This introductory piece aims to highlight the main developments in the international privacy and data protection arena in the past year. The first introduction to this publication in 2013 noted the rapid growth of privacy and data protection laws across the globe and reflected on the commercial and social pressures giving rise to this global development. Those economic and social pressures have not diminished since that first edition, and they are increasingly triggering new initiatives from legislators to regulate the use of personal information.
The exponential increase of privacy and data protection rules fuels the idea that personal information has become the new ‘oil’ of today’s data-driven economies, with laws governing its use becoming ever more significant.
The same caveat as in previous editions still holds true today: as privacy and data protection rules are constantly evolving, any publication on the topic is likely to be outdated shortly after it is circulated. Therefore, anyone looking at a new project that involves the jurisdictions covered in this publication should verify whether there have been new legislative or regulatory developments since the date of writing.
Convergence of laws
In previous editions of this publication the variation in the types and content of privacy and data protection laws across jurisdictions has been highlighted. It has also been noted that, although privacy and data protection laws in different jurisdictions are far from identical, they often focus on similar principles and common themes.
Policymakers from various parts of the world have been advocating the need for ‘convergence’ between the different families of laws and international standards since the early days of privacy and data protection law. The thought was that, gradually, the different approaches would begin to coalesce, and that global standards on privacy and data protection would emerge over time. While there is little doubt that convergent approaches to privacy and data protection would benefit both businesses and consumers, it will be a long time before truly global privacy and data protection standards will become a reality.
Privacy and data protection rules are inevitably influenced by legal traditions, cultural and social values and technological developments, all of which tend to differ from one part of the world to another. Global businesses should take this into consideration, especially if they are looking to introduce or change business processes across regions that involve the processing of personal information (for instance, about consumers or employees). Although it makes absolute sense for global businesses to implement common standards for privacy and data protection throughout their organisation and regardless of where personal information is collected or further processed, there will always be differences in local law that can have a significant impact on how personal information can be used.
There are a number of international instruments that continue to have a significant influence on the development of privacy and data protection laws.
The main international instruments are the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108) of the Council of Europe, the OECD Privacy Recommendations and Guidelines (OECD Guidelines), the European Union General Data Protection Regulation (GDPR), the Asia-Pacific Economic Cooperation Privacy Framework (the Framework) and the African Union Convention on Cyber Security and Personal Data Protection.
Convention 108 has been ratified by 53 countries; in June 2018, Cape Verde and Mexico became the fifth and sixth non-European countries – after Mauritius, Uruguay, Senegal and Tunisia – to ratify Convention 108. Morocco, Burkina Faso and Argentina have been invited to accede to Convention 108 and are expected to be the next countries to become parties. All parties to Convention 108 have passed domestic laws that implement the Convention’s standards. An Additional Protocol to the Convention requires each party to establish an independent authority to ensure compliance with data protection principles and sets out rules on international data transfers. Convention 108 is open to signature by any country and claims to be the only instrument providing binding standards that have the potential to be applied globally. It has arguably become the backbone of data protection laws in Europe and beyond. In April 2017, the European data protection authorities issued a resolution on the modernisation of Convention 108 to ensure consistency with the GDPR.
The OECD Guidelines are not subject to a formal process of adoption but were put in place by the Council of the OECD in 1980. Like Convention 108, the OECD Guidelines have been reviewed and revisions were agreed in July 2013. Where mostly European countries have acceded to Convention 108, the OECD covers a wider range of countries, including the US, which has accepted the Guidelines.
Both Convention 108 and the OECD Guidelines date from the 1980s. By the 1990s the EU was becoming increasingly concerned about divergences in data protection laws across EU member states and the possibility that intra-EU trade could be impacted by these divergences. The EU therefore passed Data Protection Directive 95/46/EC, which was implemented by the EU member states with a view to creating an EU-wide framework for harmonising data protection rules. Data Protection Directive 95/46/EC remained the EU’s governing instrument for data protection until the GDPR came into force on 25 May 2018.
In 2004 these instruments were joined by a newer international instrument in the form of the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, which was updated in 2015. Although it was subject to criticism when it was launched, the Framework has been influential in advancing the privacy debate in the Asia-Pacific region. The Framework aims to promote a flexible approach to privacy and data protection across the 21 APEC member economies while fostering cross-border flows of personal information. In November 2011 APEC leaders endorsed the Cross-Border Privacy Rules (CBPR) system, which is a voluntary accountability-based system to facilitate privacy-respecting flows of personal information among APEC economies. The APEC CBPR system is considered the counterpart of the EU’s system of binding corporate rules (BCRs) for data transfers outside of the EU. In March 2018, Singapore became the system’s sixth participant, joining South Korea, Canada, Japan, Mexico and the US.
