Friday 28 January 2022 is Data Protection Day (or Data Privacy Day outside of Europe), which marks the anniversary of the Council of Europe’s Convention 108.
To mark Data Protection Day 2022, our Global Data Privacy and Security Team have provided a roundup of key trends and developments across the globe from a data protection perspective as well as looking ahead to what to expect in 2022.
There are new laws and developments to keep up with in various jurisdictions including the Personal Information Protection Law in China, new laws coming into force in Thailand, amendments to existing legislation in Singapore and Japan, as well as various state developments in the US, and reforms or proposals in Vietnam, Australia and other jurisdictions.
From an EU perspective, a key area companies will be focusing on in 2022 is replacing existing data transfer agreements based on the old Standard Contractual Clauses with the new EU Standard Contractual Clauses before the 27 December 2022 deadline, together with the associated compliance work flowing from the Schrems II decision (transfer impact assessments and, where needed, supplementary measures). From a UK perspective, the outcome of the ICO data transfer consultation was published on 28 January 2022, paving the way for use of the UK International Data Transfer Agreement and the UK Addendum to the EU Standard Contractual Clauses under the UK GDPR, both of which come into force on 21 March 2022.
You can find more information on these developments and many others in our summary below.
UK
International data transfers
The ICO launched a consultation on data transfers under the UK GDPR, which closed at the end of last year. Following that consultation, on 28 January 2022 the Secretary of State laid the international data transfer agreement (“IDTA”) and UK addendum to the new EU Standard Contractual Clauses (“UK Addendum”) before Parliament, together with a document setting out transitional provisions for the purposes of the UK GDPR and UK Data Protection Act regarding the use of the standard data protection clauses for international transfers approved by the European Commission under the Data Protection Directive.
The IDTA, UK Addendum and transitional provisions will now lie before Parliament until they come into force on 21 March 2022.
The IDTA and UK Addendum will replace use of the previous EU Standard Contractual Clauses (approved by the European Commission) under the UK GDPR (“Directive SCCs”).
In terms of timing, contracts concluded on or before 21 September 2022 on the basis of the Directive SCCs continue to provide appropriate safeguards for the purposes of the UK GDPR until 21 March 2024, provided the processing operations and the subject matter of the contract remain unchanged and reliance on those Directive SCCs still ensures that the transfer is subject to appropriate safeguards. Organisations therefore have some time to update existing agreements based on the Directive SCCs. New contracts for transfers from the UK entered into after 21 September 2022 must use either the UK Addendum to the new EU SCCs or the IDTA, although either may be used for new contracts as soon as they come into force on 21 March 2022.
The IDTA uses the term “linked agreement”, which refers to an agreement between the importer and exporter, for example where the importer is a processor and Art 28 data processing terms are set out in an existing or separate agreement. In certain circumstances the IDTA allows the parties to cross-refer to the relevant section of the linked agreement rather than repeating it.
An important difference between the new EU Standard Contractual Clauses and the IDTA is that the IDTA does not include Art 28 data processing terms. Instead, there is a provision which states if the importer is a processor or sub-processor, there is a linked agreement that includes those Art 28 obligations. In addition, the IDTA does not adopt the same “modular” approach as the new EU Standard Contractual Clauses.
In relation to the new EU Standard Contractual Clauses there is the option of a “UK Addendum”. This is a short template document which makes amendments or additions from a UK perspective (e.g. referring to the UK rather than the EU, UK Data Protection Laws rather than EU GDPR, ICO rather than supervisory authority etc).
It is likely that use of the EU Standard Contractual Clauses with a UK Addendum will be the most practical solution for many organisations that are transferring personal data from both the EU and UK in order to maintain consistency.
Consultation on reforms to UK data protection laws
The Department for Digital, Culture, Media and Sport published a consultation (“Data: a new direction”) on proposed amendments to UK data protection law, which closed in November 2021. Although the outcome of that consultation is yet to be published and there is no draft legislation at this stage, it indicates that the current government is considering various changes to UK data protection laws in the future.
In summary, some of the key proposed changes include:
Children’s Personal Data
The processing of children’s personal data will continue to be a focus area in 2022 and beyond. Organisations are now required to comply with the ICO’s Age Appropriate Design Code as of 2 September 2021. The Code applies to online services “likely” to be accessed or used by a child, which for these purposes is anyone under the age of 18.
The ICO stated in August 2021 that in its view some of the biggest risks in this context relate to social media platforms, video and music streaming sites and video gaming platforms, and that the ICO would be taking a proactive approach in requiring organisations in those sectors to explain how their services are designed in line with the Code. The ICO also published an opinion on age assurance under the Code in October 2021, which provided additional information on the ICO’s expectations regarding age assurance in the context of the Code.
Germany
International data transfers
International data transfers continue to be a hot topic. Companies must complete the implementation of the revised EU Standard Contractual Clauses for data transfers to third countries by 27 December 2022 (the earlier deadline of 27 September 2021 already applies, for example, where the data processing operations under an existing agreement based on the previous EU Standard Contractual Clauses have changed) and comply with the requirements of the Schrems II decision, in particular by carrying out transfer impact assessments and, if applicable, taking supplementary measures.
We expect an increase of enforcement in the aftermath of Schrems II in Germany, on the one hand due to complaints by individuals and on the other hand because some of the German data protection authorities have also started to actively enforce the Schrems II decision by reaching out to selected companies via questionnaires that they developed on the topics of mail hosting, website hosting, web tracking, applicant portals and intra-group data transfers. The questionnaires are quite detailed and contain questions such as: “If you have concluded that the recipient can in fact guarantee compliance with the contractual obligations under the SCCs: Please describe in detail your reasons for this conclusion and provide appropriate evidence.”
