Engage with the laws, assess their impact, avoid complaints

We welcome as writers for this edition the Director of Argentina’s Data Protection Authority (DPA) on his country’s draft law (p.1), the Head of the International Department at Israel’s ILITA (DPA) on the newly adopted data security regulations (p.27), and we quote from an address by South Africa’s new Regulator on her priorities (p.23). Nathalie Metallinos, a Paris-based lawyer, gives us the highlights from the CNIL’s annual report press conference (p.22) and Dr Hiroshi Miyashita reports from Tokyo on a landmark case, decided by Japan’s Supreme Court, on the balance between surveillance and privacy in the context of Global Positioning Systems (p.24).

Professor Graham Greenleaf, PL&B’s Asia-Pacific Editor, not only reviews the first comprehensive book on privacy laws in Africa (p.25) but also completes his two part marathon survey by describing the Data Protection Authorities’ international networks (pp. 14-17) and provides us with a table of the annual score of data protection laws adopted from 1973 to 2016 (p.18).

The Council of Europe as a safety net

We are nearly at the half way stage between the adoption last April of the EU Data Protection Regulation (GDPR) and it applying from May next year. This edition covers plans to implement it in France, Poland and Spain (pp. 22 and 26). The United Kingdom, having voted in a referendum last June to leave the European Union, is in the uncomfortable position of having to apply it from May next year, just like the other 27 Member States. But for how long? Dr David Erdos discusses the meaning of “essentially equivalent” in the post-Brexit context (p.11). Will the UK Prime Minister’s statement about shared European values be sustained by action or be seen as mere rhetoric if the UK withdraws from the Court of Justice of the European Union and the EU Charter of Fundamental Rights? Alternatively, will the UK’s adherence to the Council of Europe conventions provide an “essentially equivalent” safety net?

California’s influential data breach law

Although the new US Administration is widely seen as negative on privacy at the federal level, much legislation favourable to privacy is quietly moving forward at the state level (pp. 6-7). This trend could be influential in the future. For example, while the federal level EU-US Safe Harbor program has now disappeared, the data breach law first adopted in California in 2002, has now been largely copied by almost all of the other 49 states. It has also been influential in the drafting of the GDPR and laws and regulations in many other countries. Although a tiny sub-set of the GDPR requirements, regulators like this legal duty because it attracts consumer and employee interest, it gives organisations practical tasks to do, and it links with the well-resourced cyber security function, although managers complain that the required notification timetable is too short.

The working and survival of the EU-US Privacy Shield (p.1) understandably attracts much attention. We provide helpful tips on managing your Privacy Shield program (p.4). There have been no substantive complaints so far (p. 4) but I expect that privacy advocates will test the new system.

How to avoid privacy complaints

While on the subject of complaints, an important article in your April edition is on the practical management issue of how to avoid complaints escalating to a privacy regulator (p.8). As privacy law is as much about protecting or enhancing your reputation as about compliance with the law, you will find practical advice on how you can help your organisation stay out of the regulators’ spotlight.

I am delighted that several of our writers in this edition, Bob Belair (pp. 6-7), Dr David Erdos (p.11), Javier Samaniego (p.26) and Professor Graham Greenleaf (pp. 14-18, 25), will be speakers at Promoting Privacy with Innovation, Privacy Laws & Business’s 30th Anniversary Conference, 3-5 July at St. John’s College, Cambridge where they, Laura Linkomies, Editor (pp.1-5, 12-13) and I will be pleased to meet you. The current list of 46 speakers from 16 countries and their subjects are available on the link above. 


Stewart Dresner, Publisher

International Report 146

Lead story:

Privacy Shield up and running and surviving initial hurdles

The EU-US Privacy Shield is valid for now but a DPA assessment is due in September. In the meantime, US-based companies are self-certifying and DPAs are preparing to deal with complaints. By Laura Linkomies and Stewart Dresner.

Contents also include:

  • Comment: GDPR’s influence grows
  • DP in the Nordic countries
  • CNIL: ‘En marche’ for the GDPR
  • South Africa gets ready to enforce DP and FOI Acts
  • Japan’s Supreme Court rules on GPS tracking without a warrant
  • An essentially equivalent post-Brexit future for UK and GDPR
  • DPAs’ international networks
  • Data Privacy Laws 1973-2016
  • Personal information under Australian privacy law
  • US States active on privacy issues
  • How to avoid complaints escalating to a privacy regulator
  • Events Diary
  • Book Review: African Data Privacy Laws
  • Call for Privacy Shield annulment
  • Attributes of effective DPAs
  • Mexico’s public sector DP law
  • Google and Microsoft top study
  • DPA 2018 conference in Brussels
  • EU and Japan to discuss adequacy
  • Italy issues EU record fines
  • Poland issues draft GDPR law
  • Spain prepares for GDPR
  • France’s DPA GDPR advice
  • EDPS: Don’t interfere with GDPR
  • Albrecht: Tweak e-Privacy draft
  • Israel’s data security regulations