In June 2014, the African Union adopted a Convention on Cyber Security and Personal Data Protection as the first legal framework for cybersecurity and personal data protection on the African continent. Its goal is to address the need for harmonised legislation in the area of cybersecurity in member states of the African Union, and to establish in each member state mechanisms to combat privacy violations. So far the Convention has been signed by 10 African countries, and it has been reported that a number of African countries have drafted data protection laws based on the Convention.
The data protection laws of the EU member states, the three associated states in the European Economic Area (Iceland, Liechtenstein and Norway) and EFTA-country Switzerland broadly follow the same pattern, since they were all based on or at least inspired by Data Protection Directive 95/46/EC. However, because Data Protection Directive 95/46/EC was not directly applicable, the transposing EU member state laws were divergent in many areas. This has led to inconsistencies, which created complexity, legal uncertainty and additional costs for businesses required to comply with, in many cases, 31 different data protection laws in Europe.
This is one of the primary reasons why the European Commission introduced its EU Data Protection Reform in January 2012, which included the GDPR as well as a Data Protection Directive for the police and criminal justice sector (the Police and Criminal Justice Data Protection Directive). The GDPR establishes a single set of rules directly applicable throughout the EU, intended to streamline compliance for companies doing business in the EU. The European Commission estimated that the GDPR could lead to cost savings for businesses of around €2.3 billion a year.
After four years of negotiations, on 15 December 2015 the European Parliament, the Council of the EU and the European Commission reached a compromise on a new and arguably more harmonised data protection framework for the EU. The Council and the Parliament adopted the GDPR (EU 2016/679) and the Police and Criminal Justice Data Protection Directive (EU 2016/680) in April 2016, and the official texts were published the following month. While the GDPR entered into force on 24 May 2016, it applies from 25 May 2018. The Police and Criminal Justice Data Protection Directive entered into force on 5 May 2016, and EU member states had until 6 May 2018 to transpose it into their national laws.
The GDPR, which will be further discussed in this publication, is a ‘game changer’ and one of the most significant developments in the history of EU data protection law. The impact of the GDPR is not confined to businesses based in the EU. The new rules apply to any processing of personal information conducted from outside the EU that involves the offering of goods or services to individuals in the EU or the monitoring of individuals in the EU.
EU member states have either prepared or are preparing new data protection laws at member state level to supplement the GDPR in a range of areas (eg, sensitive data processing and data processing for employment purposes). However, these legislative initiatives at member state level are not aligned and therefore businesses find themselves – once again – in a situation where they have to comply with different member state laws in addition to the GDPR. Furthermore, almost all data protection authorities in the EU have published their own guidance and recommendations on how to comply with the GDPR, regardless of the guidelines that are being adopted at EU level (by representatives of the EU member state data protection authorities known as the Article 29 Working Party under the previous law). This variety of guidance and recommendations at EU and member state level is likely to trigger confusion for businesses that are trying to determine how to comply with the GDPR.
In April 2016, the European Commission launched a public consultation on the review of the ePrivacy Directive. This review, which intended to pursue consistency between the ePrivacy Directive and the GDPR, raised questions about whether it is still necessary and meaningful to have separate rules on ‘e-privacy’ now that the GDPR has been adopted. Following the 2016 consultation, the European Commission adopted on 10 January 2017 a proposal for a Regulation on Privacy and Electronic Communications (the ePrivacy Regulation), which is intended to replace the ePrivacy Directive. The proposal was forwarded simultaneously to the European Parliament, the Council and member state parliaments, as well as to the Committee of the Regions and the Economic and Social Committee for review and adoption. The goal was to have the final text adopted by 25 May 2018, when the GDPR became applicable, but that goal was not achieved. At the time of drafting, it is estimated that the Regulation will be finalised by 2019, but no definitive timeline has been provided by the European Commission.
In addition to revamping the legal framework for general data protection, there has been an increased focus on cybersecurity in the EU. Since the adoption of its EU Cybersecurity Strategy in 2013, the European Commission has made laudable efforts to better protect Europeans online, which culminated in an action plan to further strengthen the EU’s cyber resilience by establishing a contractual public-private partnership (PPP) with industry in July 2016. In addition, on 6 July 2016, the European Parliament adopted the Network and Information Security (NIS) Directive, which aims to protect ‘critical infrastructure’ in sectors such as energy, transport, banking and health, as well as key internet services. Businesses in these critical sectors will have to take additional security measures and notify serious data incidents to the relevant authority. The NIS Directive entered into force in August 2016, but member states had 21 months to transpose the NIS Directive into their national laws.