Cookies
Germany’s new Telecommunications and Telemedia Data Protection Act (“TTDSG”) entered into force on December 1, 2021. The TTDSG is intended to unify Germany’s existing rules on data protection in telecommunications and telemedia in one comprehensive law and to finally implement the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC). In relation to cookies, the TTDSG includes language and requirements similar to the ePrivacy Directive, and its scope of application is quite broad. The German data protection authorities published guidance on the interpretation of the TTDSG in December 2021. Some of the German data protection authorities have already carried out proactive website audits, including “cookie compliance” checks, or have become active following complaints about the use of cookies. We expect enforcement in the area of cookies to be a hot topic in 2022.
Cybersecurity
Ransomware attacks and other data security threats have increased during the last few years, and so have personal data breach notifications under Art. 33 and 34 of the GDPR. We expect more private actions as well as more enforcement from the data protection authorities on this topic. In December 2021 one of the German data protection authorities proactively started ransomware prevention audits by reaching out to companies with questionnaires on IT security. The goals are to increase enforcement in this area as well as increasing awareness and protection against cybersecurity threats.
Enforcement and data disputes
In the last few years, there have been a number of multi-million Euro fines in Germany. In the meantime, there have also been court decisions that significantly reduced one multi-million Euro fine and declared another multi-million Euro fine invalid.
In 2022 we expect to see more enforcement by the data protection authorities, such as audits and (high) fines – at the same time, more litigation challenging authority orders and fines is likely. Private actions, such as claims of individuals for non-material damages and other data disputes, such as claims between controllers and processors are also expected to increase.
France
More record sanctions
At the French Data Protection Authority (the “CNIL”), the end of 2021 had an “air of déjà vu”, with another period of high enforcement activity (investigations and fines). In December 2021, the CNIL issued fines of 150 million Euros and 60 million Euros in relation to the placing of cookies on users’ computers without their consent, topping the previous record of 100 million Euros. Among the numerous other sanctions, the CNIL fined a company 400,000 Euros for failing to inform individuals about records used for lobbying purposes. It is noteworthy that several of these sanctions demonstrate the CNIL’s strong interest in the security measures implemented by organisations and their effectiveness, which in certain decisions (such as the 300,000 Euro sanction of December 2021 against a French Internet Service Provider) is combined with an interest in the obligation to protect individuals’ data by design.
Enforcement actions – focus on cookies and health data
In its communication on priority issues for 2021 released in March 2021, the CNIL announced that it will focus its inspections on three topics as part of that strategy:
Based on this inspection strategy, the CNIL has already investigated organisations regarding these topics and imposed fines on some of them, in particular regarding the use of cookies (see the sanctions mentioned above). The CNIL has announced that it will continue online inspections and send formal notices to comply where applicable, in particular to ensure that end users are given the option to refuse cookies as easily as accepting them.
Several new guidelines and sandboxes for innovation
The CNIL published new guidance on several other topics. In January 2022, two major sets of guidance were released by the CNIL: (1) a legal framework for determining whether, and under which conditions, a processor may use personal data obtained from a controller for purposes broader than strictly providing services to that controller; and (2) the conditions under which employees may access their personal data, including data contained in professional emails. In November 2021, the CNIL also published a practical guide clarifying the DPO’s missions and functions. Finally, as announced in the strategic roadmap in the CNIL’s annual report, the French regulator has started “sandbox” initiatives to support innovative projects in the fields of digital health and education.
Austria
Enforcement actions with (multi-)million Euro fines
The Austrian Data Protection Authority (“DPA”) has had an active year. Most notably, in 2021 and the beginning of 2022, the DPA issued several decisions imposing fines in the millions for alleged GDPR violations, including the following (not yet binding) decisions:
Hot topic for 2022: The practical application of Schrems II
In a landmark decision issued in January 2022, the Austrian DPA delivered the first major DPA decision in Europe after Schrems II dealing with international data transfers from the EU to the U.S. In this declaratory decision, the DPA reasoned that the transferred data (the specific cookies, the title of a visited website, the date and time of the visit, and browser-related information such as screen resolution and language settings) qualified as personal data because they made the user “distinguishable”, which the DPA essentially equated with “identifiable”. If the IDs stored in the cookies were combined with the browser-related data and the IP address, this would (in the DPA’s opinion) result in a digital fingerprint that would qualify as personal data in any case. Further, the DPA argued that U.S. intelligence authorities could identify the data subject anyway. Without considering the practical risk or the actual practice of U.S. authorities, the DPA then found that the widely used supplementary measures intended to ensure an adequate level of protection for the personal data would not suffice.
This decision will most certainly not be the last one that European DPAs issue on this topic, given that more than 100 similar complaints are pending with various EEA member states.
COVID-19 and data protection
The DPA had to decide a number of COVID-19-related complaints, including the following:
Belgium
The Belgian Data Protection Authority (“DPA”) has been active in 2021, including by:
Guidance and Recommendations
In 2021, the Belgian DPA published key guidance and recommendations, notably on:
Adoption of Codes of Conduct
The Belgian DPA has adopted its first national and transnational Codes of Conduct in 2021.
In particular, in May 2021, following a favourable opinion by the European Data Protection Board, the Belgian DPA approved its first transnational code of conduct: the EU Cloud CoC, a European code of conduct for cloud services.
The EU Cloud CoC incorporates the requirements applying to processors under Art. 28 GDPR and other relevant related articles of the GDPR as applicable to the cloud market (including IaaS, PaaS, SaaS).
Investigations
According to the Belgian DPA, 27 authorities have indicated their willingness to be involved in the procedure. These authorities had 4 weeks to provide their feedback.
The next steps in the cooperation procedure are:
Developments expected in 2022
Italy
Over recent months, the Italian Data Protection Authority (the “Garante”) has been fairly active in terms of both enforcement and issuing guidelines and general provisions.
