Taking a look at the activities of 2017, it's clear that the coming year will see lots of movement on the privacy front. This week's Privacy Tracker legislative roundup consists of contributions from around the globe on expected and potential legislation. With more than 20 entries coming in from countries and regions spanning Argentina to Zimbabwe, hopefully we've hit on some important upcoming developments you should have on your radar.
By Pablo Palazzi
The year 2018 promises to be an interesting one for data protection in Argentina. The data protection authority has merged with the new freedom of information agency, so the DPA of Argentina will be bigger, with more autonomy and funding. The discussion on amending the Personal Data Protection Act during 2016 and 2017 has concluded, after a long participatory process, with a new bill that the Executive Power will send to Congress during 2018. The new bill is GDPR-style, and it will reinforce the powers of the new agency with a more modern regulation. The DPA is also working on a resolution on binding corporate rules. So we expect 2018 to be a year of debate and activity for the DPA.
By Veronica Scott
It’s going to be a significant year for privacy and data protection in Australia in 2018, building on the momentum and challenges of last year. Significantly, the Privacy Act 1988, which has undergone substantial amendments since it was first passed, turns 30! By way of example, the new mandatory data breach notification scheme in the act will start to apply Feb. 22, requiring regulated entities to notify data breaches where serious risk of harm to affected individuals is likely. This in turn will intensify scrutiny of data breaches and entities’ responses. Cyber risks will remain a high priority for all organizations and the cyber insurance market should see increased activity.
Comprehensive credit monitoring is likely to be mandated by the end of the year, given the slow progress in the reporting of positive credit information. Australian businesses will also urgently need to assess the extent to which the EU General Data Protection Regulation will apply to their activities and take appropriate action to address compliance by May. Finally, in another significant milestone for privacy in Australia, we look set to join the APEC Cross Border Privacy Rules system and implement its requirements, an important recognition that data flows and data protection are truly a global matter.
By Renato Leite Monteiro, CIPP/E
As in last year's report, there are still two main bills competing for the General Data Protection Law, one in the federal Senate and another in the House of Representatives. A final report on House Bill of Law 5276/2016 was expected by the end of the first semester, but it was postponed due to Brazil's political turbulence. The discussions were also postponed, and new congressional panels might take place to discuss pressing matters. The Senate bill, PLS 330/2013, on the other hand, was subject to several unexpected movements. The new version, which was unofficially released, is very different from every previous text presented and does not even suggest the creation of an independent national data protection authority. Civil society, academia and the private sector are already engaging on how to cope with this version, which appears to have been drafted with the support of the federal government.
The federal government will likely finalize a national internet-of-things plan and a national digital strategy, which both saw public consultations in 2017. Both have ties to privacy and data protection and will probably have a big influence on digital and infrastructure investments in Brazil.
On top of all that, Marco Civil da Internet, the law that confers users' rights and internet services' obligations, will continue to face amendment attempts, from user consent requirements and net neutrality exceptions to content removal provisions. Additionally, Federal Law 12.414/2011, which regulates credit scoring and credit reports, will face attempts to make it automatic for personal data to be included in positive credit databases controlled and managed by private data brokers (mandatory opt-in). Citizens currently have to opt out of these databases.
Courts set important precedents in 2017, such as ruling unlawful contract clauses that automatically allow for third-party data transfers. However, courts will also continue to interpret laws in very different ways, causing legal uncertainty and an unstable commercial and economic internet and data-driven environment.
In conclusion, as in the previous year, 2018 will probably be a tumultuous and curious year for privacy rights in Brazil.
By Shaun Brown
The Department of Innovation, Science and Economic Development Canada will have a busy year. Now that the INDU Committee has finished a quick review of Canada’s Anti-Spam Legislation, the real work begins as ISED develops concrete proposals to improve the law. The ETHI Committee will complete its review of the Personal Information Protection and Electronic Documents Act, which will also require ISED to respond. Amendments to both laws will be a lengthy process (don’t expect any changes to take effect this year).
Global issues will likely get more attention this year, as the implementation of GDPR increases anxiety about Canada’s adequacy to receive European data and NAFTA negotiations lead to further scrutiny of data localization requirements.
