data protection laws to add guidance and direction with respect to the disruptions caused by the pandemic.

Chile, for instance, is evaluating amendments to provisions concerning the principle of Limitation of Purpose, under which the collection of personal information in connection with credit applications would be limited when such collection is made in the context of a pandemic or similar public calamity.

In the Philippines, several bulletins and guidelines have been issued by the National Privacy Commission, in the context of the pandemic, including for example, concerning the limitation to the collection of personal information (e.g., collecting only what is necessary), protecting the patient from unauthorized disclosures, or security measures to be adopted when employees are commuting or working from home.

Other Additions of Note

Numerous chapters have been updated with new laws or amendments to existing laws.

The chapter on Switzerland has been extensively updated in view of the upcoming entry into effect of the new Swiss federal data protection law on January 1, 2023. The new Federal Act on Data Protection (2020) has numerous similarities with the EU General Data Protection Regulation (GDPR). For example, it includes new categories of sensitive personal information: genetic data and biometric data that uniquely identify an individual. It grants additional rights to data subjects: the right to data portability and the right to object to automated decision making. It also increases the obligations of data controllers and data processors, including, for instance, the obligation to maintain a record of processing, to conduct data protection impact assessments, or to disclose security breaches.

The chapter on China has been significantly updated in view of the adoption of PIPL, the Chinese Personal Information Protection Law. The law came into effect on November 1, 2021. It consists of 74 articles in eight chapters. It integrates the rights and obligations already found in the Civil Code, the Cybersecurity Law, the Information Security Technology (Personal Information Security Specification) and other laws and regulations.

The chapter on German laws has also been significantly updated due to the update of the Telemedia Act of 2007. The new law, named “Telecommunications and Telemedia Data Protection Act (TTDSG)” (2021), entered into effect as of December 1, 2021.

South Africa has adopted a new Cybercrimes Act, which commenced as of December 1, 2021. Only a portion of the chapters are fully in effect so far, including provisions giving extensive investigation and search powers to the police, and reporting obligations. 

The Czech Republic has updated its direct marketing laws to adopt an opt-in requirement, effective as of July 2022. The transition to an opt-in principle significantly affects how businesses may use telephone numbers acquired from public subscribers’ lists. Anyone who collects personal data (with telephone number) for publication in the subscribers’ lists is required to obtain informed consent to such publication. Anyone who wants to use for direct marketing purposes a telephone number acquired from these public subscribers’ lists may do so only if the subscriber’s opt-in for direct marketing is recorded with that number.

The Spain chapter now provides information about the regional data supervisory authorities, which operate in addition to the national data protection authority, the AEPD or Agencia Española de Protección de Datos. This includes the Data Protection Authorities of Catalunya and of the Basque Country. The specific, limited powers of these agencies are described in this supplement. 

Slovakia has also updated its laws, with the enactment of the Electronic Communications Act of 2022, which updates its cookie law. The updated law defines new rules for the use of cookies. It prohibits the use of technical or strictly necessary cookies without the prior provable (verifiable) consent of the concerned user. 

The additions to the Finland chapter describe, among others, several decisions of the country’s Sanctions Board that might be of interest not only to those practicing in that country but also to others who are doing business in other countries subject to GDPR. For example, a university was sanctioned for collecting employees’ location information as part of the collection of working hours. The application worked in a way that required saving location data during working hours, and the application would not record working hours without location data.

Lithuania adopted amendments to its Whistleblower Protection Law, which came into force on February 15, 2022, making the country one of the few who have met the requirements of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons who Report Breaches of Union law (Whistleblower Protection Directive). The Directive entered in force on 16 December 2019, and required all EU Member States to update their existing laws, or adopt new legislation to transpose the Directive into their national laws by December 17, 2021. 

We hope that you will enjoy the many changes and updates brought in this Supplement #38 of our Global Privacy and Security Law treatise, and thank you for your continued support of our work.


Supplement #37

To be sent January 2022

Happy Holidays and Happy New Year! We wish you a terrific new year, filled with joy, love, exciting discoveries and interesting projects. Good luck and good health to all of you, and your respective families, loved ones and friends.

One of the last things I do when putting together the package of updates to the numerous chapters of this treatise is to prepare these highlights. Of course, it is a time of great joy and pride. It makes me happy that our team has completed a difficult task on time, and to see that, in the end, all the pieces work together. 

On top of that, the true pleasure I get is when I can at long last, sit, stop, and look at all these chapter updates, observe their contents at the thousand feet level, and compare what each country or each region has done and how it integrates in the larger whole. I enjoy reading through the tea leaves and observing the trends of the time.