The Garante has been actively involved in all stages of the preparation and issuance of Covid-related provisions. Italy was the first European country to adopt a national Covid certificate (the so-called Green Pass), to make the Green Pass check a prerequisite for workers to access the workplace, and to require it for individuals to access other spaces.
Recently, vaccination has been made mandatory for individuals aged 50 and over, which has led to the launch of a ‘super’ Green Pass. Especially in the employment sector, checking the Green Pass (both the base and the super Green Pass) entails the processing of personal data and also health data. The Garante has therefore worked closely with the Government to provide guidance on how to collect, process and store this information. The Garante has also been involved in the launch of new functionalities of the Italian Covid app (named Immuni).
On the internet front, the Garante’s Guidelines on cookies entered into force in January 2022, after a grace period granted to companies to align with the new rules. Generally, the Garante’s indications are in line with those of other European data protection authorities, although there are some differences regarding the use of cookies for analytics and the content and functionality of the cookie banner. We expect specific enforcement activities to be launched now that the new rules are in place.
The Garante has issued significant fines targeting the marketing/telemarketing sector, where companies from different industry sectors (from telecoms to utilities and call centres) have been sanctioned for the collection and use of personal data in breach of (mainly) the information and consent requirements.
The Garante has also been focused on the digital environment, especially IT platforms and social networks which resulted in investigations and also general guidance to individuals to protect their privacy rights while online.
The process of GDPR certification is continuing, through the adoption of additional requirements for accreditation of certification bodies, in coordination with the EDPB.
The Garante also tackled the issue of whistleblowing systems. In a proceeding investigating the setup and functioning of a whistleblowing system, the authority specified how these kinds of systems should be organised to fulfil, among others, the principles of Privacy by Design, Privacy by Default and proportionality. This proceeding took place before the EU Whistleblowing Directive (Directive (EU) 2019/1937) was implemented in Europe; nonetheless it provides useful indications to consider, particularly for the adoption of whistleblowing systems under the new Directive.
The rules governing the public opt-out register for telemarketing calls have recently been modified further due to intervention by the Garante. In summary, individuals will have the possibility to opt-out not only from calls with an operator, but also from automated calls made for marketing purposes. In addition, an individual’s subscription to the public opt-out register will also entail revoking former consents provided by the individual, in order to avoid possible misuse of their personal data.
In terms of issues on the radar screen of the authority for investigations, further to the fines for marketing and profiling activities, there is specific attention on the issues of the right to be forgotten, the IoT environment, the HR sector and investigations following data breaches.
Lastly, the Garante confirmed its presence and commitment to the activities of the EDPB and European initiatives on data protection.
Poland
Polish Data Protection in 2021
The Polish Data Protection Authority (Prezes Urzędu Ochrony Danych Osobowych – “PUODO”) was very busy in 2021, to some extent catching up after a slower 2020. The focus of PUODO is clear: data breach reporting.
On 22 April 2021, the PUODO imposed a fine of approx. 250,000 Euros (PLN 1,100,000) on a Polish pay-TV broadcaster for late identification of infringements. The company had not implemented appropriate technical and organisational measures in its cooperation with a courier company. Because no measures allowing for quick identification of violations were in place, data subjects were for a long time unaware of the risk of their data being used by unauthorised persons (e.g. the risk of identity theft) and were unable to take steps to limit such risks during that time, while the scope of personal data either lost or delivered to the wrong recipient was extensive. Although the infringements stemmed from irregularities on the part of the courier company, it was the data controller that had failed to properly supervise compliance with the contractual provisions, which resulted in the late identification of the infringements.
Similar decisions (although with lower penalties) were issued in a few other cases, with a focus both on notifications to the PUODO as well as notifying the data subjects.
Future plans
PUODO already issued its inspection plan for 2022. This covers:
Netherlands
Enforcement – 2021 broke records
In 2021, the Dutch Data Protection Authority (Dutch DPA) imposed around a dozen fines on companies and governmental organisations for various types of data protection (GDPR) violations. The enforcement activities indicate that the Dutch DPA is increasingly focussing on corrective and punitive action, rather than focussing on education and prevention (which it did in the early GDPR years). This is in line with previous announcements made by the Dutch DPA. Examples of enforcement action in 2021 include:
Until recently, no penalty imposed by the Dutch DPA since the GDPR came into force had exceeded 900,000 Euros. This is in line with the Dutch DPA’s sanction policy rules, on the basis of which the Dutch DPA determines the amount of fines for GDPR violations (and on the basis of which its fines have not reached, and are unlikely to reach, the GDPR maximum).
However, in December 2021 the Dutch DPA imposed a fine of 2,750,000 Euros on the Dutch Tax Authority for conducting years of unlawful, discriminatory processing of personal data pertaining to the (double) nationality of individuals for automated decision making around (childcare) allowances. This controversy caused serious (financial) harm to affected individuals, led the Dutch government to resign and shocked Dutch society, enough reason for the Dutch DPA to impose a record-breaking fine.
Civil law action – incentive to claim
More and more individuals and other stakeholders are finding their way to the civil courts in cases of privacy (GDPR) violations. As Dutch civil law in principle leaves no room for punitive damages, individual court cases generally do not lead to significant damages being awarded for data protection law violations.
That said, since new legislation came into force in 2020 it has been legally possible for representative bodies to claim mass damages on behalf of a group of individuals in class action proceedings. A number of class actions with mass damage claims have been initiated against (tech) companies allegedly violating privacy legislation, with claims going up to 6 billion Euros (comprising an amount for each of the individuals represented). At this moment in time, the cases initiated have not yet been decided, and it remains to be seen how these claims will be handled by the Dutch courts.