By Galaad Delval, CIPP/E
Now beyond its grace period, the Cybersecurity Law has been fully enforced in China since June 2017. Sanctions have already been imposed on infringing companies, and the trend for 2018 is toward increased enforcement aimed at companies infringing the Cybersecurity Law.
Regarding supporting guidelines and standards on data protection and cybersecurity, more were drafted in 2017 by the National Information Security Standardization Technical Committee (TC260), such as Information security techniques - Guidelines for Data Cross-Border Transfer Security Assessment and Information security techniques - Security techniques requirement for network storage, and the earliest drafted guidelines are expected to be finalized in early to mid-2018. Among them, it is probable that Information security techniques - Personal information security specification, drafted in late 2016, will be among the first to be finalized.
In addition, the E-commerce law draft that we mentioned in our 2016 update has now moved into its second draft. Now one step closer to its final version, a definitive draft is to be expected during 2018. The overall trend for data protection and cybersecurity in China is toward further enforcement and development of the data protection and cybersecurity legal framework.
By Luis-Alberto Montezuma, CIPP/E, CIPP/US
2017 ended with a decision from the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC), recognizing Japan as a third country that provides an adequate level of protection under Law 1581 of 2012.
On Aug. 10 2017, the authority recognized the U.S., member states of the EU and the Republic of Korea, among other countries, as providing adequate protection. The decision gave rise to much discussion in the Congress of the Republic, in particular, with the approval of the U.S. as a country that ensures an adequate level of protection for personal data.
Expect Uber’s story to continue into 2018. According to the SIC’s docket system, the authority has probably required Uber to provide information about its personal data breach that happened last year (there is no official announcement yet). In Colombia, data controllers are required to notify the authority regarding any personal data breach within 15 working days after having become aware of an incident.
The obligation to register databases with the National Database Registry will continue in 2018, though it may see some changes. There is a draft decree to extend the time period to register databases until Sept. 30 that would apply to medium and large companies, and the requirement would no longer apply to small businesses. The decree is ready to be signed by the Colombian president.
There is also a draft bill to give power to the authority to investigate companies outside of Colombia, such as Facebook or Google. Regarding Google, the ‘right to de-referencing’ (or ‘the right to be forgotten’ or ‘the right to delete search results’ or ‘the right to delisting') will be debated again before the Colombian Constitutional Court; both public- and private-sector organizations have filed amicus curiae briefs in the case, according to the Court’s docket system.
By Tim Van Canneyt, CIPP/E
2018 is of course the year in which the GDPR will become applicable and as such, it is a milestone year for data protection. In the coming months, we will continue to see a steady flow of guidance from the WP29/EDPB and from the national supervisory authorities. Equally important are the national legislative initiatives: many Member States are in the process of adopting legislation that will supplement the GDPR, e.g. with regard to minors or employees. Finally, we should see the conclusion of the trilogue on the e-privacy reform. It will, among other things, significantly change the way in which electronic communication data and cookies may be used.
By Yann Padova
On Dec. 13, 2017, the French government introduced draft legislation No. 490 on personal data protection. The National Assembly's Law Committee has appointed Paula Forteza as its rapporteur.
The proposed act implements the GDPR into French law by maintaining the current FDPA and clearing it of provisions that contradict the GDPR.
It confers on the CNIL new soft law powers, such as guidelines or referentials, notably in terms of data security requirements. It extends the legal framework for checks and inspections carried out by the CNIL, including the possibility for CNIL agents to conduct online checks under fake identities.
The draft legislation also takes into account the removal of the filing requirements enacted by the GDPR, except for certain data such as the national Social Security number. The authorization regime that currently exists under French law for a list of sensitive processing will therefore disappear.
The proposed text furthermore implements the CJEU's decision of October 6, 2015 (the "Schrems" ruling) by allowing the CNIL, when a claim is brought before it relating to a data transfer made under an adequacy decision or a contractual clause approved by the European Commission, to request the temporary suspension of the data transfer before the French administrative Supreme Court (Conseil d'Etat). The Conseil d'Etat must then refer the question of the validity of the relevant European Commission decision to the CJEU for a preliminary ruling.
The draft legislation will be applicable as of May 25. As it makes only the most necessary adaptations of the current FDPA to the GDPR, it remits the overall rewriting of the FDPA to a later ordinance to be issued by the French government within the next six months.
