Friday 28 January 2022 is Data Protection Day (or Data Privacy Day outside of Europe), which marks the anniversary of the Council of Europe’s Convention 108.
To mark Data Protection Day 2022, our Global Data Privacy and Security Team have provided a roundup of key trends and developments across the globe from a data protection perspective as well as looking ahead to what to expect in 2022.
There are new laws and developments to keep up with in various jurisdictions including the Personal Information Protection Law in China, new laws coming into force in Thailand, amendments to existing legislation in Singapore and Japan, as well as various state developments in the US, and reforms or proposals in Vietnam, Australia and other jurisdictions.
From an EU perspective, a key area companies will be focusing on in 2022 is updating existing data transfer agreements to replace them with the new EU Standard Contractual Clauses before the 27 December deadline, as well as associated compliance with the impact of the Schrems II decision. In addition, from a UK perspective the outcome of the ICO data transfer consultation was published on 28 January 2022, paving the way for use of the UK International Data Transfer Agreement and UK Addendum to the EU Standard Contractual Clauses under the UK GDPR, which are in force from 21 March 2022.
You can find more information on these developments and many others in our summary below.
International data transfers
The ICO launched a consultation on data transfers under the UK GDPR, which closed at the end of last year. Following that consultation, on 28 January 2022 the Secretary of State laid the international data transfer agreement (“IDTA”) and UK addendum to the new EU Standard Contractual Clauses (“UK Addendum”) before Parliament, together with a document setting out transitional provisions for the purposes of the UK GDPR and UK Data Protection Act regarding the use of the standard data protection clauses for international transfers approved by the European Commission under the Data Protection Directive.
The IDTA, UK Addendum and transitional provisions will now lay before Parliament until they come into force on 21 March 2022.
The IDTA and UK Addendum will replace use of the previous EU Standard Contractual Clauses (approved by the European Commission) under the UK GDPR (“Directive SCCs”).
In terms of timings, contracts concluded on or before 21 September 2022 on the basis of the Directive SCCs continue to provide appropriate safeguards until 21 March 2024 for the purposes of the UK GDPR, provided the processing operations and the subject matter of the contract remain unchanged and reliance on those Directive SCCs ensures that the transfer of personal data is subject to appropriate safeguards. Therefore, there is some time for organisations to update existing agreements based on the Directive SCCs. For new contracts for data transfers from the UK entered into after 21 September 2022, the UK Addendum to the new EU SCCs or the IDTA will need to be used, although they can also be used for new contracts from the date they come into force on 21 March 2022.
The IDTA uses the term “linked agreement”, which refers to agreements between the importer and exporter, for example where the importer is a processor and there are Art 28 data processing terms in place in an existing or separate agreement. The IDTA allows for cross-referring to the relevant section of the linked agreement in certain circumstances.
An important difference between the new EU Standard Contractual Clauses and the IDTA is that the IDTA does not include Art 28 data processing terms. Instead, there is a provision which states if the importer is a processor or sub-processor, there is a linked agreement that includes those Art 28 obligations. In addition, the IDTA does not adopt the same “modular” approach as the new EU Standard Contractual Clauses.
In relation to the new EU Standard Contractual Clauses there is the option of a “UK Addendum”. This is a short template document which makes amendments or additions from a UK perspective (e.g. referring to the UK rather than the EU, UK Data Protection Laws rather than EU GDPR, ICO rather than supervisory authority etc).
It is likely that use of the EU Standard Contractual Clauses with a UK Addendum will be the most practical solution for many organisations that are transferring personal data from both the EU and UK in order to maintain consistency.
Consultation on reforms to UK data protection laws
The Department for Digital, Culture, Media and Sport published a consultation (“Data: a new direction”) on proposed amendments to UK data protection law, which closed in November 2021. Although the outcome of that consultation is yet to be published and there is no draft legislation at this stage, it indicates that the current government is considering various changes to UK data protection laws in the future.
