Supplement #31

Sent to subscribers in January 2020

Happy 10th Anniversary! With the delivery of Supplement #30, which we completed during the fourth quarter of 2019, we celebrated the 10th anniversary of the publication of the first issue of the Global Privacy and Security Law treatise. Wow! Back in 2005 when I started designing the concept and outlining the treatise, I never imagined that I would be writing about the 10th anniversary of its publication now, a few days before Thanksgiving 2019.

Anniversaries are a time to reflect on accomplishments and thank those who contributed to the realization of those accomplishments.

First, I want to thank all subscribers for their continued interest in, and enthusiasm for, the Global Privacy and Security Law treatise over the years. Thank you for your support! It is your enthusiasm for our work that pushes us, for each supplement, to bring you the best we can write and to inform you of the most recent developments we can identify, as well as upcoming ones. Parts of this treatise were written because of questions from subscribers who had a particular interest in a topic or a country. Thank you for these questions! They have provided incentives for exploring further the world of privacy and security, and for sharing these laws and trends with each other. Please feel free to write to me at fgilbert@globalprivacybook.com with more ideas, questions or challenges.

Many thanks to all those who have contributed their time and knowledge, and made this work progress, expand and remain up-to-date and relevant. Our treatise was the first to identify the variety and breadth of issues related to the protection of personal data and privacy rights. It provides a unique tool for understanding the complex nuances of the numerous data privacy and security laws in 68 countries on all continents. Additional countries will be included in the upcoming versions. Today, the treatise remains, by far, the most comprehensive and complete work and analysis of global privacy and data security issues worldwide. We owe it to our team of attorneys around the world and their respective associates and administrative assistants who regularly supplement the country chapters, conduct research, and draft supplemental sections or proofread them. I am thankful to have been able to gather such an outstanding team.

Many thanks, as well, to the team at Wolters Kluwer, especially Kate Brady and Mallika Krishnan, and their respective colleagues. Thank you for keeping us on schedule. Thank you for following up, for your careful and meticulous work, for catching inconspicuous typos, and making each chapter look good.

And thank you, Jacques, my wonderful husband, for participating in editing and proofreading the 100+ documents that form the treatise, especially when my full-time job as an attorney competes with editing responsibilities and publishing deadlines. Thank you for designing and maintaining the successive versions of the website for the treatise, at www.globalprivacybook.com. Thank you for your encouragement, and your unconditional support of my initiatives.

Anniversaries are also a time to look at the past and prepare for the future. As I reflect on the past few years, I am amazed at the trajectory that privacy and data security laws have taken. When I decided to write the first version of this treatise, it felt like a quixotic adventure. Few companies appreciated the strategic value of personal data and few attorneys were aware that privacy and data security laws existed. The United States had a patchwork of federal and state laws that addressed the protection of some categories of personal data, but law schools did not yet offer classes on the topic. 

At the global level, only about 25% of the United Nations Members had adopted a national data protection law. Most of these laws emanated from countries within Western Europe, and derived from a handful of seminal documents such as the OECD Privacy and Security Guidelines, Convention 108 of the Council of Europe, or the 1995 Data Protection Directive. There was limited compliance and little enforcement. Outside Western Europe, several countries had adopted national data protection laws that tracked European data protection laws. In Asia, for example, early adopters included members of the former British Empire: Hong Kong, Australia and New Zealand. In the northern part of Asia, South Korea and Japan had developed their own laws, but little was happening in China or India. Asia was only tiptoeing into regulating the use of personal data as a regional initiative. The APEC Privacy Framework, considered a response to the work of the European Union and the OECD, had just been launched in 2004.

As we reach the end of 2019, more than 130 countries have passed and are enforcing comprehensive privacy and data protection laws. China now has a wide range of laws addressing the protection of personal data. Brazil’s data protection law will enter into effect on February 14, 2020. On the corporate front, two major acquisitions or divestitures by some of the major entities providing services related to personal data protection and compliance were just announced. And, unfortunately, the rate of misuse or illegal use of personal data has risen exponentially.