By Ernst-Oliver Wilhelm, CIPP/E, CIPM, CIPT, FIP
The German legislature delivered the first national implementation of the EU Data Protection Reform Package, for the most part, by publishing the EU Data Protection Adaptation and Implementation Act (in German: Datenschutz-Anpassungs- und Umsetzungsgesetz EU) in the Federal Law Gazette on July 5, 2017. As its centerpiece, the DSAnpUG-EU aligns the Federal Data Protection Act (in German: Bundesdatenschutzgesetz, BDSG), and additionally some laws in the area of law enforcement and intelligence services, with the new EU data protection standards. A synopsis of the DSAnpUG-EU and the new BDSG, which will become applicable on May 25, 2018, can be found here. Furthermore, the German legislature is working on a second Data Protection Adaptation and Implementation Act (in German: Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU, 2. DSAnpUG-EU), which will align 124 more laws at the federal level. In addition, the alignment of data protection provisions at the regional level (e.g., the data protection acts in each of the 16 federal states of Germany) and in specific domains (e.g., social security statutes) is in preparation. Finally, the upcoming ePrivacy Regulation may require adjustments in the implementation or interpretation of data protection-related provisions in relevant national legislation such as the Telecommunications Act (in German: Telekommunikationsgesetz, TKG), the Telemedia Act (in German: Telemediengesetz, TMG) and the Act Against Unfair Competition (in German: Gesetz gegen den unlauteren Wettbewerb, UWG).
By Stephen Mathias
2018 will most probably be the most important year in the world of data privacy in India. If 2017 wasn’t! Following the judgment of the Supreme Court of India in August 2017 that the right to privacy is a fundamental right under the Constitution of India, a committee appointed by the government began work on drafting a new law on data privacy for India. In December 2017, it released a white paper on the subject, which largely covered many of the key issues involved in data privacy such as geographical jurisdiction, applicability to juristic persons, level of detail of notices, requirements for transfer, etc. The paper however largely discussed issues and raised questions but provided few conclusions. The paper did call for feedback from the public.
The chairman of the committee, Justice Srikrishna (retd) has stated that he expects the new law will come into force by the end of 2018. This is not entirely in his hands since a draft law will have to be passed by both houses of Parliament and the present government has a majority only in the lower house. But support for a privacy law is strong, perhaps stronger, from the main opposition party, so it is entirely possible that such a law will be passed quickly.
Following the Supreme Court judgment, the court took up another important constitutional challenge — to the validity of Aadhaar, the biometric based identification system, the largest of its kind in the history of the world. The original purpose of this ID project was to ensure that food and other subsidies to the poor would go to the right people. This is mostly because the poor have less opportunity to prove identification and residence. But in the last couple of years, the government has made the use of Aadhaar compulsory for many other purposes — linkage to bank accounts, cell phone numbers, tax filings, etc. Even more is on the way. The key problem with this is that as Aadhaar is used for more and more services, more and more databases will have one’s Aadhaar number in them. There is no restriction on connecting all these databases and profiling people in a way that has never been seen before. The court proceedings are ongoing and it is hoped that the judgment might provide some guidance as to the manner in which the new law must protect, not just biometric and other basic information that is collected, but information in databases that is linked to Aadhaar numbers.
2018 most certainly promises to be an exciting year for data privacy in India.
By Dan Or-Hof, CIPP/E, CIPP/US
The evolution of Israeli privacy regulation is closely connected to the current global data protection turmoil. May 2018 is marked as the due date for a major shift in privacy compliance and awareness. As data-driven and web-based services constitute a large portion of the Israeli hi-tech industry, GDPR preparations are key to their ability to continue their international activities. On top of that, the new Israeli information security regulations come into effect on May 8 and will add a challenging set of new requirements for controls, measures and procedures. The regulations also introduce breach notification into Israeli law. No doubt, the notification requirements for security incidents will have a substantial impact on doing business in Israel. The Protection of Privacy Authority has become increasingly active this year, and we expect to see more guidelines and enforcement activities in 2018. Following a review by the EU this year, we have yet to see whether the adequacy recognition will be maintained, as invalidation of the recognition would definitely have an adverse impact on data transfers from the EU to Israel. Lastly, it is unclear whether the Privacy Shield Framework serves as an adequate mechanism for transferring personal information from Israel to the U.S. We hope that the Justice Department will remove the uncertainty over this issue.