In summary, some of the key proposed changes include:
- Legitimate interests: proposals to create a limited, exhaustive list of legitimate interests so that organisations can use personal data without applying the balancing of interests test. This could cover purposes such as reporting criminal acts or safeguarding concerns to appropriate authorities, delivering statutory public communications, monitoring, detecting or correcting bias in relation to developing AI systems, audience measurement cookies or similar technologies to improve web pages that are frequently visited by users, improving or reviewing the organisation’s network or system security, improving the safety of a product or service, de-identifying personal data through pseudonymisation or anonymisation to improve data security, personal data for internal research and development purposes, or business innovation purposes aimed at improving services to customers;
- Flexible risk based accountability framework: the proposals include a requirement for a privacy management programme tailored to the organisation’s processing;
- Removal of requirements to designate a DPO: replacing the requirement for a DPO with a new requirement to designate a suitable individual to be responsible for the privacy management programme and oversee the data protection compliance of the organisation;
- Removal of requirement to conduct a DPIA: the consultation states the intention is to allow organisations to adopt different approaches to identifying and minimising data protection risks to better reflect their specific circumstances;
- Removal of requirement for prior consultation with ICO: there is a proposal that it would no longer be mandatory to (and organisations would not face penalties for failing to) consult with the ICO in advance of carrying out processing identified as high risk that cannot be mitigated in light of the assessment under a DPIA;
- Removal of Art 30 record keeping requirement: instead new requirements under the privacy management programme would require certain records to be kept but organisations would have more flexibility (e.g. a data inventory);
- Change to the breach reporting threshold: there is a proposal that breaches would be reportable to the ICO unless the risk to individuals is not “material”. Currently the threshold is “result in a risk” to individuals. The consultation suggests that the ICO would produce guidance and examples on what constitutes “non-material risk” in this context;
- Voluntary undertaking process: this would be similar to Singapore’s Active Enforcement regime. For example, this would involve providing the ICO with a remedial action plan if an infringement is discovered, which could be accepted as part of a voluntary undertaking process;
- Subject Access Requests: there are proposals to introduce a fee regime for data subject access requests, for example by introducing a cost ceiling, which would operate as a cost limit to prevent organisations being overburdened by requests. In addition, there are proposals to change the threshold for response to a request. This would change the current threshold of “manifestly unfounded” to “likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation”, which would take into account the context and history of a request, including the identity of the requester and any previous contact with them;
- Fines under PECR: the proposals also include increasing the levels of fines for breaches of the Privacy and Electronic Communications (EC Directive) Regulations (“PECR”), which contain the rules on electronic direct marketing and cookies, in line with the levels of fines under the UK GDPR. At present, the maximum amount of fines under PECR is £500,000;
- Adequacy regulations: the consultation also sets out the Government’s intent to have an “ambitious programme of adequacy assessments” for third jurisdictions or groups of jurisdictions in relation to transferring personal data from the UK post Brexit.
Children’s Personal Data
The processing of children’s personal data will continue to be a focus area in 2022 and beyond. Organisations are now required to comply with the ICO’s Age Appropriate Design Code as of 2 September 2021. The Code applies to online services “likely” to be accessed or used by a child, which for these purposes is anyone under the age of 18.
The ICO stated in August 2021 that in its view some of the biggest risks in this context relate to social media platforms, video and music streaming sites and video gaming platforms, and that the ICO would be taking a proactive approach in requiring organisations in those sectors to explain how their services are designed in line with the Code. The ICO also published an opinion on age assurance under the Code in October 2021, which provided additional information on the ICO’s expectations regarding age assurance in the context of the Code.
International data transfers
International data transfers continue to be a hot topic. Companies must complete the implementation of the revised EU Standard Contractual Clauses for data transfers to third countries by end of 2022 (the relevant deadline could also be September 27, 2021 for example where the data processing operations have changed under existing agreements based on the previous EU Standard Contractual Clauses) and comply with the requirements of the Schrems II decision, in particular by carrying out transfer impact assessments and, if applicable, taking supplementary measures.