Dutch DPA focus areas 2022
At the end of 2019, the Dutch DPA announced its focus areas for 2020-2023, with the overarching theme being “data protection in a digital society”. In its announcement, the Dutch DPA identified three key topics that it will keep a particularly close eye on and enforce as a matter of priority:
The Dutch DPA’s focus is built around its risk-based approach to supervision: in addition to its regular enforcement activities, such as investigating data breaches, handling complaints from individuals and supporting DPOs, the Dutch DPA focuses on those subjects that it considers to carry a high privacy risk for the general public. The Dutch DPA may use various instruments to give effect to its supervisory focus, including regulatory guidance, information campaigns aimed at the general public, and enforcement action.
Hungary
The Hungarian Data Protection Authority (“NAIH”), acting either ex officio or at the request of a data subject, regularly imposes data protection fines. However, these have been moderate amounts to date. The highest fine imposed to date was HUF 100,000,000 and fines rarely reach HUF 10,000,000. Further, most NAIH enforcement procedures resulting in fines to date began with a data subject complaint lodged with the NAIH.
The NAIH investigations regularly focus on data breaches, infringement of data subject rights, determination and documentation of proper legal bases (e.g., legitimate interest balancing tests), CCTV and voice recordings, and processing of minors’ personal data. The NAIH published several notifications regarding the COVID-19 pandemic, including regarding processing data related to the coronavirus pandemic at workplaces.
Switzerland
International data transfers
International data transfers remain a hot topic in Switzerland as well. The Federal Data Protection and Information Commissioner (FDPIC) communicated in August 2021 that it recognises the revised EU Standard Contractual Clauses, in connection with Swiss-specific amendments published by the FDPIC, as a basis for transfers of personal data to a country without an adequate level of data protection.
The old EU Standard Contractual Clauses may be used during a transitional period until 31 December 2022.
Entering into force of the revised Federal Data Protection Act
The revised Federal Data Protection Act (revFADP) was adopted by the Swiss Parliament in September 2020. Per official communication, it will enter into force in the second half of 2022, although an official date has not yet been announced. On 23 June 2021, the draft of the fully revised ordinance to the revFADP was published. However, the text of the ordinance was criticised vehemently during the subsequent consultation process, in particular because of its imprecise language and provisions that are stricter than those in the underlying revFADP. It is not yet clear when the final text of the ordinance will be published, and extensive revisions are expected.
The revFADP introduces significant changes compared to the current FADP. This mainly concerns governance obligations and new, higher fines. However, the basic principles remain the same. The principle of permissibility of data processing continues to apply in Switzerland. A specific basis for the legitimisation of data processing, such as consent, is only required under certain circumstances.
The most important changes include the following:
By and large, companies that are compliant with the GDPR will be in a good position and will likely only need to make a few adjustments in order to meet the requirements of the revFADP. On the other hand, companies that previously only met the requirements of the current law are advised, in particular because of the newly introduced governance obligations and the new, higher fines, to address the new provisions immediately and introduce corresponding processes. This is all the more important as the revFADP does not contain any relevant transition periods.
Turkey
GDPR Compliance – Cross Border Data Transfers and Sensitive Data Processing
On March 23 2021, the Turkish Ministry of Treasury and Finance published the Economy Reform Package, which contains action items relating to the amendments to the Turkish Data Protection Law No. 6698, in particular, provisions on cross-border data transfers, as part of legislative efforts to comply with the EU’s General Data Protection Regulation (GDPR). The deadline for this action item is March 31 2022.
Although no official draft law has been published by the Turkish Parliament, the Turkish Data Protection Authority has referred on a number of occasions to its legislative efforts towards GDPR compliance, noting that the amendments to the Turkish Data Protection Law will mainly concern: (i) Article 6, which regulates the processing of special categories of personal data (i.e. sensitive data); and (ii) Article 9, which regulates cross-border data transfers.
Cross-border data transfer rules have been a hot topic since the Turkish Data Protection Law entered into force back in 2016. The debates regarding this topic have mainly been due to the lack of: (i) a “safe country” list, which hasn’t been published by the Turkish Data Protection Authority; and (ii) alternative short-term legal mechanisms for cross-border data transfers, other than explicit consent.
Cookies
On January 11 2022, the Turkish Data Protection Authority officially opened its Draft Cookie Guidelines for public consultation, marking the first extensive cookie guidance under Turkish data privacy law. Stakeholders have until February 10 2022 to submit their responses to the Turkish Data Protection Authority. The draft guidelines largely follow the EU-based cookie rules published by a variety of data protection authorities, including the Information Commissioner’s Office (“ICO”) of the UK and the Commission Nationale de l’Informatique et des Libertés (“CNIL”) of France.
Under the draft guidelines, the Turkish Data Protection Authority distinguishes between essential and non-essential cookies, and explains that the use of certain types of cookies for data processing requires the data subject’s consent. In line with EU practice, the Turkish DPA addresses granular consent mechanisms, cookie walls and notice requirements, and provides examples of “good” and “bad” cookie practices.
COVID-19 Guidance
In 2020 and 2021, the Turkish Data Protection Authority published various guidance for data processing activities during the COVID-19 pandemic. In its announcements, the Turkish Data Protection Authority underlined the importance of compliance with health data processing rules and notice requirements, and clarified certain exemptions from data privacy law requirements in connection with COVID-19 measures.
Enforcement
Despite the negative impact of the pandemic on the administrative processes of the Turkish Data Protection Authority, the Authority has still been quite active in issuing new decisions and guidance. The Turkish Data Protection Authority announced that it issued a total of TRY 57.4 million (approx. USD 4 million) administrative fines as of October 2021. The Authority has also imposed its largest administrative fine to date at TRY 1,950,000 (approx. USD 150,000) in 2021.
