With less than 1 year to go until the GDPR enters into force, countries around the globe have been gearing up in preparation for the Regulation.
A number of European countries have now released their Annual Reports setting out details of their activities during 2016. Countries publishing their reports include Ireland, Ukraine, Belgium and France. While the reports will inevitably vary from country to country, the key themes across the board are complaints from data subjects, sanctions and fines towards infringers, and preparing for the GDPR as we approach 25 May 2018.
A number of countries have also published guidance documents to assist with practical implementation of the GDPR. The Dutch DPA and the Italian DPA have published GDPR guidance aimed at compliance with the new data protection obligations and Germany has adopted a bill to implement the GDPR. Austria has published its first draft of the Austrian Data Protection Act and Argentina has published its second draft of the Data Protection Amendment Bill. The Bavarian DPA has also published a GDPR readiness questionnaire for companies to use when assessing data protection compliance internally and Romania has recently held a data protection order conference in the run up to the GDPR.
Data breaches are still a prominent topic with the Czech Republic DPA issuing its highest fine to date (approximately €160,000) for data protection infringement. In the same vein, the French DPA sanctioned Facebook €150,000 for several breaches to the Data Protection Act in France. This fine was issued a few months before the significantly greater EU Commission fine of €110 million to Facebook, which was also meted out for data protection infringements.
Data protection obligations have also been raised in European courts, with the Serbian DPA setting out its approach to potential data protection breaches following a mishandled subject access request. Greece has also set out clear guidelines on whether evidence presented in court breaches privacy rights following a recent case in the Greek Supreme Court.
In the run up to May 2018, this year, as last year, promises to be (in the words of the ODPC) another "Olympic year" for data protection!
Last but not least, China has published its new Cybersecurity law as of 1 June 2017 with significantly amended obligations, alongside guidance on cross border data transfers.