In the meantime, the United States, despite having more than one thousand federal or state laws addressing the protection of specific categories of personal data, is still viewed, worldwide, as lacking laws that provide “adequate protection” of personal data or privacy rights. US companies are plagued by the “GDPR effect” and the “CCPA Tsunami”. There is little hope that the United States Congress will soon pass a national, comprehensive law addressing the privacy and security of all personal data in all circumstances and applying uniformly throughout the United States.

As we embark on another ten-year adventure in privacy and data security, it is exciting to see the wide range of issues and nuances raised by the myriad ways in which information relating to individuals can be collected, used or distilled to be associated with individuals, in order to create profiles and identifying patterns. There is still so much to explore about the protection, use and secondary uses of personal data. Artificial Intelligence, the Internet of Things ecosystem and the development of blockchain technologies, among others, are paving the way to new technologies and new concepts that push the limits of exploration, and invite our Global Privacy and Security Law treatise team to investigate and analyze.

And . . . one more thing! I am also embarking on another personal adventure. In August 2019, I launched a new company, DataMinding, whose website is located at www.dataminding.com. With DataMinding, I will continue to work with my clients, while exploring the new frontiers of data privacy and security law, and addressing or anticipating the upcoming uses – or misuses – of personal data.

I look forward to continuing to lead our Global Privacy and Data Security law adventure, and to exchanging questions, sharing ideas, and responding to challenges from subscribers, colleagues and everyone else.

Supplement #30

Sent to subscribers in September 2019

2019 continues to be a year of intense activity around the protection of personal data. The adoption and implementation of the EU General Data Protection Regulation (GDPR) are having a viral effect around the world. Several countries have recently adopted their first data protection laws, for example, Brazil (during the summer of 2018) and, more recently, Thailand and Uzbekistan (to be added to this treatise in upcoming supplements). Elsewhere, countries are updating or amending their laws or supplementing them with additional laws. Below are examples of some of the recent developments that are described in further detail in the chapters of this 30th Supplement of the Global Privacy and Security Law treatise.


Argentina passed its first Personal Data Protection Act years ago. It is one of the few countries that the European Commission has determined provides an adequate level of protection of personal data. In its Disposition 47/18, issued by the National Directorate of Personal Data Protection in July 2018, Argentina expands the scope of its provisions regarding information security. Disposition 47/18 identifies a series of suggestions regarding security requirements. The suggestions follow international standards, especially those of the European Union. Among other things, Disposition 47/18 suggests that entities affected by a breach of security report the breach to the Application Authority and appoint a security officer who will be in charge of reporting data breaches and of serving as the liaison with the Application Authority.


In Austria, the Austrian Data Protection Authority and the courts have actively prosecuted violations of the GDPR. The first decision of the DSB (the Austrian Data Protection authority) applying the GDPR was published on June 26, 2018. It determined that GDPR Art. 15 covers a customer’s request to obtain his or her historical bank account statements free of charge if no third-party rights are endangered. The DSB issued several decisions on the formalities of a data subject’s request. It has also ruled that the use of dash-cams is generally not in line with the legal data protection framework. In a rare case involving GDPR Art. 85, the DSB ruled on the availability of information to individuals and the privilege of “freedom of information.”


Brazil amended its recently adopted Privacy Act (which becomes effective on February 14, 2020) to formally provide for the existence of a National Data Protection Authority (NDPA). While the Privacy Act originally approved by the Brazilian Congress created the NDPA as an independent federal agency linked to the Ministry of Justice, the concept was vetoed by the President of Brazil on constitutional grounds in the law-making process. The NDPA itself and its rules of operation have been reintroduced by the President by means of a provisional measure, and the existence of the NDPA was confirmed through the enactment of Federal Law 13,853, on July 9, 2019. The NDPA in turn will draft and issue other rules and provisions concerning specific requirements and guidelines for data collectors that are generally addressed in the Privacy Act, as well as the rules applicable to administrative procedures.

Brazil also adopted the Positive Credit Rating Law. The law sets out several obligations for the data controllers and conditions applicable to the collection, use, and sharing of financial information of the data subjects (individuals or legal entities) with other databases, as well as general access, amendment, cancellation, and opt-out rights for the data subjects.