By Rocco Panetta
As far as Italy and the EU are concerned, 2018 is going to be a critical year. For months Italy did not want to adopt a national implementing law for the GDPR, in order to respect the real spirit of the GDPR, which as a regulation does not require a national implementing law. But then, as Germany, Ireland, the UK and other EU member states adopted national implementing laws, the Italian legislator passed in November 2017 a law giving the Italian government the power to adopt within six months (i.e., by April) a national law merging the existing data protection law (based on Directive 95/46) with the GDPR.
This exercise is going to be very risky, as a breach of the EU regulation is always around the corner when member states legislate at the national level. The adoption of such a national law could also coincide with the general election of the Parliament and the new government, expected between March and April.
In addition, we are witnessing a sort of assault on the market by thousands of new self-declared expert consultants in privacy, data protection and cybersecurity. This is a very risky game, as the privacy compliance practice is not an easy one and cannot be invented overnight. I am sure that the presence of the IAPP on the Italian market, as well as the important role always played by the Garante (the Italian DPA), will help to increase education, awareness and best practices in the sector, in order to help data controllers and processors be properly ready for the May 2018 appointment.
By Takashi Nalazaki
It is likely that Japan and the EU will adopt adequacy decisions for each other before the GDPR becomes applicable, and the Personal Information Protection Commission will issue some guidelines on complying with the GDPR this February.
Also, the act commonly called Jisedai Iryo-kiban Ho, roughly translated as the next-generation medical infrastructure law, was enacted in May 2017 and will come into force by this May. The act will allow medical big data to be pooled anonymously so it can be utilized for research into diseases and the development of new drugs.
By Rosa Maria Franco, CIPP/US
In January 2017, after a long wait, the General Law for the Protection of Personal Data in Possession of Obliged Subjects was finally published in the Official Gazette.
The purpose of this law is to establish the bases, principles and procedures to guarantee the right that every person has to the protection of their personal data in the possession of obliged subjects, which the law defines as: any authority, entity, organ and body of the executive, legislative and judicial powers, at the federal, state and municipal levels, autonomous bodies, political parties, trusts and public funds.
Some of the objectives of the law are: (i) to distribute powers between the data protection authorities of the Federation and the Federative Entities in matters of protection of personal data; (ii) to establish the minimum bases and homogeneous conditions that will govern the processing of personal data and the exercise of the rights of access, rectification, cancellation and objection; (iii) to regulate the organization and operation of the National System of Transparency, Access to Information and Protection of Personal Data referred to in this Law and in the General Law of Transparency and Access to Public Information; (iv) to guarantee the observance of the principles of personal data protection; (v) to guarantee that every person can exercise the right to the protection of personal data; (vi) to promote and disseminate a culture of personal data protection; (vii) to establish the mechanisms to guarantee compliance and the effective application of the corresponding enforcement measures for conduct that contravenes the provisions of this Law.
The transitory articles of the law set forth important deadlines for compliance with the new law; thus, throughout this year we may expect to see compliance with these obligations.
By Lokke Moerel
The Dutch bill implementing the GDPR into Dutch national law has been submitted to parliament for adoption and is still on track to come into force at the same time as the GDPR (available here, in Dutch only). Like the German implementation law, the Dutch bill takes a restrictive approach favoring EU-wide harmonization as much as possible. The Dutch Data Protection Authority is expected to continue to focus its enforcement on profiling activities, processing of special categories of data and security obligations.
By Jaqueline Peace
This time last year, when I was asked to gaze into the crystal ball to predict the state of privacy law reform in New Zealand, I didn't just rely on my crystal ball; I even crossed my fingers in the hope that such actions would result in a draft privacy law bill. Alas, wizardry and hocus-pocus crystal ball gazing are not my forte. Whilst there has been no public sight of an exposure draft, there has been activity behind the scenes, with the right people being engaged to help move the law reform forward. With the newly elected Labour government, which came into power in October, the Office of the Privacy Commissioner has briefed the Minister of Justice about the need for law reform to be an urgent priority to avoid New Zealand falling behind the rest of the world. The majority of the initial recommendations for reform of the current Privacy Act 1993 made by the Law Commission in 2011 were accepted by the then government and supported by the OPC. The OPC subsequently responded to rapid global law reform and proposed further recommendations in November 2016. The OPC has now made it clear to the new government that there is a pressing need for NZ privacy law to be modernized. There is too much at stake, including the failure to keep up with individuals' rights to control over personal information, which many other countries have or are improving, and our privileged position of holding EU adequacy, enabling unrestricted transfer of personal data between the EU and NZ. Should I cross my fingers again?