  • Throughout the world, Covid and its variants continue to provide substantial material for legislators. The pandemic and the new risks we discover each week raise thorny legal issues, including those concerning the interaction between data protection and vaccination requirements and other public health issues. Many of the countries participating in this Release No. 37 have adopted new guidance, guidelines, and laws focusing on some aspects of the pandemic and its risks. There are frequent questions on how to address the variants or how to handle mass vaccinations. There is also a common concern about privacy in the workplace: how to protect the privacy of an employee while also ensuring the safety of the others.
  • Numerous countries are increasingly interested in physical privacy, and in particular the different forms of invasion caused by drones and other unmanned vehicles. There have been several efforts at enacting laws that regulate the use of drones.
  • The invasion and potential infringement of privacy rights caused by the use of drones has even escalated at the Executive level. In France, CNIL, the French data protection authority has sanctioned the Ministry of Interior for having used drones equipped with cameras to monitor compliance with the COVID-19 lockdown measures in Paris. CNIL enjoined the Ministry to stop all drone flights until an order authorizes them.
  • Information collected through drones and other aircraft is raising new issues in India. There, Guidelines for Acquiring and Producing Geospatial Data and Geospatial Services including maps, were recently issued. They are intended to govern the collection, use and dissemination of geospatial data and maps. Among other things, the Guidelines require, in specified circumstances, that the collected data be stored and processed solely within India.
  • In the European Union and the European Economic Area, the EU General Data Protection Regulation (GDPR) is settling in. The Regulation is slowly permeating the legal systems and the cultures of the Member States. It feels like the engine is beginning to run a little more smoothly, and the “poketa, poketa, poketa” issues of the early days are slowly vanishing or being fixed.
  • While the implementation into national laws seems to have made good progress, and the usual pains of fitting a square peg in a round hole are fading, we are beginning to see more clearly how the new national laws derived from the GDPR are being applied, and the numerous cases being brought to court.
  • Most EU/EEA chapters describe recent cases, and the resulting penalties. Overall, more complaints are being filed, and the amount of the penalties assessed is increasing. While there is still an occasional consideration for a company’s efforts and willingness to cooperate with government authorities after an incident has been discovered, it is not always the case. Fines and penalties are being assessed more frequently; their amount is occasionally higher than in prior years. It seems that the informal transition period or unwritten moratorium is over, and regulators are increasingly taking a hard line, and expecting the regulated entities to get their act together.
  • It seems, however, that EU Member States are putting more energy into implementing the GDPR or litigating GDPR issues than into developing new legislation. The Whistleblower Protection Directive has only a few followers. The Member States have until the end of December 2021 to transpose the directive into their national laws, but so far, we see little progress in its implementation.
  • Finally, one of the major events of 2021 occurred in June 2021, as we were putting the last touches to Release #36. The EU Commission issued a group of modernized Standard Contractual Clauses to supersede the obsolete and aging original Standard Contractual Clauses, created during the 2000s, which were based on the 1995 EU Data Protection Directive, Directive 95/46 (EC). The new 2021 Standard Contractual Clauses address some of the crossborder transfer requirements raised by GDPR Article 46(2), and another template is intended to assist in meeting the requirements of GDPR Article 28, concerning written contracts between data controllers and their service providers.

More than ever, the field of privacy, cybersecurity and data protection is in constant evolution. This supplement will be more than 1,500 pages, I am told. Almost as many pages as the very first version of the entire treatise, published twelve years ago, in September 2009. A testament to the dramatic expansion of privacy, data protection law, cybersecurity, and related disciplines in the last twelve years.

We hope that you will enjoy the many changes and updates brought in this Supplement #37 of our Global Privacy and Security Law treatise, and thank you for your continued support of our work.


Supplement #36

To be sent September 2021

With the publication of this Supplement No. 36, we celebrate the 12th anniversary of the Global Privacy and Security Law treatise. The size of the manuscript has more than tripled as compared to the original version of September 2009. The volume and length of the laws and regulations we analyze have grown exponentially. We have added so much material and so many new chapters that it has become necessary to revise the way in which country chapters are organized. You will find some changes in the look of some of the chapters.

Concurrently, the way in which countries approach the protection of personal data has changed significantly. The field of privacy and cybersecurity is evolving and maturing. One of the major triggering events occurred a little over three years ago: the EU General Data Protection Regulation (GDPR) became enforceable as of May 26, 2018. At the time, it was an event of tsunami magnitude.