While India is finalizing its national data protection law, its central government passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Ordinance, 2019 (the Aadhaar Ordinance) amending the Aadhaar Act in February 2019. The Aadhaar Ordinance introduces a method of offline verification of an individual’s identity using their Aadhaar in the manner provided by the Unique Identification Authority of India. The Ordinance further proposes that individuals may voluntarily use Aadhaar to establish their identities through authentication or offline verification with another private entity if that private entity complies with the applicable security and privacy safeguards and is permitted to carry out Aadhaar authentication by law, or is seeking authentication for a purpose that the central government has prescribed to be in the interest of the state.


In the second quarter of 2019, the Italian Data Protection Authority (DPA) issued a number of significant decisions. It ordered Mediamarket, a subsidiary of the retailer Mediaworld, to cease and desist the processing of large amounts of personal data of customers collected before the GDPR and used for massive mailings of marketing materials. It found that the information notice and the consent did not comply with the law, even though both had been changed after the GDPR became effective. No fine was assessed, but the company received a cease-and-desist order.

The DPA did impose a fine of one million euros on Facebook with respect to the Cambridge Analytica case. The Italian DPA issued the fine against both Facebook Ireland and Facebook Italy, as co-processors. The procedure was under the old Italian law and not under the GDPR, which explains the amount of the fine.


Like Argentina, Uruguay was one of the first countries that the European Commission determined provides adequate protection for personal data and privacy rights. In late 2018, Uruguay adopted an amendment to its original data protection law in the form of Ley de Presupuesto Nacional que modifica la Ley No. 18.331 (October 25, 2018) (National Budget Law Amending Law 18.331). The purpose of the law is to align Uruguay’s data protection law, Law 18.331, with the GDPR. The amendment extends the geographic scope of the data protection law to data controllers that are not established in Uruguay but target Uruguayan inhabitants for the purpose of selling them goods or services and collect their personal information to analyze their behavior. It also adds the obligation to immediately report a data breach, the principle of proactive responsibility, and the obligation to appoint a Data Protection Officer in certain cases.

Supplement #29

Sent to subscribers in May 2019

Almost one year after GDPR Day, the European Union Member States have not yet fully completed their implementation of the EU General Data Protection Regulation (GDPR) into their national laws. While the GDPR became applicable as of May 25, 2018, and is fully in effect throughout the European Union, each Member State has the opportunity to make changes or additions to approximately 50 clauses of the GDPR. Some Member States have already done so, but a few are behind. In Supplement #29, we provide new information about changes in several Member States. 

In the meantime, the EU data supervisory authorities have begun enforcement actions against violators. These actions have resulted in a wide range of fines. The smallest fine so far is approximately €5,000. The largest fine was assessed in January 2019 by CNIL, the French data supervisory authority, against Google and amounts to €50 million. A summary of the Google opinion is provided in Chapter 06A. Google is appealing the decision primarily on jurisdictional grounds.

In addition to the GDPR, a new law has become “the talk of the town”: the California Consumer Privacy Act (CCPA). The CCPA was passed in California at the end of June 2018 and amended in August 2018. More than 40 amending bills have been filed in an attempt to amend it further. The CCPA is expected to take effect on January 1, 2020, unless a federal omnibus data protection law is passed in the U.S. Congress that supersedes the CCPA. As it stands currently, the CCPA grants California residents rights of information, access, erasure, and objection that have significant similarities with those provided to EU residents under the GDPR. The CCPA is of interest to all companies worldwide that do business with California residents or are located in California. It also applies to companies that control a business that is subject to the CCPA. The scope of the law and its requirements are described in Chapter 65.

As we are approaching the 10th anniversary of this treatise, it is fascinating to look back and evaluate the significant changes, evolution, and expansion of the law of the protection of personal information.

Supplement #28

Sent to subscribers in January 2019

As 2018 is ending, the enforcement of the General Data Protection Regulation (GDPR) remains the most important event of the year. The GDPR will be remembered as a significant paradigm shift throughout the world because of its extensive scope. The entire world has become “GDPR-ized.” In this supplement, we provide a number of updates to chapters pertaining to activities throughout the European Union and European Economic Area (EEA) resulting from the switch to the GDPR.

