Since its entry into force in May 2018, the GDPR has had a significant impact on data protection policy and enforcement beyond the EU. This review by Ius Laboris lawyers in 24 jurisdictions examines GDPR-related legal developments, decisions and harmonisation trends outside the EU.
By Anastasia Petrova, ALRUD Law Firm
The General Data Protection Regulation (GDPR) celebrated its first anniversary on 25 May 2019. The first wave of decisions and fines has now been issued by a number of EU DPAs and it is interesting to examine the effects of the GDPR outside the EU.
The GDPR aims to protect the personal data of individuals in the EU; however, its impact goes far beyond the EU. In particular, if processing of personal data by a non-EU controller or processor is carried out in the context of the activities of an establishment of the controller or processor in the EU, the GDPR will apply. The GDPR also applies in certain cases where personal data of data subjects located in the EU is processed by a controller or processor that is not established in the EU.
Since the GDPR sets out high fines (up to EUR 20 million or 4% of total worldwide annual turnover), non-EU organisations that meet the criteria above have also become concerned with ensuring compliance with the new rules.
More than a year on, the GDPR has had varying effects in different countries: there are certain cases of GDPR enforcement outside the EU; some countries have incorporated GDPR provisions into their national legislation and/or obtained binding national DPA clarifications regarding the applicability of the GDPR; some have attempted to regulate data processing rules based on international treaties; while others have maintained a wait-and-see attitude, taking no further steps towards harmonisation of national legislation with the GDPR. These and other questions are discussed below, on a country-by-country basis.
By Verónica Puerta Basaldúa, Funes de Rioja
The country has begun a legislative process to update the national data protection regime as a result of the enactment of the GDPR. The Congress is currently analysing a reform of Act 25326 on Data Protection and other related regulations. In January 2019, a new Resolution was passed on recommended practices for access to private data, including protection of biometric data, forms of consent to personal data processing and access to databases, among other topics.
By Nick O’Connell, Al Tamimi & Company
Bahrain’s Personal Data Protection Law (Law No. 30 of 2018) came into force on 1 August 2019, 12 months after its publication in the official gazette. The law is based on a draft produced more than ten years ago, and does not specifically contemplate GDPR. Whether Bahrain will seek to revise this new legislation to be more aligned to GDPR is unclear, but would seem unlikely at this stage.
While many companies active in Bahrain are seeking to comply with the requirements set out in the Personal Data Protection Law, the fact that associated Regulations have not yet been issued makes this difficult. For the moment, and noting our comments below regarding criminal offences, the fact that the Data Protection Authority contemplated in the law has not yet been established provides some comfort in terms of the low practical risk of enforcement.
The Personal Data Protection Law criminalises a variety of acts that would, at most, be the subject of administrative penalties under data protection laws elsewhere. Penalties generally comprise up to one year in prison and/or a fine of between BHD 1,000 and BHD 20,000 (between about USD 2,600 and about USD 53,000), or a fine only in the case of corporate entities. The following are examples of activities that attract criminal penalties under the Law:
- processing sensitive personal data in violation of the provision specifying requirements for processing sensitive personal data;
- transferring personal data outside Bahrain contrary to the provisions specifying requirements for transfers to jurisdictions that provide an adequate level of data protection, and associated exceptions;
- processing personal data without notifying the Authority in accordance with the provision that sets out the obligation to notify the Authority before commencing any data processing activities (except where certain exceptions apply), or failing to update such notification to the Authority;
- processing personal data contrary to the provision that requires prior authorisation from the Authority before processing personal data in certain circumstances;
- providing false or misleading information to the Authority or to a data subject, or withholding relevant information from the Authority, or otherwise hindering the Authority’s work; and
- disclosing any data or information accessed due to work, or using the same for own benefit or for the benefit of others unreasonably and in violation of the provisions of this law.
The Personal Data Protection Law does not specifically provide for data breach notification obligations (either to affected individuals or to the Data Protection Authority), although it is possible that requirements of this nature could be introduced when the Regulations are issued. Otherwise, loss or damage arising out of such events could be captured under other Bahrain law provisions, such as those providing for remedy where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
By Adriana Fernandes Rollo, Denise Louzano, Juliana Assi & Fábio Pereira, Veirano Advogados
Compared to Europe, where the first data protection laws were created decades ago, Brazil has only recently joined comprehensive discussions on data protection regulation, more precisely in 2009. Until then, the Brazilian data protection regulatory framework was sector-based and primarily regulated by the country’s Civil Rights Framework for the Internet (Internet Act) and Consumer Protection Code, among others.
The text of the GDPR approved on 14 April 2016 has deeply influenced the Brazilian initiatives on the creation of specific data protection legislation and consequently inspired the text of the Brazilian General Data Protection Law (LGPD or Law 13.709/18), which was signed into law on 14 August 2018 and will come into force in August 2020.
The legislation replicates key points of the European regulation, following the worldwide trend towards strengthening personal data protection, guaranteeing a series of rights to data subjects, as well as imposing important obligations and relevant penalties on processing agents. However, it also contains some particularities adapted to Brazil. For example, any consent obtained must be specific and data subjects can withdraw their consent at any time. Moreover, the Brazilian law creates ten legal bases allowing the processing of personal data, four more than the European legislation. These include performance of a contract, legitimate interests, legal basis for processing and the protection of credit. This last one is very specifically adapted to the needs of the credit sector in Brazil. This specific provision might suggest that the application of the LGPD can be more flexible in Brazil than what has been established in Europe.