Australia
Australia is in the process of reforming the Privacy Act 1988 (Cth) (the “Privacy Act”), in response to growing criticism that the legislation does not adequately address modern technology and data handling practices, and that Australia has fallen behind other regions with more stringent data protection laws, such as the European Union’s General Data Protection Regulation. However, changing a long-established data protection regime is not a quick or easy process, and requires considerable consultation. Although the Federal government first announced plans for some reforms and an extensive review of the Privacy Act in 2019, it was not until late 2020 that consultation began, with the publication of a high level issues paper. Progress then slowed until late 2021, when the government published an exposure draft of an Online Privacy Bill to introduce a first set of legislative changes and a discussion paper containing proposals for more extensive reforms.
Stage One Reforms: Online Privacy Bill
The exposure draft of the Online Privacy Bill proposes to create a binding online privacy code which will apply to social media services, data brokers, and certain large online platforms operating in Australia. Service providers and platform operators subject to the code will need to comply with strict new privacy requirements, including stronger protections for children on social media. Among other things, this code will:
The draft Online Privacy Bill also seeks to introduce harsher maximum penalties for breach of the Privacy Act, of potentially A$10 million or more (to match the Australian Consumer Law), and additional enforcement powers for Australia’s privacy regulator, the Office of the Australian Information Commissioner (“OAIC”). The scope of the Privacy Act’s extra-territoriality provisions would also be clarified, with the effect that foreign organisations that carry on a business in Australia will generally be regulated, even if they do not collect or hold personal information directly from a source in Australia.
A public consultation on the Online Privacy Bill closed on 6 December 2021, and the government is currently considering submissions received.
Stage Two Reforms: Discussion Paper
The government’s discussion paper for review of the Privacy Act proposes significant further reforms, building on the Online Privacy Bill, including:
Looking Ahead to 2022
During 2022, we would expect that the government will introduce the Online Privacy Bill to parliament, although an upcoming Federal election does create some uncertainty. The stage two reforms will take longer to progress, with the next step expected to be publication of draft legislation. It remains to be seen exactly how many of the discussion paper’s proposals will be adopted. However, given that the OAIC has recently reiterated its support for the proposed reforms, we expect many of the proposals will progress and there will be a significant step change in Australia’s privacy legislation in the near future. Additionally, the government has recently instigated a parliamentary inquiry into social media and online safety, which is investigating matters that may ultimately lead to further measures targeting digital platforms’ activities, including their collection and use of data. All in all, 2022 is shaping up to be an interesting year for privacy in Australia; watch this space for further developments.
Thailand
Following two year-long postponements by the Thai Government due to the COVID-19 pandemic, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is finally due to come into effect on 1 June 2022. The PDPA provides a set of comprehensive regulations on the collection, use, disclosure and cross-border transfer of personal data, as well as corrective measures for data subjects whose data protection rights are violated.
The foundations of the PDPA were inspired by the EU General Data Protection Regulation (GDPR), which provides broad protection for data subjects while also helping international businesses by allowing them to implement similar security measures across ASEAN countries. The most notable PDPA requirements influenced by the GDPR include the treatment of sensitive personal data (although the PDPA provides more restrictive legal exemptions), lawfulness of processing, consent requirements, privacy notices, and the rights of data subjects. However, before the PDPA comes into effect, Thailand’s competent authority, the Personal Data Protection Committee (“PDPC”), is set to announce supplementary rules to ensure that other Thai laws are not contradicted. The PDPC was officially established in January this year and is expected to hold its first meeting in February, which should further shed some light on the specifics of the new law as the PDPC looks to ensure that the PDPA is fully enforced from 1 June.
Compliance with the PDPA is mandatory for all businesses and organisations that handle personal data and operate in Thailand. Throughout the postponement period, businesses have been encouraged to implement security measures in preparation for the launch of a new data protection law this year and further sub-regulations have been issued during this time that will aid businesses in effectively protecting personal data. Security obligations that have been set out for businesses and organisations include, among others:
For any businesses operating in Thailand that have yet to implement the measures set out in the PDPA, it is imperative that they use the next five months to do so and to train all staff so that they can competently deal with any data protection issues that may arise once the PDPA goes live in June. As official sources have indicated that there will not be another postponement, this really is the last chance for those who will be affected to become compliant.
Vietnam
At present, Vietnam does not have a unified legal framework regulating data privacy related issues. However, in February 2021, the Ministry of Public Security (“MPS”) proposed the first comprehensive legislation in Vietnam for personal information protection in the form of a Governmental Decree, with the draft decree being published in April 2021 and a revised draft in September 2021. You can read more about the key points in the proposed reforms in our update here.
Singapore
Most of the major amendments to the Personal Data Protection Act (“PDPA”) came into effect on 1 February 2021. The amendments that have yet to be commenced relate to: (i) provision for increased financial penalties of up to 10% of an organisation’s annual gross turnover in Singapore for breaches of the PDPA; and (ii) data portability. There may be renewed focus on these provisions this year. The Personal Data Protection Commission (PDPC) had previously indicated that it does not intend to commence with increased financial penalties until at least 1 February 2022. The exact commencement date is pending further guidance. On the data portability provisions, the PDPC intends to issue further regulations before commencement of these provisions. Additional information on these data portability regulations could be made available if the PDPC decides to proceed with a public consultation of these regulations this year. With the combination of increased prevalence of cybersecurity incidents and the commencement of the mandatory data breach regime in 2021, we expect more organisations to be handling data breaches and navigating the associated legal nuances.
Hong Kong
Hong Kong’s data protection law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), has been amended to introduce “anti-doxxing” provisions. The new regime creates offences to curb doxxing activities, and empowers the Privacy Commissioner for Personal Data (“Commissioner”) to carry out criminal investigations, institute prosecutions, and issue cessation notices. The changes came into effect on 8 October 2021.
“Doxxing” refers to the gathering of personal data of a specific targeted person and/or related persons (such as family members) through various means, e.g. public registers and discussion platforms, and disclosing this personal data on the Internet, social media or other open platforms (such as public places).