During the middle part of 2018, a series of official documents regarding the interpretation of the GDPR were finalized. The Article 29 Working Party, under its new name—EU Data Protection Board (EDPB)—and with a slightly different composition, has officially been replaced by the EDPB. As part of its first activities, the EDPB endorsed numerous guidelines and opinions that were prepared under the Article 29 Working Party. The EDPB has a new website, and this supplement provides numerous new links to the guidelines managed by the EDPB.

As provided in and throughout the GDPR, the Member States are slowly implementing the GDPR in their own laws. This is being done both by integrating the GDPR in their own legal frameworks and by adopting additional provisions. As expected, each country is implementing the GDPR in its own way. In this supplement, we provide updates from Belgium, Estonia, Finland, Lithuania, Malta, the Netherlands, Slovakia, and Sweden.

Switzerland, which is not part of the EEA, is also attempting to update its laws to retain consistency with the GDPR but has not yet agreed to a final draft of its updates. We provide a short summary of its efforts and projects.

Outside the European region, there are changes in Latin America. The most significant one was Brazil’s adoption of its first data protection law, which occurred during the summer and was reported in our prior supplement. In this supplement, we provide an update on activities in Chile. Chile was the first Latin American country to adopt a data protection law in the 1990s. It is now inching toward modernization of its legal framework to keep up with developments in the privacy/cybersecurity area so that it can provide protections that are consistent with those provided by its neighbors in Latin America.

By the time this supplement is completed and shipped to our subscribers, it will be 2019. Our team of writers, contributors, editors, and technical assistants wishes all subscribers a very happy new year. Many thanks to all of you for your interest in our work.

Finally, a personal note on behalf of our team. 2019 will be a special year for us. In September 2019, we will celebrate the 10th anniversary of the first publication of our two-volume Global Privacy and Security Law treatise! The privacy/cybersecurity world has changed so much in 10 years.

Supplement #27

Sent to subscribers in September 2018

At long last, the GDPR is in force. It has been a long process. I still remember reviewing the first draft of a GDPR in November 2011, and after that, all the successive drafts, wondering how long it would take to get to launch.

Here we are, almost 7 years later, and the GDPR is in effect! When you receive this set of supplements, the GDPR will be celebrating the four-month anniversary of its enforcement date. It is still taking baby steps. In the meantime, the first sets of lawsuits claiming violation of individuals’ rights under the GDPR were filed on the inaugural day, May 25, 2018.

The GDPR grants Member States the ability to supplement some of its provisions. It was hoped that EU Member States would take advantage of the two-year period between signature of the law and the enforcement date to take the measures necessary to implement the GDPR into their national laws and take advantage of their ability to supplement it.  Some did take advantage of this opportunity. Germany and Austria were the first to have completed the process. Nevertheless, a significant number of EEA Member States are still struggling.  In numerous cases, bills are pending and still being discussed. Others are almost done; for example, Italy

While not a member of the European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR as part of its agreements with the EEA Member States. The Swiss parliament is said to be working on a draft.

Outside the EEA region, countries are actively working on the improvement or development of their data protection laws. On August 14, 2018, the president of Brazil signed the country’s first data protection law. That law contains numerous references to the GDPR. Across the Andes, Chile is also working actively on developing further its existing data protection law, to bring it to current international standards.

At the end of June 2018, California passed the California Consumer Privacy Act (CCPA). Like the GDPR, the statute has a very broad reach. It applies to most business entities that collect personal information of California residents and operate in California. In the next Supplement, we will provide a summary of the CCPA, and describe the circumstances of its very turbulent launch.

According to its terms, the statute becomes effective as of January 1, 2020. However, because of its controversial content, the statute has been attacked for a variety of reasons, and the launch date is becoming uncertain. Since its signature by the California Governor, numerous activities have been ongoing in California to attempt to amend the statute and delay its enforcement date. There are also discussions at the federal level aiming at drafting a federal law that would supersede the California statute.

One of the most amazing features of the CCPA is its definition of “personal information.” It is probably the longest of all definitions of that term, worldwide. It is 345 words long and extends over 13 paragraphs.