On the other hand, similarly to the GDPR, the Brazilian law regulates controllers and processors of personal data and establishes the principle of extraterritoriality, that is, the Law also applies to processors based outside Brazil that treat data collected in Brazilian territory or offer goods or services to individuals located in Brazil, regardless of where the organisation is based.
Furthermore, the consequences of non-compliance with the LGPD can be just as severe as non-compliance with the GDPR. While EU enforcers can issue fines worth 4% of global revenue, Brazil's regime allows fines of up to 2% of Brazilian revenues, capped at BRL 50 million (approximately USD 13 million or EUR 11,395,140) per infraction.
Regarding enforcement, Law No. 13,853/2019 established the creation of the National Data Protection Authority (‘NDPA’), which, among other powers, has the authority to:
- regulate data protection and privacy matters;
- impose administrative sanctions in the event of breach of the LGPD provisions;
- propose guidelines for the creation of the National Policy for the Protection of Personal Data.
Since the LGPD is recent, controllers and processors still lack appropriate technology systems, data governance mechanisms, and ways to allow data subjects to exercise their rights. For this reason, organisations are now implementing measures to guarantee compliance with the GDPR and the LGPD when it comes into force, but there is still much more to do.
At the time of writing, there is no record of any Brazilian company facing GDPR enforcement, perhaps due to lack of supervision while the country is still adapting to this new regulatory scenario. Expectations are that when the NDPA is properly established and operating, organisations will face closer supervision and sanctions will be imposed on non-compliant organisations to guarantee the efficacy of data protection regulations.
By Tracy Zhu, Fangda Partners
The GDPR has been drawing the attention of various Chinese companies and the regulators since 2018 for the following reasons:
- the magnitude of fines that can be imposed for violations of its provisions;
- its extra-territorial reach to organisations that are outside the EEA but collect and process personal data of data subjects in the EEA; and
- it is seen by Chinese regulators as a good example of comprehensive legislation on personal data protection.
Unlike Japan, South Korea, Thailand or other countries in APAC where the GDPR is used as a benchmark for reviewing current legal regimes on personal data protection, the Chinese authorities do not recognise the direct application of such a foreign law but instead use the GDPR as a reference for the developing data protection regime in China. In 2018 and the first half of 2019, prompted by the record-breaking fines imposed in a few headline enforcement actions in the EU, the national standard committee (TC260) and some research institutions respectively published white papers commissioned by the Chinese authorities, providing guidance to Chinese organisations on complying with the GDPR, particularly where they have business in the EU or offer services globally, including to data subjects in the EU.
To catch up with the trend of increasing transparency of personal data processing activities, China has launched a few nationwide law enforcement initiatives and campaigns focusing on privacy notices and curbing certain privacy practices such as bundled or forced consent. While there is no accountability principle in the Chinese Cyber Security Law, the way the authorities approach organisations that are in violation of personal data protection laws in China is similar to the GDPR, in the sense that the authorities require those organisations to provide evidence of their compliance with the laws.
The GDPR also sheds light on how to interpret the fundamental principles of data protection, particularly through the European Data Protection Board’s guidelines and clarifications. National standards on data protection and cyber security are multiplying in China. These include various principles and requirements drawn from the GDPR, such as data protection by design and by default, data protection impact assessments, vendor due diligence and more.
China is neither a signatory to Convention 108 nor a participating member of any regional cross-border data transfer regime such as CBPR. For the past two years, China has been working on its cross-border data transfer regime and the Chinese authorities are also seeking inspiration from the GDPR.
While Chinese companies have not yet received any fines from DPAs in the EU, after the way Facebook monetised data was exposed in various incidents, and in view of DPAs’ focus on GAFA (Google, Amazon, Facebook and Apple), Chinese companies are mindful of personal data protection, particularly where data subjects in the EU are concerned. Where Chinese organisations have operations in the EU and local employees’ data is transferred back to headquarters in China, these organisations would also need to consider compliance with the GDPR.
By Nick O’Connell, Al Tamimi & Company
Some recent media reports have indicated that the Egyptian parliament has approved a draft data protection law. It seems that these reports are not quite accurate, and should have simply reported that a draft data protection law has been reviewed by a parliamentary committee. It is unclear whether the draft law has been prepared with GDPR in mind. At this very early stage of the legislative process, there is a high likelihood that the draft will undergo amendments.
In the absence of a modern data protection law, there are other Egyptian law considerations that could be material in the context of considering personal data processing activities, either in an HR context or more broadly. These range from general provisions protecting privacy or providing for remedies where someone causes damage to another, through to specific provisions in the anti-cybercrime legislation that could be material in the context of data processing activities.
Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
By Kathryn Weaver, Lewis Silkin
As Hong Kong is home to many EU and UK headquartered companies, GDPR compliance has remained a hot topic notwithstanding the geographic distance between these jurisdictions. The Hong Kong Privacy Commissioner for Personal Data (‘PCPD’) has also publicly encouraged Hong Kong businesses to adopt standards more in line with those required by the GDPR, and has flagged that changes to Hong Kong’s data privacy laws are highly likely in order to bring the regime in line with EU requirements.