Major “anti-doxxing” provisions
New offences
The Commissioner’s new powers
The Commissioner may issue a written notice requiring any person to provide relevant materials and answer questions to facilitate an investigation; apply for a warrant to enter and search premises and seize materials for investigation, or to access an electronic device; stop, search and arrest any person who is reasonably suspected of having committed a doxxing-related offence; and prosecute, in the name of the Commissioner, a doxxing-related offence triable summarily in the Magistrates’ Court.
Cessation notices
The Commissioner may serve a cessation notice on a Hong Kong person, or a non-Hong Kong service provider that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person, who is able to take a cessation action. A cessation notice may only be served on non-Hong Kong service providers in relation to electronic messages. Cessation actions, in relation to an electronic message, include removing the subject message, ceasing or restricting access to the message or the relevant platform (in whole or in part), and discontinuing the hosting service for the relevant platform (in whole or in part).
Comments
The changes are most relevant to platform and online service providers (such as social media platforms). Where doxxing occurs on or via their platforms or services, they may be the recipient of a cessation notice from the Commissioner which requests the removal of doxxing messages, and it is a criminal offence to contravene a cessation notice (the person who commits the offence is liable to a fine and imprisonment). As cessation notices may be served on non-Hong Kong service providers, the amendments impact both Hong Kong and overseas businesses.
From an enforcement perspective, the Commissioner made its first arrest under the regime on 13 December 2021. An individual was arrested after the Commissioner received a report from an alleged victim that the suspect had posted the victim’s personal details on an online platform. The matter is said to relate to a monetary dispute between the suspect and the alleged victim. During the course of its operation, the Commissioner also seized one smartphone in relation to the case.
China
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) was passed on 20 August 2021 and came into effect on 1 November 2021. This is the first piece of consolidated and comprehensive legislation in China that seeks to regulate the processing of personal information and address personal information protection.
The law has introduced specific obligations that apply to individuals and organisations that process the personal information of natural persons residing in China (we have used the term “Chinese residents” in this section for convenience). The scope and structure of the PIPL are similar to the GDPR in many respects, yet the PIPL also differs from the GDPR in various ways. Some of the requirements under the PIPL are in fact more stringent than those under the GDPR, so companies and organisations cannot assume that measures or practices that are GDPR-compliant are necessarily PIPL-compliant.
The geographical scope of application of the PIPL regime is beyond the domestic jurisdiction. It also applies to processing activities conducted outside China involving personal information of Chinese residents where the processing activities: (i) are for the purpose of offering products or services to individuals in China, (ii) analyse and evaluate the behaviour of individuals in China, or (iii) meet other circumstances provided under Chinese laws or administrative regulations.
Among other things, the PIPL imposes heightened disclosure and consent requirements with respect to the processing of sensitive information and cross-border provision (transfer) of personal information: the name and contact details of each and every foreign recipient must be disclosed and separate consent from the data subjects is required. In addition, controllers are mandated to conduct personal information protection impact assessments (akin to Data Protection Impact Assessments (DPIAs) under the GDPR) under a number of data processing scenarios, which are more extensive than that prescribed for DPIAs under the GDPR. Further, there are data localisation requirements for operators of critical information infrastructure and controllers who process personal information above the statutory volume threshold (which is to be announced but likely to be 1 million data subjects), as well as strict cross-border data transfer controls.
Another key development is the Data Security Law of the People’s Republic of China (DSL), which was passed on 10 June 2021 and came into effect on 1 September 2021. The DSL establishes a categorised and classified data security system and regulates the storage and transfer of information. One of its key focuses is the protection of data that is relevant to national security, the lifelines of the national economy, people’s livelihoods and public interests. It is worth noting that the DSL also applies to data processing activities conducted outside China that may “harm China’s national security or public interests, or the lawful rights of any Chinese citizen or organisation”.
The detailed requirements under the new laws are yet to be fleshed out by the Chinese authorities by way of Implementing Regulations / Rules, although some draft rules were released in the past few months. Companies and organisations should closely monitor the legislative developments to ensure that their China-related practices are compliant with the new laws.
Japan
The latest amendments to Japan’s privacy law, the Act on the Protection of Personal Information (“APPI”), will come into effect from 1 April 2022. The amendments, among other things, expand the scope of the data subjects’ rights, restrict the range of personal data that may be provided to third parties (including cookie data), and introduce mandatory obligations to report and notify data breach incidents. If an international data transfer is to be made based upon consent, then the name of the jurisdiction to which the data will be imported and certain information on the data protection laws of such jurisdiction will need to be provided to the data subject.
Middle East
In an effort to build and develop legal frameworks that support the growth of the digital economy, governments in the region are more focused than ever before on the critical importance of data and the regulations in place to control its processing. Permissive frameworks are tempered by data localisation requirements in respect of certain types of data and data gathered by certain technologies.
UAE and Saudi Arabia
To support their digital transformation mandates, the governments of both the UAE and Saudi Arabia passed their first standalone personal data protection laws towards the end of 2021. The establishment of new data protection regulators in both countries and the prospect of sanctions for breach mark the beginning of a new chapter for data protection compliance in both states. Both laws afford in-scope companies a grace period to bring their operations into line with the new requirements. However, certain key requirements remain to be addressed in the executive regulations, which are set to be issued in 2022. We will be monitoring developments closely and in particular we hope to learn when the executive regulations are published whether:
DIFC and ADGM
In terms of enforcement priorities, the DIFC Information Commissioner has confirmed that:
The grace period for achieving compliance with the updated ADGM Regulations will end on 14 February 2022, following which we are likely to see the ADGM Commissioner of Data Protection make an increased number of enquiries regarding the data protection compliance of ADGM businesses. These enquiries are most likely to be prompted by anomalies in the mandatory data processing filings, or indeed, the failure to file one in the first place.
