Transformational changes in 2016



2016 has been marked by several transformational changes. The adoption of the EU Data Protection Regulation in April, after more than four years of negotiations, has dominated the year. A quarter of the time companies have to prepare before May 2018 has already passed. EU Member States are also working out the consequential national legislative or administrative amendments which are needed and considering the areas left to national discretion, such as in the employment area.

The Netherlands is the latest to announce a change of national law. The Ministry of Security and Justice published a draft Implementation Bill last Friday, 9 December. The Bill covers necessary amendments to national law including stronger powers for the national Data Protection Authority, the Autoriteit Persoonsgegevens. Other changes cover special categories of personal data, rights of data subjects and mandatory data breach notification (p.30).

France has already made legislative changes (pp.12-13) to permit collective (class) actions which could result in a significant increase in reputational risk for companies. In Germany, Bavaria is leading nine other Land (state) and city Data Protection Authorities across the country in a survey of companies’ transfers of personal data to countries outside the European Economic Area. A more thorough investigation may be needed in some cases. On this occasion, Hamburg, normally considered one of the DPAs in Germany most critical of companies, such as Facebook, is in the team but is not the captain.

There is a spectrum of approaches in Asian countries with South Korea having a strong data protection law and Myanmar and Cambodia taking their first steps. See our Top 21 compliance checklist for companies working to comply with privacy laws across the Asia region (p. 22).

Data protection laws are being adopted in several countries in Africa, as Laura Linkomies and I saw when we attended the Data Protection Commissioners’ International Conference in Morocco in October (pp. 15-17, 26-27). South Africa, after many years’ preparation, now has a five-member Information Regulator, whose members have been appointed with effect from 1 December (pp. 28-29).

The United Kingdom’s government and the new Information Commissioner, Elizabeth Denham, make it clear that the EU Data Protection Regulation will apply, despite the UK leaving the European Union (p.14).

The EU Data Protection Regulation will continue to cast its influence. This week the group of national Data Protection Authorities, the EU Art. 29 Data Protection Working Party, is expected to publish its guidance including on the role of Data Protection Officers (p.23).

Thank you for your continuing subscription. There is much to look forward to in 2017, Privacy Laws & Business’s 30th Anniversary year.

Regards,

Stewart Dresner, Publisher

International Report 144

Lead story:

China’s Cybersecurity Law – also a data privacy law?

The new provisions represent China’s most comprehensive and broadly applicable set of data privacy principles to date. Graham Greenleaf and Scott Livingston report.

Contents also include:

  • Comment: GDPR guidance
  • Elizabeth Denham: A bigger, bolder, brighter UK Commission
  • DPAs discuss privacy and digital education
  • Morocco prepares for Convention 108 and EU adequacy
  • South Africa’s Information Regulator commences duties
  • European Union court rules that IP addresses are personal data
  • Japan joins APEC Cross Border Privacy Rules – does it matter?
  • France expands DP rights for minors, consumers, and the dead
  • Top 21 compliance checklist for Asian privacy laws
  • FEDMA works on guidance for GDPR marketing provisions
  • Book Review: Data Ethics
  • Events Diary
  • Commonwealth DPAs meet
  • France allows for DP class actions
  • Privacy Shield faces challenge
  • German DPAs launch enquiry about international transfers
  • EU-level GDPR guidance imminent
  • Russia blocks LinkedIn
  • Fitness bands and connected toys breach Norway’s DP law
  • Brazil considers two privacy Bills
  • US broadband providers need permission to collect data
  • Netherlands publishes GDPR Bill
  • EU e-Privacy proposal in January