Moving outside Europe, the picture is more varied. From an EU perspective, the US has traditionally been considered to have less regard for the importance of personal information protection. However, the US has had a Privacy Act regulating government departments and agencies since 1974, and many of the 50 states have their own privacy laws. Contrary to the EU’s omnibus law approach, the US has adopted a sectoral approach to privacy and data protection. For instance, it has implemented specific privacy legislation aimed at protecting children online, the Children’s Online Privacy Protection Act 1998 (COPPA). It has also adopted specific privacy rules for health-related data, the Health Insurance Portability and Accountability Act (HIPAA). In October 2015, the US Senate passed the Cybersecurity Information Sharing Act (CISA), which aims to facilitate the sharing of information on cyber threats between private companies and US intelligence agencies. A few months later, the US Department of Homeland Security (DHS) issued guidelines and procedures for sharing information under the CISA. The Judicial Redress Act was enacted in February 2016 as a gesture to the EU that the US is taking privacy seriously. The Judicial Redress Act is designed to ensure that all EU citizens have the right to enforce data protection rights in US courts. In May 2017, President Trump signed a Presidential Executive Order aimed at strengthening the cybersecurity of federal networks and critical infrastructure.
The US also used to be in the privileged position of having the EU–US Safe Harbor scheme, which had been recognised by the European Commission as providing adequate protection for the purposes of data transfers from the EU to the US. This formal finding of adequacy for companies that joined and complied with the Safe Harbor was heavily criticised in the EU following the Edward Snowden revelations. On 6 October 2015, in a landmark decision, the Court of Justice of the European Union (CJEU) declared the Safe Harbor invalid. This decision forced thousands of businesses that had relied directly or indirectly on the Safe Harbor to look for alternative ways of transferring personal information from the EU to the US. To address the legal vacuum that was created following the invalidation of the Safe Harbor, the European Commission and the United States agreed in February 2016 on a new framework for transatlantic data transfers: the EU–US Privacy Shield. In accordance with the EU–US Privacy Shield adequacy decision that was adopted in July 2016, the first joint annual review of the Privacy Shield and how it functions in practice took place in September 2017. In its report concluding the first review, the European Commission reiterated its support for the Privacy Shield while outlining certain areas in need of improvement, including the need for ongoing monitoring of compliance with the Privacy Shield Principles by the Department of Commerce and strengthening of the privacy protections contained in the US Foreign Intelligence Surveillance Act. In addition, it remains to be seen whether the Privacy Shield will pass the scrutiny of the CJEU. In April 2018, the Irish High Court referred a number of questions to the CJEU, including whether the rights of EU citizens are being adequately protected by the Privacy Shield framework.
In the Asia-Pacific region, the early adopters of privacy and data protection laws – Australia, New Zealand and Hong Kong – have been joined by most of the other major jurisdictions. In early 2017, Australia amended its privacy act to introduce data breach notification requirements replacing the previous voluntary regime. China adopted a comprehensive Cybersecurity Law that came into effect on 1 June 2017. The Cybersecurity Law contains a data localisation requirement applicable to operators of critical information infrastructure. A draft regulation would expand restrictions on cross-border data transfers to all ‘network operators’. The law also imposes personal information protection obligations (eg, notice and consent requirements) on network operators, in addition to a data breach notification requirement and obligations to implement cybersecurity protocols. Additional regulations and guidelines also are being considered in relation to the Cybersecurity Law, including draft guidelines concerning the security assessment of cross-border transfers of personal information and important data. Furthermore, on 1 May 2018, the Information Security Technology – Personal Information Security Specification (the Specification) came into effect in China, providing a best practices guide for the processing of personal information. While the Specification is not binding and cannot be used as a direct basis for enforcement, agencies in China can still use the Specification as a reference or guideline in their administration and enforcement activities. In April 2018, the Hong Kong Privacy Commissioner for Personal Data announced plans to review and update the 1996 data protection law in light of the GDPR and recent large-scale data breaches affecting Hong Kong citizens’ personal data. In December 2016, Indonesia adopted its first data protection law, which focuses on the processing of personal information through electronic media. Japan amended its Personal Information Protection Act in September 2015, creating an independent data protection authority and imposing restrictions on cross-border data transfers (which took effect in September 2017). On 17 July 2018, the EU and Japan successfully concluded negotiations on a reciprocal finding of an adequate level of data protection, thereby agreeing to recognise each other’s data protection systems as ‘equivalent’. This will allow personal data to flow legally between the EU and Japan, without being subject to any further safeguards or authorisations. The Personal Data Protection Standard in Malaysia came into force in December 2015 and complements the existing data protection law. The Malaysian data protection authority recently launched a public consultation on the rules regarding cross-border data transfers, which included an initial ‘whitelist’ of jurisdictions deemed adequate for overseas transfers. In the Philippines, the implementing rules for the Data Privacy Act of 2012 took effect in September 2016 and the law introduced GDPR-inspired concepts, such as a data protection officer designation and 72-hour breach notification requirements. Having one of the most advanced data protection regimes in the region, Singapore passed its Cybersecurity Act in February 2018, which provides a national framework for the prevention and management of cyber incidents. South Korea has lived up to its reputation as having one of the most strict data protection regimes in the Asia-Pacific region. The European Commission is actively engaging with South Korea regarding the possibility of recognising South Korean data protection law as adequate and hence allowing unrestricted transfers of personal information to South Korea. There is currently no specific data protection law in Thailand, but in April 2018, the Thai government published a revised draft of its Personal Data Protection Bill, which is general in scope and moves away from the country’s sector-specific approach to privacy protection. Finally, in Taiwan amendments to the Personal Information Protection Act came into effect in March 2016. The amendments introduce, inter alia, rules for processing sensitive personal information.