Until Hong Kong’s data protection laws are updated, however, the GDPR remains a much more onerous regime to comply with. The relative lack of teeth of the Hong Kong laws was highlighted by the recent and widely publicised data breach by Cathay Pacific Airways (‘Cathay’).
On 6 June 2019, the Office of the PCPD published the results of its investigation into the data breach incident by Cathay. This breach was discovered by Cathay in March 2018 but only self-reported to the PCPD in October 2018. No penalties were imposed for the breach, which involved the personal data of 9.4 million passengers and registered users of Cathay’s website from over 260 locations globally. Instead, Cathay was given six months to take remedial actions specified in an enforcement notice.
Under the Personal Data (Privacy) Ordinance (‘PDPO’), Cathay will face a financial penalty if it fails to carry out these remedial measures. The maximum penalty on first conviction is only a fine of HKD 50,000, although imprisonment for two years is also possible. If non-compliance continues after the initial conviction, there will be a daily penalty of up to HKD 1,000.
This is obviously a far lesser sanction than would have been imposed under the GDPR. The enforcement notice does not deal with Cathay’s delay in reporting the breach, as there are no mandatory breach notification requirements in Hong Kong, although best practice recommendations in this regard are contained in a guidance note issued by the PCPD. In contrast, the GDPR requires certain types of personal data breach to be reported to the relevant supervisory authority within 72 hours after a data controller becomes aware of the breach. A failure to do so may attract a fine of up to the higher of EUR 10 million or 2% of global turnover.
However, as Cathay does market its products and services to EU citizens, it is possible that it will face action from an EU regulator and it will be interesting to compare the consequences which arise as a result of the same data breach incident.
It is expected that Hong Kong is headed towards an overhaul of its PDPO following this and other recent high profile personal data breach incidents. Comments made by the PCPD in the Cathay enforcement notice in relation to the principle of accountability are potentially significant. This principle is incorporated into the GDPR and includes requirements to compile personal data inventories and to report data breaches. The PCPD stated that although the principle of accountability is yet to be provided for in the law of Hong Kong, businesses in Hong Kong should be well poised to adopt proactive data management measures now. We agree that the adoption of proactive measures is a sensible strategy. This will not only ensure that a business is better prepared for any future changes to the regime in Hong Kong, but may help to prevent enforcement action in other jurisdictions where the principle of accountability is already enshrined.
By Nick O’Connell, Al Tamimi & Company
There is currently no modern data protection law in Iraq, and there is accordingly no Data Protection Authority. There are Iraqi law considerations that could be material in the context of considering personal data processing activities, either in an HR context or more broadly. These have not been prepared with GDPR in mind. They include general provisions protecting privacy and provisions providing for remedies where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
By Ariel Yosefi, Herzog, Fox & Neeman
The GDPR has significantly affected the Israeli regulatory environment in five main aspects; some are direct while the others are indirect.
1. In most cases, Israeli companies with a local operational presence in the EU or with a remote offering that is directed to the EU are subject to the GDPR’s territorial or extraterritorial reach. Consequently, such companies have been working on complying with the GDPR’s requirements in the past two years.
2. While in many cases local Israeli branches of multinational companies are not directly subject to the GDPR, as their employees and operations are focused on the Israeli market, these companies have been required to comply with global data protection policies which have been adopted by their global management, effectively requiring them to comply with many material aspects of the GDPR.
3. Similarly, Israeli service providers that process personal information of EU-based data controllers are subject to contractual requirements applying the material GDPR requirements, even when these service providers are not directly subject to the GDPR.
4. Israel has been recognised by the European Commission as an adequate jurisdiction for processing personal information, which allows a straightforward movement of personal data between controllers and processors in both jurisdictions. This recognition was adopted pursuant to the previous data protection regime in the EU, and while it continues to apply under the current regime, there are public discussions among regulators and scholars regarding the possibility of losing this important recognition when it is re-reviewed by the EU, considering the significant developments in the regulatory environment in the EU, with which Israeli law has not fully caught up.
5. The GDPR introduced an updated and significantly more comprehensive data protection regulatory regime, which has to some extent affected the legislative review of the regime in Israel, as well as the regulatory approach. The GDPR indirectly affected the enactment of the Israeli Protection of Privacy (Data Security) Regulations in 2017, which entered into force at the same time as the GDPR and adopted requirements that are partially similar to the GDPR’s in some aspects, mainly data security and data processing management. The global effect of the GDPR has also indirectly affected the Israeli Data Protection Authority in its regulatory approach with respect to the enforcement of the new Regulations, as well as in enhancing its collaboration with EU-based data protection authorities in the context of GDPR enforcement against Israel-based companies that are subject to the GDPR’s territorial or extraterritorial reach.
By Nick O’Connell, Al Tamimi & Company
A draft data protection law has been under consideration by the Jordanian parliament for a number of years. It is unclear whether the draft law has been prepared with GDPR in mind, and the likely timeframe for it to become law is unclear.