We expect an increase of enforcement in the aftermath of Schrems II in Germany, on the one hand due to complaints by individuals and on the other hand because some of the German data protection authorities have also started to actively enforce the Schrems II decision by reaching out to selected companies via questionnaires that they developed on the topics of mail hosting, website hosting, web tracking, applicant portals and intra-group data transfers. The questionnaires are quite detailed and contain questions such as: “If you have concluded that the recipient can in fact guarantee compliance with the contractual obligations under the SCCs: Please describe in detail your reasons for this conclusion and provide appropriate evidence.”
Ransomware attacks and other data security threats have increased during the last few years, and so have personal data breach notifications under Art. 33 and 34 of the GDPR. We expect more private actions as well as more enforcement from the data protection authorities on this topic. In December 2021 one of the German data protection authorities proactively started ransomware prevention audits by reaching out to companies with questionnaires on IT security. The goals are to increase enforcement in this area as well as to increase awareness of, and protection against, cybersecurity threats.
Enforcement and data disputes
In the last few years, there have been a number of multi-million Euro fines in Germany. In the meantime, there have also been court decisions that significantly reduced one multi-million Euro fine and declared another multi-million Euro fine invalid.
- The Regional Court of Bonn, dealing with the 9.5 million Euro fine imposed by the Federal State Data Protection Commissioner in December 2019 against a telecoms company for insufficient authentication procedures in a customer call centre before customer service personnel disclosed customer data to callers, significantly reduced the fine to 900,000 Euro. This was because, inter alia, the negative consequences of the violation apparently only affected one data subject, there was no specific guidance on how to act correctly and the company had cooperated.
- The Regional Court of Berlin, dealing with the 14.5 million Euro fine imposed by the Berlin Commissioner for Data Protection and Freedom of Information in October 2019 against a real estate company for violating data retention requirements, discontinued the proceedings since, according to the court, the order suffered from severe deficiencies that cannot form the basis of proceedings. Unlike the Regional Court of Bonn, the Regional Court of Berlin held that a legal person cannot be the subject of an administrative fine proceeding in Germany. Since the public prosecution has appealed, it remains to be seen how the next instance decides.
In 2022 we expect to see more enforcement by the data protection authorities, such as audits and (high) fines – at the same time, more litigation challenging authority orders and fines is likely. Private actions, such as claims of individuals for non-material damages and other data disputes, such as claims between controllers and processors are also expected to increase.
More record sanctions
At the French Data Protection Authority (the “CNIL”), the end of the year 2021 had an “air of déjà vu”, with a high level of enforcement activity (investigations and fines). In December 2021, the CNIL issued fines of 150 million Euros and 60 million Euros in relation to the placing of cookies on users’ computers without their consent – topping the previous record of 100 million Euros. Among the numerous sanctions, the CNIL also fined a company 400,000 Euros for failing to inform individuals about records used for lobbying purposes. It is noteworthy that several of these sanctions demonstrate the strong interest of the CNIL in the security measures implemented by organisations and their effectiveness, which, in certain sanction decisions (such as the 300,000 Euro sanction of December 2021 against a French Internet Service Provider), is combined with an interest in the obligation to protect individuals’ data by design.
Enforcement actions – focus on cookies and health data
In its communication on priority issues for 2021 released in March 2021, the CNIL announced that it will focus its inspections on three topics as part of that strategy:
- cybersecurity of the most popular French websites in all sectors;
- security of health data in particular in the context of the digitization of health services including in relation to Covid-19; and
Several new guidelines and sandboxes for innovation
The CNIL published new guidance on several other topics. In January 2022, two major sets of guidance were released by CNIL: (1) to establish a legal framework to determine if, and under which conditions, a processor can use personal data it obtained from a controller for purposes broader than just strictly providing services to the controller; and (2) to specify the conditions of access of employees to their personal data, including those contained in professional emails. In November 2021, the CNIL also published a practical guide to clarify the DPO missions and functions. Finally, as announced in the strategic roadmap in CNIL’s yearly report, the French regulator has started “sandbox” initiatives to accompany innovative projects, in the fields of digital health and in education.