Kuwait
Various new regulations were adopted by the Kuwaiti Communications and Information Technology Regulatory Authority (CITRA) over the course of 2021 and have established a data protection framework for the public and private sector in Kuwait. The most notable regulations are the Data Classification Resolution and the Data Protection Resolution. In 2022 we will find out how CITRA intends to interpret and apply these requirements in practice.
Qatar
Qatar published a long-awaited suite of regulatory guidelines in 2021, which are intended to implement the requirements of its 2016 Personal Data Protection Law. Whilst they are not legally binding, the guidelines set out helpful controls and checklists to support companies in achieving compliance with the Personal Data Protection Law. These guidelines are set to bridge the gap between the requirements of the law and their practical application, to help parties understand their regulatory responsibilities. In some cases the requirements introduced go further by implementing new standards that were not necessarily mentioned in the 2016 law. In light of these guidelines we expect to see a fundamental shift in how businesses in Qatar process and handle personal data.
Oman
Oman’s authorities reportedly continue work on their first standalone data protection law, which we understand is in the final stages of being drafted. We expect the law to be promulgated during the course of 2022, making Oman the last of the six Arab States of the Gulf Cooperation Council to do so.
Canada
In Canada, privacy laws are enacted at the federal and provincial/territorial level, and apply to private-sector entities, public-sector entities, and health information custodians. In 2021, there were notable legislative and policy developments to modernize and reform private-sector privacy legislation at both the federal and provincial levels, which will carry over into 2022:
Federal
The proposed federal private-sector privacy reform legislation, the Digital Charter Implementation Act, 2020 (“Bill C-11”), did not complete the legislative process and died on the order paper with the announcement of a September 2021 federal election. Although Bill C-11 attempted to address the various privacy issues stemming from the modern digital economy, the Office of the Privacy Commissioner of Canada (“OPC”) raised several concerns that the bill failed to provide adequate privacy protections for Canadians and would require significant amendments (e.g., weighing privacy rights and commercial interests, providing specific rights and obligations in relation to consent and accountability, providing effective means of access to quick and effective remedies, and defining the role of the OPC).
On December 9, 2021, the OPC issued a final annual report, which highlighted the government’s commitment to prioritise privacy legislative reform in an effort to ensure effective privacy protection, responsible innovation, and strengthened consumer trust. The annual report outlined the following key issues that will be considered when designing a modern private-sector privacy law: (i) defining permissible uses; (ii) the need for a rights-based framework; (iii) defining corporate accountability; (iv) the need for common, or at least similar, principles for the public and private sectors; (v) the need for interoperable laws both internationally and domestically; and (vi) the need for quick and effective remedies and the role of the OPC. Until such privacy reform legislation is re-introduced and enforced, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”), continues to govern privacy in the federal and provincial private sector, with the exception of provincially regulated organisations in the Provinces of Alberta, British Columbia, and Quebec.
Alberta
The Province of Alberta is considering privacy legislative reforms to strengthen privacy protections for Albertans and improve government services. In August 2021, the Ministry of Service Alberta concluded its public consultation for proposals to reform the province’s private-sector and public-sector privacy laws including: (i) establishing stronger transparency requirements such as mandatory reporting; (ii) enhancing the rights of Albertans to access and control their own privacy when interacting with government, other public bodies, and private sector organizations; (iii) establishing parameters and legal requirements for collecting, using, and disclosing data that has been de-identified; and (iv) enhancing oversight to ensure the Government of Alberta, public bodies, and/or private sector organizations will protect personal information and privacy as new technologies and/or digital business models are implemented. Until any such privacy reform legislation is introduced and enforced, Alberta’s current Personal Information Protection Act, SA 2003, c P-6.5 will continue to govern privacy in the province’s private-sector.
British Columbia
The Province of British Columbia (BC) is seeking to reform its private and public sector privacy legislation in an effort to ensure harmonisation with any federal efforts to modernise PIPEDA and introduce federal consumer privacy protection legislation. The BC Legislative Assembly appointed a Special Committee to review the province’s current private-sector legislation (Personal Information Protection Act, SBC 2003, c 63 (“BC PIPA”)). In December 2021, the Special Committee submitted a report to the BC Legislative Assembly on input and recommendations gathered from privacy stakeholders on modernising the BC PIPA, including introducing mandatory breach reporting requirements, updating consent requirements, and adding financial penalty provisions. Until any such privacy reform legislation is introduced and enforced, the BC PIPA will continue to govern privacy in the province’s private-sector.
Ontario
The Province of Ontario is seeking to introduce its own private-sector privacy legislation. In June 2021, the Ontario government released for public consultation a white paper seeking feedback on its proposals on the following topics: (i) a rights-based approach to privacy; (ii) safe use of automated decision making; (iii) thoughtful consent and lawful uses of personal data; (iv) data transparency for Ontarians; (v) protecting children and youth; (vi) a fair, proportionate and supportive regulatory regime; and (vii) support for Ontario businesses and innovators. In September 2021, the Information and Privacy Commissioner of Ontario, in response to these proposals, emphasised the need for a provincial-level privacy regime that is substantially similar to federal privacy legislation while also addressing regulatory gaps found under PIPEDA, which include a lack of privacy protections for provincially regulated employees in Ontario and the absence of privacy regulations for non-commercial activities (e.g. unions, charitable organisations, and professional associations). Until any such privacy reform legislation is introduced and enforced, PIPEDA will continue to govern privacy in the province’s private sector.
Quebec
On September 22, 2021, the Province of Quebec’s Bill 64 (An Act to modernize legislative provisions as regards the protection of personal information) received royal assent and will be entering into force in phases over the next three years. Until the provisions of Bill 64 enter into force, Quebec’s current private-sector legislation, the Act respecting the protection of personal information in the private sector (“CQLR c P-39.1”), will remain in effect. Bill 64 imposes new requirements on businesses and provides new rights for data subjects, including (but not limited to) enhanced consent requirements, data portability rights, data breach notification requirements, and the introduction of greater fines and administrative penalties.