There is no modern data protection law in Jordan, and there is accordingly no Data Protection Authority. There are Jordanian law considerations that could be material in the context of considering personal data processing activities, either in an HR context or more broadly. These include general provisions protecting privacy and provisions providing for remedies where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
By Yekaterina Khamidullina, AEQUITAS Law Firm
The Enhanced Partnership and Cooperation Agreement (the ‘Agreement’) between the European Union and its member states and the Republic of Kazakhstan was signed on 21 December 2015. The Agreement was ratified by Kazakhstan on 25 March 2016 and has been provisionally applied since 1 May 2016 according to a verbal statement from the European Union. Pursuant to Article 237 of the Agreement:
‘The Parties shall cooperate in order to ensure a high level of protection of personal data, through the exchange of best practices and experience, taking into account European and international legal instruments and standards. This may include, where appropriate and subject to applicable procedures, accession to, and implementation of, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its additional Protocol by the Republic of Kazakhstan’ (‘Convention 108’).
As of September 2019, Kazakhstan has not yet acceded to Convention 108.
In 2018 and 2019, the issues around implementing GDPR standards were actively discussed by legal advisors, representatives of business, governmental authorities and the media at various conferences and seminars, and a huge number of articles were published on this issue.
During these discussions, representatives of governmental authorities, including the Deputy Chairman of the Information Security Committee of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan, often mentioned the difficulty of pursuing violations of personal data legislation and the great number of gaps in Kazakhstan’s Law on Personal Data and Protection Thereof (‘Data Protection Law’), as well as the absence of a single authorised governmental agency on personal data protection (the role of which could include studying international best practice on personal data protection and introducing these practices in Kazakhstan).
Kazakhstan’s legal databases contain a file with a draft Law on ‘the Introduction of Amendments into Certain Legislative Acts of the Republic of Kazakhstan on the Issues of Digital Technologies Regulation’ (the ‘Draft Law File’). As of August 2019, the Draft Law File provides for the introduction of amendments into a great number of laws and codes of Kazakhstan, including into the Data Protection Law. The Draft Law File contains references to the GDPR as the examined international practice. According to the Draft Law File, an authorised governmental agency dealing with personal data issues has been proposed.
In view of the above, we believe that in the years to come, Kazakhstan will gradually work on harmonisation of the national rules on personal data protection with GDPR standards.
To date, no Kazakhstan companies have faced GDPR enforcement.
By Nick O’Connell, Al Tamimi & Company
There is currently no modern data protection law in Kuwait, and there is accordingly no Data Protection Authority. There are Kuwait law considerations that could be material in the context of considering personal data processing activities, either in an HR context or more broadly. These have not been prepared with GDPR in mind. Of specific relevance is the Electronic Transactions Law (Law No. 20 of 2014), which includes the following:
‘Other than in cases set forth by law, state bodies, authorities, public institutions, companies or non-state bodies or those working therein shall not have the right to peruse, disclose, or publish any data or personal information registered in the electronic processing records or systems pertaining to the professional affairs or social status, medical status, or financial dues of persons or other personal information registered at one of the bodies stated therein unless by the consent of the person to whom such information or data are related. Further, the bodies stated above shall set forth the necessary procedure for protecting the personal information and data from loss, damage, disclosure or invalid information or providing invalid information. In addition, the aforementioned bodies shall be bound to state the purpose for collecting the data and the collection of the data should be within the limits of such purpose.’
Additionally, there are general provisions in Kuwaiti law protecting privacy and providing for remedies where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
By Teresa Espinosa, Basham, Ringe y Correa
Both before the GDPR became enforceable and since then, many companies in Mexico have worried about their compliance with data protection legislation, not only with regard to the GDPR but also with local laws, as the intense media coverage that accompanied the GDPR created alarm in Mexico.
As a result of many changes in organisations’ compliance programmes and data protection practices worldwide, subsidiaries in Mexico had to adapt to new processes or practices implemented by their parent companies, even if it meant setting higher standards of data protection than those set out in Mexican laws.
Additionally, companies in Mexico that do business in the EU or that offer their services and goods there, and also companies that do not directly do business in the EU, were first interested in finding out to what extent, or if at all, the GDPR would apply to them.
To dispel doubts, various forums and events were held in the country, mainly in Mexico City, where the extra-territorial scope of application of the GDPR was a trending topic of debate, as there was a lot of confusion on the subject.
Even though some companies are still adapting to the GDPR, especially as they deal with new European clients, providers or individuals, there seems to be more awareness regarding its applicability and the obligations set out in the GDPR.
On the legislative side, it is expected that the Mexican data protection legal framework will be amended to resemble the GDPR or to include certain concepts and obligations that are not currently regulated in the country. A couple of topics that could change are the inclusion of the concept of ‘legitimate interest’, as in Mexico consent is the only legal ground for processing data, and the need to require opt-in consent for marketing activities.
Unfortunately, however, it is uncertain when data protection legislation will be amended, as it does not seem a pressing matter for the current (new) Government and administration.
By Claude A. Lenth, Hjort
Although not a member of the EU, Norway is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA agreement and became applicable in Norway on 20 July 2018. Norway is thus bound by the GDPR in the same manner as EU Member States.