While the CCPA has been presented by some as a “mini GDPR,” it is much more limited than the GDPR. For example, unlike the GDPR, it does not contain general data processing principles and does not require a legal basis for the processing of personal information. The CCPA focuses primarily on providing consumers with a number of rights, such as a right of access and a right of portability, in a manner similar to the GDPR. It also grants consumers the right to require that businesses cease selling, sharing or disclosing their personal information with or to third parties for commercial purposes.

The CCPA grants a private right of action to California residents whose personal information was compromised in a breach of security. This addition to the existing California security breach landscape is likely to significantly increase litigation.

Supplement #26

Sent to subscribers in May 2018

It is just a few weeks before the May 25, 2018, deadline to implement the General Data Protection Regulation (GDPR), and it seems that the privacy and data protection world is frozen. The Member States of the European Union and European Economic Area have not done much to take advantage of the numerous GDPR provisions that allow Member States to draft additions and adaptations to the GDPR. Austria, Germany, and Belgium are the exceptions.

Germany has added numerous changes to the GDPR. One of the most significant additions is the obligation for companies to appoint a data protection officer if (1) at least 10 persons in the organization deal with automated processing of personal data or (2) the company is required to conduct data protection impact assessments. The German additions to the GDPR also grant significant supplemental powers to the supervisory authorities. Austria has expanded the scope of the provisions that give individuals the ability to be represented by a non-profit organization that focuses on data protection issues, to allow such a mechanism to be used for actions not only against organizations but also against the supervisory authority. Austria has also identified 14 as the age of consent.

In addition to Germany and Austria, Belgium has developed its local additions to the GDPR. In the case of Belgium, the changes have focused on establishing a Data Protection Supervisory Authority and providing it with supervisory powers and punitive functions. The Belgian additions to the GDPR grant the Supervisory Authority the power to give warnings, work on investigations, and impose administrative fines.

A few other Member States have developed drafts but, as we go to press, have not achieved finalization. These include, for example, France, Ireland, Latvia, the Netherlands, Spain, and the United Kingdom. The remainder of the European Union and European Economic Area Member States have not made any tangible progress.

While not a member of the European Union or European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR and that affect the remainder of Western Europe. The Swiss parliament, however, has not yet published a draft. The word is that a draft should be coming soon.

Supplement #25

Sent to subscribers in January 2018

Supplement #25 to our two-volume treatise Global Privacy and Security Law reflects a period of significant transition in the European Union and European Economic Area, where the Member States are still working on integrating the EU General Data Protection Regulation (GDPR) into their laws. Few countries have published any tangible information about their views on the transition to the new regime under the GDPR.

The Article 29 Working Party has been prolific and has published several guidelines, which are detailed in Chapter 6A. The Article 29 Working Party has already published Guidelines on Data Protection Officers, Data Portability, Lead Supervisory Authority, Data Protection Impact Assessments, and Administrative Fines. It has also published, for consultation, Guidelines on Data Security Breach and Guidelines on Automated Decision-Making and Profiling. Guidelines on the concept of consent, and cross border data transfers are expected to be published by the end of 2017 or early 2018.

In the Asia Pacific Region, China continues to make significant changes to its laws governing the protection of personal information.

The global privacy and security framework keeps evolving. The effect of the EU General Data Protection Regulation is clear. Countries outside the EU/EEA bloc, such as Switzerland, are looking at the challenges posed by the EU General Data Protection Regulation, considering potential changes to their own data protection framework, and exploring how to keep up with the changes to the data protection framework that the GDPR is bringing.

Best regards

Supplement #24

Sent to subscribers in September 2017

This Supplement #24 to our two-volume treatise Global Privacy and Security Law reflects a period of significant transition in the European Union and European Economic Area, where the Member States are still working on integrating the EU General Data Protection Regulation (GDPR) into their laws. Few countries have published any tangible information about their views on the transition to the new regime under the GDPR.

On the other hand, the Article 29 Working Party has been prolific and has published several guidelines, which are detailed in our Chapter 06A. The Article 29 Working Party has already published Guidelines on Data Protection Officers, Data Portability, and Lead Supervisory Authority. It has also published for consultation Guidelines on Data Protection Impact Assessment, and is working on additional Guidelines on the concept of Consent, which are expected to be published by the end of 2017. Details on these Guidelines are provided in Chapter 06A.