Latin America has seen a noticeable increase in legislative initiatives in recent years. Only a handful of Latin American countries currently do not have specific privacy and data protection laws. Argentina and Uruguay have modelled their data protection laws on the former EU approach (under the EU Data Protection Directive), which explains why they are the only Latin American countries considered by the European Commission as providing an adequate level of data protection. In February 2017, Argentina initiated a revision process to align its data protection law with the EU GDPR, introducing concepts such as data portability and 72-hour breach reporting. Chile, Costa Rica, Panama and Peru have launched similar initiatives, while in January 2017 Mexico expanded the scope of its data protection law to cover data processing by private and public persons or entities. Nicaragua passed its data protection law in 2012, but it does not have a fully functioning data protection authority at this point. Other countries in Latin America have some degree of constitutional protection for privacy, including a right to habeas data, for example, in Brazil and Paraguay. On 10 July 2018, Brazil’s Federal Senate approved a comprehensive data protection bill that was inspired by the GDPR. The Bill will take effect 18 months after it is published in Brazil’s Federal Gazette.
The global gaps in coverage lie in Africa and the Middle East. However, the number of countries with laws impacting personal information is steadily rising in both regions. As noted earlier, the African Union adopted a Convention on Cyber Security and Personal Data Protection in June 2014. There were initially concerns that the Convention was too vague and insufficiently focused on privacy rights. In May 2017, the Commission of the African Union and the Internet Society issued guidelines and recommendations to address these concerns. An increasing number of African countries are implementing data protection laws as well as cybersecurity regulations irrespective of the Convention. Angola, for example, introduced its data protection law in 2011 and approved a law in 2016 that would create a data protection authority, although such an authority has not yet been established. Equatorial Guinea’s new data protection law entered into force in August 2016, and is clearly inspired by EU data protection standards. Mauritania adopted data protection rules in June 2017, while South Africa passed a data protection law based on the (former) EU model in 2013, which is not fully in force yet but is expected to be fully effective by the end of 2018. In October 2015, the South African government created a virtual national cybersecurity hub to foster cooperation between the government and private companies. It also introduced a Cybercrimes and Cybersecurity Bill in December 2017. Tanzania passed its Cyber Crime Act in September 2015, and Uganda is still in the process of preparing the adoption of its first privacy and data protection bill. Four African countries joined Convention 108 between 2016 and 2017: Cape Verde, Mauritius, Senegal and Tunisia. Mauritius also amended its data protection law in light of the EU GDPR, while Morocco published a Q&A in June 2017 on the possible impact of the GDPR on Moroccan companies.
In the Middle East there are several laws that cover specific industry sectors but, apart from Israel, few countries have comprehensive data protection laws. Israel updated its data protection law in March 2017 by adding data security-related obligations, including data breach notification requirements. The European Commission recognises Israel as a jurisdiction that provides an adequate level of protection of personal data. Qatar passed its first data protection law in November 2016, which is largely inspired by EU data protection principles. In January 2018, the Dubai International Financial Centre Authority of the UAE amended its existing data protection law to bring it in line with the EU GDPR. The UAE’s Abu Dhabi Global Market enacted similar amendments to its data protection regulations in February 2018.
Now more than ever, global businesses face the challenge of complying with a myriad of laws and regulations on privacy, data protection and cybersecurity. This can make it difficult to roll out new programmes, technologies and policies with a single, harmonised approach. In some countries, restrictions on cross-border data transfers will apply, while in others localisation requirements may require data to be kept in the country. In some jurisdictions, processing personal information generally requires individuals’ consent, while in others consent should be used in exceptional situations only. Some countries have special rules on, for example, employee monitoring. Other countries rely on vague constitutional language.
This publication can hopefully continue to serve as a compass to those doing business globally and help them navigate the (increasingly) murky waters of privacy and data protection.