In preparation for the GDPR, large areas of Norwegian law underwent a thorough review, and legislative changes were made as needed. This included the implementation of a new Privacy Act, and technical changes to the legislation relating to camera monitoring in the workplace and access to employees’ emails. Section 6 of the Privacy Act (the equivalent of GDPR Article 88(1)) gives employers the right to process special categories of personal data if it is necessary for carrying out the employer’s or employee’s obligations or rights in the employment field.
By Nick O’Connell, Al Tamimi & Company
There is currently no modern data protection law in Oman, and there is accordingly no Data Protection Authority. There are Oman law considerations that could be material in the context of considering personal data processing activities, either in an HR context or more broadly. Of specific relevance is the Electronic Transactions Law (Royal Decree 69/2008), which prohibits data processing that prejudices the data subject’s rights, and which introduces security considerations applicable when transferring personal data abroad. Additionally, there are general provisions in Omani law protecting privacy and providing for remedies where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
By Mario Adolfo Rognoi, Arosemena, Noriega & Contreras
With the implementation of the GDPR, many multinational companies from EU countries with branches or subsidiaries in Panama, and companies established in Panama with European clients, have adjusted their privacy policies in order to comply with GDPR standards.
In line with GDPR standards, Panama enacted Law 81 of 26 March 2019, regulating Personal Data Protection (‘Law 81’), which will enter into effect on 29 March 2021. Before the enactment of Law 81, there were no specific rules protecting personal data beyond the general principles contained in the Political Constitution, which state that private mail and documents cannot be examined except with the owners' consent or by virtue of a court order for specific purposes in accordance with the law. Moreover, Panama has not signed any treaty aimed at harmonisation with GDPR standards.
Pursuant to Law 81, holders of personal data have the following inalienable rights, without affecting any other legal rights:
- the right to obtain his or her personal data stored or processed in a public or private institution database;
- the right to request the correction of personal data that is incorrect, incomplete, irrelevant, outdated, inaccurate, false or impertinent;
- the right to request the elimination of personal data that is incorrect, incomplete, irrelevant, outdated, inaccurate, false or impertinent;
- the right, with sound and legitimate reasons related to a particular situation, to refuse to provide personal data or to permit that data be subject to certain treatment, as well as the right to revoke consent; and
- the right to obtain a copy of personal data in a structured, commonly used generic format that permits the data to be processed by different systems and/or transmitted to another responsible party.
In addition to the above, it is worth noting that Law 81 protects employees’ personal data. As a result, employers may only collect and process confidential employee information with the employee’s consent.
To the best of our knowledge, no Panamanian organisations have been fined and no complaints have been filed against Panamanian organisations for GDPR data breaches.
Peru
By Carol Quiroz, Estudio Olaechea
Peru has had a data privacy legal framework since 2011: the Peruvian Data Privacy Law, Nº 29733 (the ‘Law’), was published on 4 July 2011, and its implementing Regulations were published on 22 March 2013 (amended in 2017). Both entered fully into force in May 2013, so all the provisions of both the Law and the Regulations are mandatory for any individual or legal entity that processes personal information of individuals in Peru.
The purpose of both the Law and the Regulations is to ensure the fundamental right to protection of personal data set forth in paragraph 6 of Article 2 of the Peruvian Constitution, in order to guarantee its appropriate processing, so that respect for other fundamental rights is also assured.
The Peruvian Data Protection Authority (the ‘Peruvian DPA’) has been aware of the entry into force of the European GDPR, as it is one of the most important data protection reforms in recent years. Indeed, on 4 September 2018, almost four months after it came into force, the Peruvian DPA issued Advisory Opinion N° 46-2018-JUS/DGTAIPD, expressly analysing the applicability of the GDPR in Peruvian territory.
In this Advisory Opinion the Peruvian DPA stated:
‘1. The GDPR will be applicable when the processing of personal data of residents of the European Union is carried out in this territory or within the framework of the activities of a branch in the European Union.
2. The GDPR does not apply when European Union residents’ personal data is processed in Peru.
3. Considering the sovereignty of the Peruvian State, the processing of personal data treated in Peru is subject to the provisions of Law N° 29733, Law on Protection of Personal Data, and its Regulations.
4. If a legal entity, whose main domicile is Peru, has a branch or headquarters in the European Union, it must comply with the regulations of such territory, within the processing activities carried out in it.’
Therefore, the Peruvian DPA is conscious of the application of the GDPR provisions, although local regulations have prevailed. An example of this is that investigations into the processing of personal information on the Internet (web pages and platforms) have intensified, since the Law is extensive enough to include any type of processing. From our experience in the procedures regarding data processing, it has come to our knowledge that the Peruvian Authority uses the criteria applied by the Spanish Data Protection Authority as a first reference, so it is expected that in practice (using the investigation faculties granted by the Law), the authority will raise the standards of protection until an internal reform is enacted.
Finally, please note that Peruvian Law includes the following guiding principles:
- Personal information can only be processed with free, prior, informed, express and unequivocal consent (through ordinary or electronic means).
- The consent document must contain all the information regarding the collection and processing of data, data importers and cross-border flows of data.
- Express consent is only valid if the data subject can choose between an ‘Accept’ or ‘Reject’ option.