By Romulo Henson III
2018 is a big year for data privacy in the Philippines. For one, March 8 will be the deadline of the Transitory Period (Phase II) for the Registration Requirement under Republic Act 10173, the Philippine Data Privacy Act of 2012, as further defined under National Privacy Commission Circular No. 17-01. In line with this, there are heightened discussions in both the government and private sectors on the requirements of the law, pushing the data privacy agenda even further into the consciousness of the public, who are, in the first place, the actual intended beneficiaries of the law.
On the broader landscape, the Philippines has joined the APEC Cross Border Privacy Enforcement Arrangement, the government backstop enforcement network developed for the Cross-Border Privacy Rules. It is an initiative that facilitates information sharing among privacy enforcement authorities in APEC economies, provides mechanisms to promote effective cross-border privacy cooperation, and encourages information sharing and cooperation with authorities outside APEC. The CPEA also confirmed the NPC's status as a privacy enforcement authority for the Philippines, becoming the eleventh PEA along with those from eight other APEC economies, namely Australia, Canada, Hong Kong, Japan, Republic of Korea, New Zealand, the U.S. and Mexico. So we will see more activity in this area this coming year.
Business process outsourcing firms (BPOs) serving European clients are busy preparing for the upcoming GDPR implementation in 2018. The Philippines is one of the top BPO destinations in the world, ranking second after India.
By Maria Elterman, CIPP/E, CIPP/US
No doubt 2018 will be a very interesting year for privacy protection under Russian law. New changes to the Russian Law "On Personal Data" of 27.07.2006 No. 152-FZ have just come into effect and have introduced new requirements for Russian companies to prohibit unidentified users from accessing online messaging applications. Companies must identify their users by cellphone number and be ready to share this data upon request from Russian law enforcement agencies. If mobile applications fail to comply with the requirements to restrict anonymous accounts, they will be blocked in Russia. Another change introduced by the Russian State Duma (the lower chamber of the Russian Parliament) is a draft bill that regulates the use of biometric data (face and voice recognition) by financial institutions. Banks will be able to use a unified user identification database to associate users' identities with their clients' bank accounts without the need for a client to be physically present. The database will be managed by an operator (Rostelekom is a likely candidate) and accessible on request by Russian law enforcement agencies.
By Rizwi Wun
- The landmark cybersecurity law is going to come into force very soon. The provisions tabled for discussion in our Parliament contain significant differences from the contents of the public consultation last year.
- The impending changes to the PDPA should incorporate facets of the GDPR, most notably in terms of mandatory breach notification.
- We should expect more resources to be channelled towards the building up of capabilities in cyber-security.
By Begüm Yavuzdoğan Okumuş
Turkey is now four months away from the deadline for compliance with the Data Protection Law, and in 2017 we were all busy adopting the law as far as possible in the absence of well-established rules and practices, but in light of EU developments. It seems that our efforts will continue in 2018.
During 2017, fundamental steps were taken for privacy following the enactment of the Data Protection Law in April 2016. The data protection authority was officially established (although it has certain organizational deficiencies) and secondary legislation has been prepared: the Regulation on Anonymization, Erasure and Deletion of Personal Data and the Regulation on the Data Controllers Registry were enacted, and the Regulation on Protection of Health Data, which was highly criticized during 2016 and subject to a stay of execution decision in 2017, was recently amended in a way that clarifies the main controversial provisions. In addition, a sector-specific Draft Regulation on Privacy in Electronic Telecommunication was prepared.
Privacy lawyers and professionals discussed data mapping techniques, personal data analysis and assessment most during 2017. Further, the validity of using consent forms for all data processing activities and the scope of legitimate interest or other conditions that make data processing lawful were at the top of the discussion lists. Transfer of data abroad in the absence of the DPA's safe countries list, and the validity of obtaining consent from data subjects to overcome this difficulty, was questioned. Whether appointing a data protection officer is a legal requirement for companies or only advised, and what constitutes health data, were the other frequently asked questions. It is worth saying that concrete steps for compliance were only taken by global companies and Turkish conglomerates. Turkish SMEs still do not find themselves busy with compliance issues.