In the Middle East, Israel has significantly updated its Information Security Regulations, expanding upon the old regulations to prevent the misuse of data. The new Regulations are intended to realize the objectives of the original law and include several innovations, of which the most significant are intended to protect the privacy of registered users in a computerized database.

The Asia Pacific Region has also seen significant developments. For example, in June 2017, South Korea became the fifth country to join the CBPR system. Japan and China have made significant changes to their laws governing the protection of personal information.

In Latin and South America, Uruguay has welcomed the EU-US Privacy Shield and now recognizes as providing “adequate protection” the US companies that are listed on the EU-US Privacy Shield list. In Colombia, the Superintendence of Industry and Commerce of Colombia (SIC) has prepared a draft regulation with a series of dispositions that would clarify the obligations of managers and controllers in connection with the transfer and transmission of data to third countries. Chile is working on a bill that would update its current privacy law and would increase the level of privacy protection to meet the guidelines of the Organization for Economic Cooperation and Development (OECD), which Chile joined in 2010.

The global privacy and security framework keeps evolving. While technology evolves faster than laws, throughout the world, legislators and litigators are paying attention to the many uses and potential misuses of personal information.

Supplement #23

Sent to subscribers in May 2017

With the European Union and the European Economic Area (EU/EEA) in a period of transition, there is much activity but still few tangible results. EU/EEA Member States are attempting to fathom the changes that the adoption of the General Data Protection Regulation (GDPR) will bring to the region as a whole, to understand how their own countries will or should implement the new rules, and to determine whether and in what ways they can or should supplement the basic provisions of the GDPR where that is possible. Thus, numerous documents, decisions, guidelines, and the like are still in gestation or being revised and reshaped. On the other hand, some of the Member States, such as France, Germany, and the Netherlands, have made substantial progress and have been especially active.

The next supplement will bring updates on the final versions of several guidelines drafted by the Article 29 Working Party. These guidelines are about to be adopted in their final forms, but their final texts are not public as of press time. These guidelines provide some clarity on the interpretation of certain provisions of the GDPR.

Elsewhere, some countries are preparing major changes. This is the case, for example, for China and Turkey, but the changes came in too close to press time, and the details of their application are still too scarce for an analysis to be included in this supplement. A more detailed report will be published in the next supplement.

Stay tuned!

Supplement #22

Sent to subscribers in January 2017

The first half of 2016 focused primarily on the finalization and final approval of the EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC. The GDPR will apply and enforcement will commence as of May 26, 2018. Now, most of the European Union and European Economic Area (EU/EEA) is focusing on the preparation of the transition to the new data protection regime. Member States are working on guidelines and on provisions supplementing the GDPR. We will hear more details in the next supplement.

The early days of July 2016 also saw the approval of the EU-US Privacy Shield, which replaces the Safe Harbor, invalidated in October 2015. U.S.-based companies doing business with EU/EEA-based entities are now recovering from the whirlwind of activities and the uncertainties of the first part of 2016. Many of them are preparing for, or may already have filed for, self-certification under the Privacy Shield, ensuring that they are better prepared for further attacks on cross-border data transfer structures.

The second half of 2016 has been much quieter than the first half. As a result, Supplement 22 does not bring as many sensational developments as did the prior ones published in 2016.

The most significant development occurred in France, as we were completing our set of updates for Supplement 22.

In early October 2016, France passed Loi No. 2016-1321 Pour Une République Numérique. The law introduces new provisions that will regulate the digital economy as a whole, such as open data, the online cooperative economy, revenge porn, and access to the Internet. It also introduces key amendments to the existing 1978 Loi Informatique et Libertes (the current national data protection law) ahead of the May 2018 enforcement date of the EU GDPR.

Among the key points of Law 2016-1321, note the higher fines (up to EUR 3 million), the removal of data residency rules, and the enhanced rights for individuals, including the right to be forgotten and the right to data portability.

Best wishes for 2017. It will be a very interesting year for data privacy and cybersecurity.