- Data collectors and data processors must adopt adequate technical, organisational and legal measures to ensure the security of the information and to prevent its alteration, loss, unauthorised processing or unauthorised access.
- Processors and sub-processors must guarantee adequate security measures.
- ARCO (access, rectification, cancellation and opposition) rights are guaranteed and any act or omission that contravenes or fails to comply with the provisions of the Law constitutes a punishable infraction.
- Administrative fines can be imposed for minor, serious or very serious infractions. Fines range from approximately USD 640 to USD 130,000, depending on the infraction.
Qatar
By Nick O’Connell, Al Tamimi & Company
Qatar’s Data Protection Law (Law 13 of 2016) came into effect in 2016. It was not drafted with GDPR in mind. The Data Protection Authority contemplated in the law has not yet been established, nor have the associated Regulations been issued.
Under the Data Protection Law, processors have an unqualified obligation to notify data controllers of breach-type events, whereas there is a materiality threshold (‘serious damage’) beyond which data controllers are required to notify data subjects and the Data Protection Authority. Associated penalties include fines of up to QAR 5,000,000 (approximately USD 1.4 million) for processors failing to notify and up to QAR 1,000,000 (approximately USD 275,000) for data controllers failing to notify.
Otherwise, loss or damage arising out of such events could be captured under other Qatar law provisions, such as those providing for remedy where someone causes damage to another. Depending on the circumstances of a data breach (and in the absence of a Data Protection Authority as contemplated in the Data Protection Law), it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
Separate to the generally applicable Data Protection Law, a licensing authority in Qatar, the Qatar Financial Centre, has a modern data protection law applicable to entities licensed by it. The QFC Data Protection Regulation 2005 was not prepared with GDPR in mind, although it bears some similarity to the European Data Protection Directive 95/46. It is unclear whether it is currently being reviewed in order to make it more consistent with GDPR.
Russia
By Anastasia Petrova, ALRUD Law Firm
Since many Russian companies have branch or representative offices or subsidiaries in the EU or in target European markets, ensuring compliance with the GDPR has been quite a hot topic in Russia during the past year. In particular, this concern was expressed by, among others, e-commerce companies, banks, carriers, telecoms operators and social networks.
At first, the Russian DPA was sceptical about the GDPR’s applicability to Russian entities and there is still no national legislation implementing GDPR requirements. However, eventually the Russian DPA issued brief practical guidance regarding territorial applicability of the GDPR, intended to instruct Russian companies on GDPR compliance.
Further, on 10 October 2018 Russia signed the protocol modernising the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). As a party to Convention 108, Russia will have to incorporate the amendments under the protocol and ensure their proper enforcement.
The protocol significantly increases the level of data protection and specifies principles and requirements already implemented in the GDPR. In this sense, incorporation of the protocol’s provisions into national legislation will be a step forward in harmonising Russian data protection legislation with European legislation. Potential novelties in Russian data protection legislation include an obligation to notify data breaches, the roles of data processor and data recipient, new categories of sensitive data and a ‘privacy by design’ principle.
At the moment Russian companies have not faced GDPR enforcement. However, in August 2018, Belarusian citizen Christian Shinkevich filed a complaint against the well-known Russian social network Vkontakte to the Polish data protection authority. He suggested that Vkontakte’s data processing practices did not meet the privacy standards introduced by the GDPR. This case is still under consideration and currently it is hard to predict its possible outcome.
Saudi Arabia
By Nick O’Connell, Al Tamimi & Company
Saudi Arabia’s law is based on Islamic Shari’ah, which generally affords protection to the privacy of persons. The Basic Law of Governance (a constitution-like document) states that the State shall protect human rights in accordance with the Islamic Shari’ah. It also contains general protections for correspondence by telegraph and mail, telephone conversations and other means of communication, which may not be seized, delayed, viewed or listened to except in cases set forth in the law. The recently issued E-Commerce Law contains provisions relating to the protection of personal data in an e-commerce context, covering both B2B and B2C e-commerce activities. The Cloud Computing Regulatory Framework, issued by the Communications and Information Technology Commission, contains restrictions on the use of cloud computing and on the transfer of customer data to recipients outside Saudi Arabia. The Labour Law contains provisions on maintaining a file for each employee, although it does not go into any detail in terms of data protection principles. In general terms, these are the laws and regulations we would consider in addressing data protection issues from a Saudi law perspective.
Local media reports indicate that a draft data protection law is currently under consideration by the Saudi legislative body. This is not yet publicly available, although it is unlikely that it has been prepared with GDPR in mind.
Singapore
By Lionel Tan, Rajah & Tann Singapore LLP
Singapore is widely considered to be a leading business hub in the Asia-Pacific region and numerous multinational corporations have established their headquarters in Singapore. Their business operations might include potential data transfers between their European and Singapore offices, or the targeting of European subjects to proffer goods and services. Furthermore, with Singapore being the EU’s largest trading partner in the Association of Southeast Asian Nations (ASEAN), it is inevitable that many businesses and organisations based in Singapore will be affected by the GDPR.
The Personal Data Protection Commission (PDPC), Singapore’s data protection regulator, has responded by publishing a factsheet to help businesses better understand the GDPR as applied to the Singaporean context.
