We've seen a number of key jurisdictions implement or update their privacy legislation this year. Here is a snapshot overview but for more, check out Global Data Hub's dedicated country pages which can be found under the 'risk map' tab on the homepage.
Canada's anti-spam legislation
Although Canada's anti-spam legislation (CASL) was passed in December 2010, it came into force (in part) earlier this year on 1 July 2014 and is a far-reaching regime with rigorous penalties for breach. Both Canadian businesses and those organisations sending messages to and from Canada need to take CASL seriously.
CASL applies to "commercial electronic messages" (CEMs) sent by any means of telecommunication (such as text, sound voice or image message) from which it is reasonable to determine its purpose includes encouraging participation in a commercial activity.
On the whole, CEMs may only be sent pursuant to CASL where the recipient of such messages has communicated express or implied consent (in certain circumstances and subject to a time constraint) and the contents of the message is compliant with the requisite form and content requirements.
For more, see our article, 'Canadian anti-spam legislation now in force'.
From 2 July this year, organisations had to fully comply with the Personal Data Protection Act 2012 (PDPA). This applies to the private sector (not public sector) and those organisation which process personal data on behalf of other organisations.
The PDPA established a Do-Not-Call (DNC) registry as well as regulating the use of personal data to send such electronic communications. This has been the year that the Singapore Data Protection Commission began enforcing the rules in relation to the DNC registry. It has issued guidance and begun enforcement proceedings in response to 1500 valid complaints about failure to respect rules on unsolicited marketing communications. It has prosecuted one organisation; has offered to compound fines in relation to two organisations; and issued warning notices to over 100 organisations. The PDPC has previously said it would take a practical view on enforcement but is clearly taking a proactive position. In June, a Singapore tuition agency and its director were fined for breach of the Singapore's 'Do Not Call' rules. Each was fined SGD 39,000 after prosecution for sending large numbers of text messages without first checking the DNC register. 364 valid complaints were lodged against the agency as a result. The DNC register already has around 600,000 names of people who have opted out of receiving marketing messages.
For more on developments in Singapore, see our dedicated country page.
Recent changes to the Australian Privacy Act 1988
Since 12 March 2014, private sector companies (with a turnover of more than AUS $3million) have needed to comply with new provisions in the Australian Commonwealth Privacy Act 1988 (Act). The Act now contains a new set of thirteen unified Australian Privacy Principles (APPs) which replaced the ten National Privacy Principles (NPPs) (and also the Information Privacy Principles which applied to Commonwealth agencies). Companies had fifteen months to prepare for the changes.
The Act does not distinguish between data controllers and data processors. The obligations in the APPs therefore apply to any company that collects and holds personal information (data).
For more, see our article, 'Overview of recent changes to the Australian Privacy Act 1988'.
Data protection laws in force in Malaysia
The sunrise period for the Personal Data Protection Act 2010 (PDPA) ended earlier this year regulating personally identifiable data collected in respect of a "commercial transaction" including employment data. The PDPA does not apply to information processed for the purpose of a credit report or by the Malaysian Federal and State governments.
Crucially, the PDPA imposes obligations on parties established outside of Malaysia but using equipment in Malaysia to process personal data other than for the purpose of transit through Malaysia.