We have high expectations for 2018 and are hopeful that privacy rules will be established more clearly, together with more guidelines to be announced by the DPA and more DPA decisions. The main difficulty in applying privacy rules in Turkey is the lack of guidance regarding the legal background and the lack of experienced experts within the DPA. Thus there is a need for close follow-up of EU developments and legislation, considering that Turkish legislation has elements of both the EU Directive and the GDPR. In terms of raising awareness, most probably a landmark DPA decision will teach the importance of privacy to the public better than the legislative developments.
By John Bowman, CIPP/E
We can expect a busy 2018 in data protection in the U.K. Although the UK is planning to leave the European Union in 2019, it will implement the GDPR and the Law Enforcement Directive by May 25. A data protection bill has already been introduced to Parliament and is expected to be enacted ahead of GDPR go-live. The bill has yet to capture much public attention, but other important policy issues remain unresolved, including maintenance of the free-flow of data between the U.K. and the EU post-Brexit. One controversial issue is about press freedom. In some newspapers’ view, the bill transfers too much power to regulators who may be able to determine whether investigative reporting activities are in the public interest. Other stakeholders, however, consider such a safeguard necessary to prevent intrusive reporting and protect individual privacy. This debate about the balance of rights and freedoms is expected to continue next year.
By Yaron Dori
Now that the Federal Communications Commission has reclassified broadband Internet access service for regulatory purposes, effectively subjecting broadband providers to the jurisdiction of the Federal Trade Commission, expect to see complaints filed at the FTC by consumer groups and others pertaining to broadband provider practices in the areas of data privacy, zero rating, and other creative approaches to packaging, pricing and managing internet content, services and applications. How the FTC responds to these complaints will depend in large part on the facts, as well as on the outcome of the FTC v. AT&T Mobility case pending before the 9th Circuit. The 9th Circuit's decision and the FTC's responses to these complaints will be significant factors in whether and how net neutrality legislation may take shape in Congress in 2018.
US: Health Care
By Kirk Nahra, CIPP/US
I expect very little this year in Congress on health care privacy and security. The focus will still primarily be on the ACA, and whether the administration can break it apart. Not much else is likely to get through, both because of that focus and because there isn’t a lot of pressure to do something new or different. There’s an odd bill floating around to give health care clearinghouses the right to use enormous volumes of data. I doubt this will move far but it's interesting because it grants clearinghouses — who possess enormous volumes of data — a lot of new rights that will create a health care version (sort of) of what a credit reporting bureau does (and we’ve seen how that goes). There is still an enormous need to fill a HIPAA gap relating to wearables, and mobile apps and other “non-HIPAA health care data,” but there seems to be no appetite for taking on that challenging problem. I don’t expect that to move unless there is some enormous data breach of some kind in this space. We could see some cybersecurity movement if there is a big health care data breach — either one involving personal data or one that (for example) shuts down a significant health care system — but Congress already has indicated that it can’t get its act together in this area regardless of a number of “tipping point” security breaches.
By Kuda Hove
2017 saw little being done to finalize the Computer Crime and Cyber Security Bill, the Data Protection Bill and the Electronic Commerce Bill. The abrupt change in Zimbabwe’s presidency and government did little to help the situation.
Just before his resignation former President Robert Mugabe created a Ministry of Cybersecurity, Threat Detection and Mitigation, to spearhead, among other things, the regulation of Zimbabwe’s internet space. This ministry was a thinly veiled attempt by the Zimbabwean government to monitor and control Zimbabweans’ online activity under the guise of securing the country’s cyberspace. Under the new government, this ministry has morphed into a department within the Ministry of Information Communication Technology and Cyber Security.
The current government has spoken against "the abuse of social media." This is an important announcement in light of the fact that Zimbabwe is scheduled to hold general elections in 2018. It remains to be seen what, in the absence of the relevant legislation, will amount to such abuse and, more importantly, how the government's stance on social media will impact privacy in Zimbabwe.