This included outlining the criteria for who comes under the GDPR. As explained in the factsheet, the main criteria cover organisations that process data in connection with:
- offering goods and services to individuals in the EU;
- monitoring the behaviour of individuals in the EU.
Key considerations for ascertaining whether the organisation is offering goods or services to individuals in the EU were also included, and this included the use of a language or currency that is generally used in one or more EU Member States, with the possibility of ordering goods and services in that language.
The PDPC also distilled the key requirements of the GDPR, helping Singapore firms coming under the GDPR better understand how to comply with it. Key requirements highlighted included:
- basis of processing (Article 6);
- rights of the individual (Articles 15, 16, 17, 18, 20, 21 & 22);
- accountability and governance (Articles 25, 35 and 37);
- data breach notification (Articles 33 and 34);
- administrative fines (Article 83).
The PDPC also published online FAQs to help businesses better understand whether the GDPR applies to them, and if so, what Singapore firms need to do to comply with its provisions. The PDPC stressed that requirements for the local Personal Data Protection Act (‘PDPA’) differ from that of the GDPR, and that compliance with the PDPA does not equate to compliance with the GDPR.
To help businesses based in Singapore better understand the extent of applicability of GDPR in their own business operations, the PDPC also included real-life scenarios of businesses where GDPR is likely to apply.
At the moment, the PDPA does not provide a right to data portability. The right to data portability is one of the eight rights conferred under the GDPR. To allow for a measure of congruence between the GDPR and the local PDPA, the PDPC, as part of an ongoing review of the PDPA, is considering introducing a Data Portability Obligation under the PDPA. The PDPC, together with the Competition and Consumer Commission of Singapore (CCCS), has published a discussion paper on data portability to help businesses and other stakeholders better understand its benefits. The PDPC has also held a public consultation on this issue, seeking feedback and input from various stakeholders to assist in drafting a data portability provision for the PDPA.
Private sector response
According to the Global Forensic Data Analytics Survey 2018 by Ernst & Young advisory services, nine out of ten companies in Singapore do not have a plan to cope with the GDPR.
Professional associations and higher education institutions based in Singapore are offering certification programs and workshops to help professionals and businesses better understand the various aspects of becoming GDPR compliant.
Ukraine
By Oleksandr Melnyk, Vasil Kisil & Partners
More than one year since the GDPR took effect, the Ukrainian authorities have demonstrated themselves to be more declarative than proactive in its implementation or clarification. Unlike the state, however, the Ukrainian business community and associations have taken a vigorous approach in implementing GDPR-compliant practices, even in the absence of guidance from the local DPA (the Parliamentary Commissioner on Human Rights).
Back in June 2014, Ukraine concluded an Association Agreement with the EU (the ‘Agreement’). Naturally, the Agreement could not provide for GDPR implementation, since the GDPR did not exist at that time. However, under Article 15 of the Agreement, Ukraine and the EU agreed to cooperate ‘in order to ensure an adequate level of protection of personal data in accordance with the highest European and international standards.’
Led by this commitment, in October 2017, the Ukrainian Government planned to implement GDPR into national legislation by 25 May 2018, that is, simultaneously with the GDPR taking effect in the EU.
It comes as no surprise that such an ambitious goal could not be reached in less than six months, and even at the time of writing the GDPR has not been implemented into Ukrainian national legislation. The local DPA, supported by the EU Twinning project, has made several attempts to draft an implementation bill, on which Parliament has not voted. With a new Parliament recently elected and a new state policy of complete digital transformation, we expect to see new GDPR-related bills.
At the same time, the Ukrainian DPA has not tried to clarify the GDPR provisions to local businesses, leaving them unclear how the GDPR will apply in Ukraine, and if the Ukrainian DPA will assist its partners from the EU to enforce it locally.
On the other hand, the Ukrainian business community and professional associations have tried to implement GDPR-compliant practices, even in the absence of clarifications from the local DPA. Companies in the e-commerce, fintech, IT outsourcing and product sectors, as well as banks, mobile operators, and others, have adopted their own policies and procedures to be GDPR-compliant. It is also worth mentioning that Ukrainian IT associations are working on getting the EU Commission’s adequacy decision for the Ukrainian IT industry as a ‘specified sector within third country’, pursuant to Article 45 of the GDPR. This decision could significantly boost the IT services market and make it more competitive for European customers.
Finally, we have not seen any GDPR-related cases within the last year, or any attempts by European DPAs to enforce GDPR against Ukrainian companies. But with GDPR enforcement gaining speed in the EU, we may soon see how it will work in Ukraine too.
United Arab Emirates
By Nick O’Connell, Al Tamimi & Company
There is currently no modern data protection law of general application in the United Arab Emirates, and there is accordingly no Data Protection Authority.
Local media reports indicate that a draft data protection law applicable to the financial services sector is being considered, along with a draft data protection law of general application. There has been no indication of the expected timeline for issuance of these laws.
Otherwise, there are local law considerations that could be material in the context of considering personal data processing activities, either in an HR context or more broadly. These include penal code prohibitions on disclosures of secrets or misuse of information/data, as well as sector specific considerations such as a healthcare technology law requiring data localisation and an IoT (Internet of Things) policy requiring the same. None of these local law considerations have been prepared with GDPR in mind.
Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.
The UAE has a number of free zones, some of which have modern data protection regimes applicable to entities licensed in such free zones. Besides a healthcare-focussed free zone that has regulations relating to patient health information, there are two notable financial services free zones: the Dubai International Financial Centre (DIFC); and Abu Dhabi Global Market (ADGM). ADGM and DIFC can be understood as legal jurisdictions with a high degree of legislative autonomy. Both have modern data protection regimes that reflect some degree of similarity with the European Data Protection Directive 95/46. The data protection rules in both these jurisdictions are currently being updated for general consistency with GDPR.
United States
By Danielle Van Katwyk, FordHarrison LLP
The implementation of the GDPR has the potential to greatly affect US companies and their current business practices. US companies with employees in the EU or that are doing business in the EU must become aware of the complexity of the GDPR and analyse whether the regulation applies to them. A US business subject to the GDPR should evaluate its potential impact and analyse how best to comply with its provisions. It is best practice to design, implement and maintain a comprehensive data protection compliance programme to implement the GDPR’s requirements and ensure compliance. Failure to do so could expose US companies to significant penalties (up to the greater of 4% of global revenue or EUR 20 million).
California has become the first state to introduce privacy protection for individuals’ personal data comparable to that provided under the GDPR. The California Consumer Privacy Act of 2018 (‘CCPA’ or the ‘Act’), which takes effect on 1 January 2020, is a sweeping digital privacy law that creates new protections and rights for consumers’ personal data.
The CCPA will grant California consumers the following rights:
- to know what personal information is being collected about them;
- to know whether their personal information is sold or disclosed and to whom;
- to say no to the sale of personal information;
- to access their personal information;
- to equal service and price, even if they exercise their privacy rights (although businesses may presumably still offer tiered pricing for goods and services, such as charging higher prices for increased privacy); and
- to hold companies liable for data breaches.
Efforts to amend the CCPA have continued since its rapid passage.
As amended, the CCPA defines ‘personal information’ much more broadly than other privacy statutes in the United States, including California’s own data breach notification statute, closely aligning with the GDPR’s definition of ‘personal data’. Personal information under the CCPA includes:
‘information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’
This broad definition specifically includes:
‘internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application or advertisement.’
Notably, since the CCPA covers ‘households’, it protects data even where the record does not contain a name or relate to a single individual.
Additionally, the CCPA requires businesses to make disclosures about the information they collect and the purposes for which it is used. Specifically, under the CCPA, California consumers will have the right to request that a business disclose:
- the categories and specific pieces of personal information that it collects about the consumer;
- the categories of sources from which that information is collected;
- the business purposes for collecting or selling the information; and
- the categories of third parties with which the information is shared.
Further, California consumers have the right to request deletion of their personal information, and businesses are required to delete upon receipt of a verified request, as specified. Notably, consumers may opt out of the sale of personal information by a business, and businesses are prohibited from selling the personal information of a consumer under 16 years of age, unless affirmatively authorised.
The CCPA applies to for-profit entities that conduct business in California and ‘collect consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information’ and either:
- have more than USD 25,000,000 in annual gross revenues;
- annually buy, receive, sell or share the personal information of 50,000 or more consumers; or
- derive half or more of their annual revenues from selling consumers’ personal information.
Following amendments, the CCPA’s operative date remains unchanged, however, the enforcement action start date has been moved to either 1 July 2020 or six months after publication of the final regulations, whichever date is earlier.
And finally (possibly) (maybe) the United Kingdom
By Alexander Milner-Smith, Lewis Silkin
At some point in the future (near, distant or, of course, non-existent) the United Kingdom may be fully outside the EU post Brexit. From a GDPR application and enforcement perspective not much will change.
The UK has already implemented the GDPR in full via the Data Protection Act 2018 and it is very unlikely that the UK government would amend this legislation (further, it will likely copy the material elements of the E-Privacy Regulation when (and if) it comes into force). It may also be that the Information Commissioner’s Office (‘ICO’, the UK’s data protection authority) and UK courts continue to follow European Court of Justice and EU regulatory decisions on the application of the rules.
As such, data processing in the UK, both generally and in the workplace, will still look very much the same as in the EU regarding lawful bases, notices, proportionality, security, accountability and other elements.
The UK will have to consider all the extra-territorial implications of the GDPR as the other countries above have described, but as companies in the UK will already be complying with GDPR principles, this is not likely to make much difference to current practices. There will also be reverse implications in terms of the extra-territorial application of UK data protection rules. Again, this should not make too much difference for EU organisations, but non-EU companies should consider this (at the same time as the extra-territorial implications of the GDPR as the other countries above have described).
The two big (albeit not insurmountable) areas for the UK being outside the EU are:
- Extra-EU (EEA) transfers. For more information on this much misunderstood topic see here https://theword.iuslaboris.com/hrlaw/insights/uk-no-deal-brexit-and-data-transfers-an-update.
- The ICO will no longer be party to the EU regulatory (or even the EEA regulatory) mechanisms, including the European Data Protection Board and access to the Lead Supervisory Authority (one-stop-shop) system.