The adoption of GDPR made room for a modern legal framework that takes better account of the new information processing technologies. GDPR prompted the repeal of the aging 1995 EU Data Protection Directive and gave a facelift to the way personal data was protected in the EU. Three years later, the GDPR and its interpretation continue to appear regularly in the news headlines, and to make waves throughout the world. The facelift is not limited to Europe. The ripple effects resulting from the launch of the GDPR are becoming clearly visible on all continents.

First, in the last years of the 2010’s, the members of the European Union and the European Economic Area modified or adjusted their laws to implement the GDPR in their national privacy and data protection frameworks. They also had to modify or update their other national laws, for example their labor laws, to ensure that all pieces of the puzzle fit harmoniously with each other. Managing the reform of 31 sets of national laws[1] at the same time was no small feat.

A second wave started when countries for which the European Commission had determined that they offered an adequate level of protection embarked on their own reforms. That was the case, for example, for Uruguay, Argentina, or Switzerland. To preserve their adequacy status, they needed to update their privacy frameworks so that they would be consistent with the new rules and framework created by GDPR. Argentina and Uruguay, for example, have recently completed their updates. Other countries are still working on their reform projects. This is the case of Switzerland and Canada, for instance. Switzerland is close to completion and working on the last details. Canada is behind, but actively preparing for a reform. Meanwhile, other countries with adequacy status, such as Israel, are not showing any signs or hints that a reform is in the works. It will take several years before this phase is completed.

A third wave is ongoing, while the influence of the GDPR is growing on all continents. Numerous countries outside the EU/EEA and those with adequacy status are showing a deep and clear interest in adopting privacy or data protection laws that use principles laid out in the GDPR. This is the case, for instance, for several Middle Eastern countries. The financial centers in the Dubai and Abu Dhabi emirates, for instance, have recently updated their data protection regulations to include provisions resembling those of the GDPR. A similar wave can be seen in Asia, with the recent updates of the Singapore laws, which adopted the concept of data portability, among other things. Next door, Malaysia is also contemplating changes to its Data Protection Act of 2010, as hinted in a recent public consultation paper concerning potential changes. According to the consultation, in the near future, the concept of consent might be clarified, the conditions for crossborder data transfers might be updated, some entities might be required to appoint a data protection officer, and there may be a requirement to report data breaches.

The United States is not exempt from the effect of the GDPR. In several US States, new consumer privacy laws are being passed or evaluated. These laws and bills clearly show numerous similarities with the GDPR. See, for example, the provisions that make the publication of a privacy notice mandatory, or those that expand on the rights of individuals and clarify the powers of data subjects.

More than ever, the field of privacy, cybersecurity and data protection is in constant evolution. We hope that you will enjoy the many changes and updates brought in this Supplement No. 36 of our Global Privacy and Security Law treatise.


[1] The UK was still an EU member state at that time.


Supplement #34

To be sent January 2021

The world will remember 2020 as a year of major events of drastic consequences in so many respects. While the Covid pandemic affected so directly and so massively people, minds, families and economies, it also prompted the adoption of new laws or regulations, including some that touched directly on the collection and use of personal data.  Several of the chapter supplements provided today describe those new rules, adopted throughout the world, to address the many ways in which the pandemic changed the way in which we live, work, or communicate. These changes affected the protection of the privacy and security of personal and business data in so many ways.

There was more than just the tsunami of tragedies and disruptions caused by the pandemic. The global Data Privacy and Security legal framework was also significantly rattled and shattered. The consequences of certain events that occurred in 2020 will be felt for many years to come. 

Several initiatives centered in the European Union are toughening the conditions for access to, and exchange of, personal data, hampering the movement of people, goods and services, creating uncertainty and havoc in global business, and causing unnecessary compliance expenses. The July 2020 decision of the Court of Justice of the European Union in the Schrems II case did not just shatter the EU-US Privacy Shield program. It is also drastically changing the way in which personal data may be transferred out of the European Economic Area to most of the rest of the world. The uncertainty and havoc created by, or expected from, the ripple effects of the EUCJ Schrems II decision and its aftermath will be felt for several months or years until a new balance can be developed.

2020 also saw ripple effects of other initiatives of the European Union in the domain of the protection of personal data. As you recall, the adoption of the 1995 EU Data Protection Directive (95/46/EC) and its implementation in the national laws of the EU and EEA member states caused a dozen countries, over time, to request to be recognized as providing “adequate protection” to personal data, meaning a protection similar to that which was offered to EU/EEA citizens in accordance with the principles defined in Directive 95/46/EC. With the adoption of the EU General Data Protection Regulation (GDPR), which significantly modifies the concepts laid down in Directive 95/46/EC, those countries that have been recognized as providing “adequate protection” are now adopting or preparing to adopt new laws or amendments to their existing privacy and data protection laws so that they can ensure that they will also be deemed to provide “adequate protection” when their laws are compared against GDPR, the new EU/EEA base data protection law. This is the case for Argentina, Uruguay, New Zealand, Switzerland, Japan, and Canada, for example. Some of these new laws or bills are described in this supplement, and the remainder will be provided in the next supplements.

