International E-news - June 2011
- Qatar consults international privacy experts on innovative privacy law
- Peru: Congress approves DP Bill
- US aims for federal data breach law
- Ireland sees 350% increase in data breach notifications
Qatar has drafted a Personal Information Privacy Protection law and has invited views from a number of international experts including PLB. The law would apply to both private and public sectors, and to “electronic processing of personal information about an individual”. The proposed definition of 'personal information' extends to any information that can reasonably be linked to a specific individual, irrespective of whether that individual can be identified, thus covering location data. Views are sought on whether the law should include the principle of Privacy by Design by imposing an obligation to design and develop products, systems and services so that privacy protection is included from the outset. The idea of accountability has also been included. For example, organisations would need to appoint staff to be responsible for data protection and make sure that staff receive appropriate training.
Bill N° 4079/2009-PE, introduced in 2010, has now gained political momentum in Peru and was approved by the legislature on 7 June with 73 votes in favour and two abstentions. Based on EU standards, the bill protects personal data stored in public and private databases. The bill now needs to be signed by the new president-elect, who will be sworn in on 28 July. Companies such as Google and Yahoo have objected to the bill on the basis that it would threaten online businesses.
More about this subject in the next issue of PL&B International Report, to be published by the end of June.
Senator Patrick Leahy, a Democrat, introduced a Bill on 7 June to create a federal data breach notification duty and to replace the existing 47 state data breach laws.
The Personal Data Privacy and Security Act of 2011, co-sponsored by two other Democratic senators, would introduce criminal penalties for individuals who intentionally or wilfully conceal a security breach involving personal data when the breach causes economic damage to consumers. Failure to notify would incur a civil penalty of up to USD 1,000 per day, per individual and a maximum penalty of USD 1 million per violation.
The bill would also require companies to establish and implement internal policies to protect data privacy and security.
Read more about this topic in the July issue of PL&B International Report.
The Irish DP Commissioner, Billy Hawkes, reports that his office received 410 data breach notifications in 2010, which represents nearly a 350% increase from 2009. The Commissioner says, however, that ‘it can be assumed that the sudden increase reflects the more exacting demands placed on organisations by the Code of Practice rather than an increase in the absolute number of data breaches.’
Most notifications were received from the financial and health sectors, and mailing breaches (postal) were the most common.
Ireland is close to having a statutory Code of Practice, which would make reporting mandatory. The final version of the Code was published last summer, and sent to the Minister of Justice. The Code has not yet been given statutory effect.
Copyright Privacy Laws & Business 2011