Conventional expectations challenged

Some privacy law developments in the last two months have challenged conventional expectations.

China enacted in August “a modern and sophisticated data privacy law influenced by many advanced aspects of the GDPR, and which in a few respects may be stronger than the GDPR” writes Graham Greenleaf, PL&B’s Asia-Pacific Editor.

The enactment of some privacy laws, such as the one in Saudi Arabia, a country without a foundation in a democratic society will no doubt, surprise many experts grounded in privacy law traditions. However, the advantage is that the government can and has adopted the new law quickly for commercial reasons, as its society is preparing for a future less reliant on oil. Despite this democratic deficit, the new law, enacted by Royal Decree in September, reflects some of the well-known principles, requirements and best practices in line with international data protection laws, such as the EU General Data Protection Regulation.

Quebec, Canada, with its Europe-based Civil Code legal tradition, last month adopted its new law which makes the claim to represent the Gold Standard for privacy in North America. It has not attracted the publicity surrounding California’s privacy law but it represents an important step forward for Canada where the moves to strengthen the federal privacy law have, for now, slowed to a halt.

Action on “creepy” function

Italy’s DPA, the Garante, is investigating smartphone apps which have their microphones always on, resulting in users being served advertisements for products and services related to their conversations. This “creepy” function may have been mentioned in the privacy policy, which most users accepted without reading the terms and conditions on their small screens. This is the exact opposite of the GDPR’s data protection by default. The Garante’s investigation is being strengthened by its collaboration with the Special Privacy and Technological Fraud Unit of the Guardia di Finanza, the uniformed Financial Police with offices throughout Italy.

This “creepy” function is obviously not limited to Italy. Will the Garante’s investigation lead to action by the European Data Protection Board? Inevitably, the national DPAs have different views on how strongly the GDPR should be enforced. Will the EDPB be able to harmonise their enforcement policy on this issue, as it is trying with the One-Stop-Shop and cookie banners?

Switzerland and the UK risk their EU adequacy status

Switzerland is not a member of the EU. But it has developed its new data protection law so that it is similar in many respects to the GDPR (PL&B International Report October 2020). Until now, it has pursued a policy on the EU-US Safe Harbor and then the EU-US Privacy Shield closely aligned, essentially identical to the EU. The Swiss Federal government is now assessing the option of pursuing its own path to address adequacy with the US. However, there is a risk that the EU will not be pleased that Switzerland is essentially breaking away from the European norm. If so, the Swiss government will have to balance the risk to its business relations with its EU neighbours with potentially the advantage of enhancing its trading links with the US.

I can see a parallel pattern of intent between Switzerland and the United Kingdom. The UK has a declared plan to negotiate new trade agreements, including data adequacy partnerships with many countries, including India, which does not yet have an internationally recognised privacy law. This policy might risk the UK’s hard-won adequacy agreement with the EU. The UK government, conscious of this risk, is compensating by building data policy relationships in different fora, such as the OECD, the G20 and the G7.

We at Privacy Laws & Business have now completed a full year of organising webinars and nearly 18 months of podcasts. We will continue with online events. Our next one is on 9 November Navigating the Labyrinth of US Privacy Laws: Building a Compliance Program and we hope to resume live events in London in February and Cambridge in July next year where we look forward to meeting you in person.

Best regards,

Stewart Dresner, Publisher


International Report 173

Lead stories:

Saudi Arabia issues its first standalone data protection law

The law will take effect on 23 March 2022, 180 days after its adoption. There will then be a one year grace period to comply. By Dino Wilkinson and Masha Ooijevaar of Clyde & Co.

Spain lives up to its reputation as a tough enforcer

Rafael García del Poyo, Roger Segarra and Samuel Martínez of Osborne Clarke Spain analyse the DPA’s enforcement activity before and after the GDPR.

Click for full contents list