In the United States, California continues to lead the development of personal data protection laws, and has again been in the limelight for its attempt to increase the protection of consumers’ personal data. After the chaotic adoption of the controversial California Consumer Privacy Act of 2018 (CCPA) by the California legislature, in November 2020, California citizens voted to adopt a ballot measure whose ultimate effect will be the replacement of CCPA by a new law, effective as of January 1, 2023, the CPRA or California Privacy Rights Act. CPRA will expand and toughen the CCPA. Like CCPA, the CPRA has some common elements with GDPR and other data protection laws of the world but takes a drastically different approach. WARNING: Compliance with GDPR does not mean that all aspects of CCPA or CPRA are covered. To meet CCPA or CPRA, companies must go back to the drawing board and conduct a careful gap analysis.

This Global Privacy and Security Law treatise is now over 5,000 pages long. While the number of data protection laws has drastically increased over the years, are consumers receiving better protection for their personal data? While the length of privacy and cookie notices has also significantly increased, and new laws grant consumers a wide variety of “privacy rights”, does the average consumer, in any country blessed with a 50- to 150-page privacy or data protection law, understand their rights or take advantage of the options offered to them? Is there a better way to raise consumers’ awareness of the uses and misuses of their personal data? Are there better means to prevent data hogs and unscrupulous entities from misusing or monetizing the details of an individual’s life?


Supplement #33

Sent to subscribers in September 2020

The COVID pandemic has drastically changed the way each of us lives, works or communicates. Less than a year into it, and with dim prospects for the months or years to come, businesses are struggling to respond to conditions and restrictions that are unlike anything else they anticipated or experienced previously. Entire industry segments, such as travel, hospitality, food or entertainment are more-or-less in a state of coma. Employers who used to discourage telecommuting are now requiring their staff to work from home. Businesses are trying to reinvent themselves. Little by little, each country is attempting to adapt to the new reality, and address the variety of issues presented by the havoc caused by the magnitude and intensity of the attack on people’s health and condition. 

Personal data has not been spared by the pandemic. In a world knocked down by a powerful, destructive virus, sensitive personal information is relevant and necessary (or is it really?) to almost every aspect of a person’s public and personal life. Very sensitive information about each individual is often a key element in addressing the care of that person, in avoiding contagion, in analyzing the effects of a drug, in gathering data about the death toll or other statistics, and much more. Governments and their agencies, at times too slowly, are realizing that in the fight against the virus, privacy and the protection of privacy rights are at risk if limits are not set on how much information can be collected and what can be done with that information.

In this Supplement #33, you will find out, among other things, how some countries have reacted to the effects that the pandemic is having on the use and potential misuse of personal data. As is often the case, there are times where privacy rights and security and safety end up on opposite sides, and both aspects must be balanced. In this case, the privacy and data protection laws and principles may serve to guide governments, legislators and others who collect, use or share personal data.

In the past few months, numerous countries have recognized this tension and developed guidelines for their constituencies on different aspects of the response to the pandemic as it relates to the protection of personal data.  For example, in this Supplement #33 you can read about:

Government Regulations

  • Israel passed temporary, emergency regulations to permit the tracking of data that in other circumstances would be considered extremely sensitive, such as people’s names, identification number, health status and location.  These measures were justified to the extent that they meet the principles of good faith, reasonability and proportionality.

Guidelines

  • In Greece, the data protection authority published guidelines regarding the use of personal data by employers.
  • In Slovakia, the data protection authority published a series of opinions and guidelines regarding the measurement of temperature for employees and visitors to the workplace, guidelines for ensuring the security of employees’ laptops used when working from home, and guidelines on the use of location data and contact tracking tools in the context of the COVID outbreak.
  • In the Philippines, the data supervisory authority issued guidelines regarding the collection of personal data, to ensure that only data that was “necessary” be collected, and that it be disclosed “only to the proper authority”. It also issued guidelines for health institutions and their data protection officers regarding the use and disclosure of sensitive data. The data protection authority also published guidelines on general security measures for organizations operating under a Work from Home (WFH) arrangement, to be applied both during the pandemic and whenever any telecommuting arrangement is implemented.