From September 22, 2022, the following provisions of Bill 64 will be applicable for businesses: (i) requirement to appoint an internal privacy officer; (ii) requirement to notify Quebec’s privacy regulator, the Commission d’accès à l’information du Québec, of any data breach that presents a “risk of serious injury” to an individual; and (iii) right to disclose personal information without consent when it is necessary for the fulfilment of a commercial transaction or for scientific research purposes.
From September 22, 2023, the majority of the following provisions under Bill 64 will be applicable for businesses: (i) establish and implement data governance policies; (ii) perform privacy impact assessment before transferring personal information outside of Quebec; (iii) inform data subjects when automated decision-making and profiling technologies are being used; (iv) abide by enhanced consent requirements, including clear, free, and informed consent relating to a specified purpose and timeframe; (v) develop an external privacy policy in clear and plain language; (vi) implement “privacy by default” to products and services offered to the public; and (vii) destroy or anonymise personal information once the original purpose has been fulfilled.
From September 22, 2024, the “data portability” provision of Bill 64 will be effective, under which data subjects can request that a business disclose their personal information to another individual or business.
US
State privacy laws continue to develop, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA). Regarding California, although CPRA extended the sunset provisions for CCPA’s employee and B2B exemptions, without further action from the California State Legislature those exemptions are set to expire on January 1, 2023, at which point employee and B2B data will be subject to CCPA/CPRA in their entirety. As such, we anticipate that companies subject to CCPA/CPRA will want to spend some time this year expanding their CCPA/CPRA compliance program to cover employee and B2B data. Both CPRA and VCDPA come into effect on January 1, 2023, and CPA will follow shortly thereafter, coming into effect on July 1, 2023. With the effective dates getting closer, we expect companies will focus on complying with these state privacy laws during the course of this year, and companies will also begin preparing for the possibility that the privacy bills currently being considered in other states are passed. Meanwhile, we anticipate that members of the US Congress in both houses will continue their efforts to create a federal privacy act.
Ransomware and significant cybersecurity incidents continue to be on the rise, and pose significant risks, such as business interruption, customer churn, regulatory scrutiny, and liability claims. In the United States, there has been an increased focus by federal and state authorities and legislatures on privacy and data security. Many state data breach notice laws require companies to have reasonable safeguards in place to protect personal information. State regulatory authorities continue to investigate and bring enforcement actions after data security incidents, citing the relevant unauthorized access as indication that the security of personal information in place was insufficient.
The Federal Trade Commission (FTC) has focused on strengthening and enforcing existing rules, as well as introducing new rules related to safeguarding data, in light of the increased number of security incidents and data breaches, both domestic and international. The FTC also included “deceptive and manipulative conduct on the internet” as one of its key enforcement priorities published in September 2021, alongside “harm to children under 18” (which includes increased scrutiny for violations of the Children’s Online Privacy Protection Act) and “algorithmic and biometric bias.” Looking more broadly at a continually increasing and valuable use of data in support of artificial intelligence, the FTC has emphasized the importance of truth, fairness, and equity and the FTC’s enforcement of those principles.
Mexico
The Mexican Data Protection Regulator (“INAI”) has been very active in 2021, including by:
It is expected that the INAI will proceed along these lines in 2022.
Guidance and Recommendations
In 2021, the INAI published guidance and recommendations, notably on:
Enforcement
During 2021 the number of requests for access to information and protection of personal data submitted by data subjects to the INAI increased by 10.2% as compared to 2020. In addition, the INAI has confirmed that the USD 4.5 million in fines it imposed during 2021 derive from 83 new sanctioning procedures and 43 sanctioning procedures that were initiated in other years but resolved during 2020.
In addition, the INAI has confirmed that during 2020 there were a total of 278 Procedures for the Protection of Rights, of which 143 dealt with the right of Access to personal data, 19 with Rectification, 106 with Cancellation and 57 with Opposition to the processing of data. These numbers are complemented by the INAI’s previous confirmation that the rights most requested by data subjects were: (1) rights of access to medical records or medical history; (2) certificates of vaccination; (3) payroll receipts or proof of payment; (4) pension and retirement records; (5) specific documents containing personal information; and (6) the correction of data in the certificate of vaccination against the SARS-CoV-2 virus.
According to the INAI’s records, the most sanctioned activities, from highest to lowest, were: (1) financial services and insurance; (2) mass media information; and (3) health and social welfare. In most cases, the origin of such fines was: (1) the collection and/or transfer of personal data without the necessary consent; and (2) delivery of privacy notices that do not fully comply with the requirements under the law.
Brazil
The Brazilian Data Protection Law has been in force for more than one year, and administrative penalties have been enforceable since August 2021. Last year we saw a significant increase in the enforcement of the Brazilian Data Protection Law, not so much by the Brazilian Data Protection Authority but rather by consumer authorities and in civil, consumer and employment litigation. The Brazilian Data Protection Authority (ANPD) has been active in issuing regulations and liaising with other authorities, and has also been very active in cases of incidents involving personal data that need to be notified according to the law.
For 2022, we can expect significant developments. Data incidents will continue to be a high priority for the Authority, and we expect an increase in cybersecurity litigation, as the market matures and notifications get more frequent. We also expect that the volume of consumer, employment and civil litigation involving personal data will continue to increase. In terms of regulation, in 2022 the Brazilian Data Protection Authority is expected to regulate, according to the Regulatory Agenda published in 2021:
These regulations have been long awaited in Brazil and will provide much-needed guidance for controllers and processors involved in the processing of personal data in Brazil or collected in Brazil, in areas that are particularly unclear in the law.
Content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee similar outcomes. For more information, please visit: www.bakermckenzie.com/en/client-resource-disclaimer.
© Copyright 2006 – 2022 Law Business Research