Enforcement Actions

  • In Norway, the data protection authority blocked the use of a contact tracing app launched by the Norwegian Institute of Public Health, which required users to provide personal data both for contact tracing and for analysis and research without giving the opportunity to consent to only one of the purposes separately.
  • In Chile, the Ministry of Health and the Ministry of Transport and Telecommunications announced that the use of GPS technology on cellphones would be analyzed to observe the population’s mobility during the pandemic. However, the Transparency Council stated that it wants to review the details of the initiative because it may be inappropriate. As of the date of this writing, no rules on the subject have been published.

Legal Moratorium

  • Brazil postponed the date of entry into force of its new data protection law, the LGPD.  The entry into force of the law is postponed to May 3, 2021 and the administrative penalties provisions will enter into force in August 2021.

Despite the grim times, Supplement #33 also brings good news.  

After 7 years in a holding pattern, the data protection law of South Africa is now in effect! Enacted by the South Africa Parliament in July 2013, the Protection of Personal Information Act (or POPIA) was approved by the President and became a law in November 2013. After many years of waiting and pressure from the Information Regulator for the commencement of the law, the South Africa President proclaimed the commencement date of POPIA to be July 1, 2020. The law is now fully in effect and organizations have a one-year grace period (computed from July 1, 2020) to ensure that all of their processing of personal data complies with the new law. Thus, on July 1, 2021, all processing of personal data in South Africa must comply with POPIA.

To our subscribers:  Thank you for subscribing to this treatise

To all contributors to this Supplement #33:  Thank you for your timely reports.

To the Wolters Kluwer and CCH teams who make this treatise happen and work tirelessly to deliver each supplement on time: Thank you for your hard work.

To everyone:  Keep safe! Keep healthy!


Supplement #32

Sent to subscribers in May 2020

As I am writing this note, the global tsunami effect of the Coronavirus is shaking, affecting, or perhaps destroying public health, businesses, work life, and family reunions. COVID-19 news and the defense against the Coronavirus have become the central part of our daily preoccupations. The outbreak and spreading of the virus on a global scale present challenging issues to which a significant number of public and private entities appear to have been ill-prepared.

While most of the updates to the chapters that are part of this Supplement #32 were written at a time when the threat and global effects of the virus in a particular country were not yet felt or anticipated, some of our contributors were living and working in difficult conditions under strict lockdown orders.

Special thanks to Marissa Xiao Dong and Guo Jinghe (China) and Raffaele Zallone (Italy) for producing their country updates while their respective countries and healthcare systems were deeply shaken by the effect of the destructive contagion. They worked on their country updates during their respective “lockdown,” “confinement,” “self-isolation,” or “retrenchment” periods. Thank you for your team spirit and the gift of your time in such dramatic circumstances.

The seriousness and intensity of the attack on people’s health and the dramatic consequences for countries’ healthcare ecosystems have significant business and legal implications involving almost every possible area: advertising, admiralty, bankruptcy, children, commercial, contracts, education, employment, health, insurance, telecommunications, telemarketing, torts, trademarks, trade secrets, and much more.

Privacy and information security are among the legal and practical issues to take into account. Privacy is highly vulnerable in a time when public health concerns may not be consistent with personal interests or civil liberties. Consider, for example, the civil rights concerns related to the collection of location data to track the path of the virus.

Most existing privacy and data protection laws do not address, or address only at the highest level, how to handle personal information in case of a major event. How much information should be disclosed when an employer faces the fact that one employee has been infected? Who should be provided with the information? When looking at the interests of the community, providing transparency and disclosing the details of the effect of the virus may help save lives. Collecting or sharing personal details that allow tracking an individual's whereabouts might help identify useful information or trends that help fight the spread of the virus, but it also opens the door to monitoring and surveillance and provides a means of encroaching on civil liberties, the future effect of which might not be stopped.

Significant security concerns are also at the forefront. The quarantine or isolation strategies require businesses and government agencies to send their personnel home to be shielded from contagion. While they help reduce the risk of infection, these strategies may put at risk the security shield that protects files and data. What level of security is provided to the confidential or strategic business records, or the highly sensitive personal information, that are now processed on a family computer, on the proverbial "kitchen table"? How is the security of the information preserved? What is the level of awareness of the potential risks to the confidentiality and security of all the contracts, reports, and customer lists that are transferred among co-workers, or between a worker and the company's headquarters, where internal measures and physical and technical security might be lacking or deficient, and where there is little experience or training on how to protect the company's crown jewels, or those of its clients or customers?

I hope that our next Supplement will be produced in less dramatic and concerning circumstances.

Keep safe! Keep healthy!