Enforcement actions with (multi-)million Euro fines
The Austrian Data Protection Authority (“DPA”) has had an active year. Most notably, in 2021 and the beginning of 2022, the DPA issued several decisions imposing fines in the millions for alleged GDPR violations, including the following (not yet binding) decisions:
- The DPA imposed a 9.5 million Euro fine on the Austrian Postal Service for alleged infringements of the right of access, for not providing the possibility to file access requests via email.
- For activities related to its customer loyalty programme, REWE International AG and its subsidiary operating the customer loyalty programme received fines of 8 million Euro and 2 million Euro respectively for not providing adequate conditions for the consent of data subjects to profiling as part of a customer loyalty programme and the ongoing use of the personal data that were received that way.
Hot topic for 2022: The practical application of Schrems II
In a landmark decision issued in January 2022, the Austrian DPA issued the first major DPA decision in Europe after Schrems II dealing with international data transfers from the EU to the U.S. In this declaratory decision, the DPA reasoned that the transferred data (the specific cookies, the title of a visited website, the date and time of a visit and browser-related information such as screen resolution and language settings) would qualify as personal data as they would make the user “distinguishable”, which the DPA essentially equated with “identifiable”. If the IDs stored in the cookies were combined with the browser-related data and the IP address, this would (in the DPA’s opinion) result in a digital fingerprint that would qualify as personal data in any case. Further, the DPA argued that U.S. intelligence authorities could identify the data subject anyway. Without considering the practical risk or the practice of U.S. authorities, the DPA then found that widely used supplementary measures to assure an adequate level of protection of personal data would not suffice.
This decision will most certainly not be the last one that European DPAs issue on this topic, given that more than 100 similar complaints are pending with various EEA member states.
COVID-19 and data protection
The DPA had to decide a number of COVID-19-related complaints, including the following:
- The DPA decided a case brought by a student who, even though not classified as a contact person of an infected fellow student at the same school, had received an invitation to a PCR test from the municipal authority. The DPA ruled that no violation of the student’s right to privacy could be found.
- In another school-related COVID-19 case, students of an elementary school (through their legal guardians) alleged a violation of their right to privacy because the schools mandated COVID-19 tests in class under the supervision of their head teacher. Also in this case, the DPA did not follow the students’ arguments and ruled that the processing of data in this case could be based on the teachers’ legal duty to secure the proper functioning of the school operations as well as their duty to ensure the safety of the students at school.
- In another case, the DPA found that a violation of a person’s right to privacy occurred where a physician checked the vaccination status in the public health record of an employee’s relative in order to assess the risk for COVID-19 infections in her practice after the employee attended a party with that relative.
The Belgian Data Protection Authority (“DPA”) has been active in 2021, including by:
- publishing guidance and recommendations, focusing on practical guidance on the processing of personal data in the context of the Covid-19 pandemic, recommendations on the processing of biometric data, practical tools to assist controllers and processors, DPOs and SMEs, etc.;
- approving its first European Code of Conduct (The EU Cloud CoC, a European code of conduct for cloud services) and first national Code of Conduct (by the National Chamber of Notaries);
- publishing a charter relating to the way investigations are carried out by the Inspection Body of the Belgian DPA;
- carrying out investigations and imposing sanctions such as reprimands, warnings, fines, etc. relating to non-compliance with GDPR; in particular, following an investigation of compliance of the TCF (Transparency & Consent Framework) of the Interactive Advertising Bureau Europe (IAB Europe) with GDPR, the Belgian DPA has drafted and communicated a draft decision to other concerned European authorities;
- investigating and following-up on personal data breaches;
- issuing opinions on draft bills relating to the processing of personal data, in particular in the context of Covid-19;
- implementing its strategic and operational objectives of its 2020-2025 Strategic Plan into concrete objectives for the year to come.
Guidance and Recommendations
In 2021, the Belgian DPA published key guidance and recommendations, notably on:
- Biometric data: The Belgian DPA adopted its recommendation on the processing of biometric data following a public consultation on the draft recommendation. It appears therefore that, as there are no legal grounds under Belgian law allowing the processing of biometric data in the context of the authentication of persons, in cases where explicit consent cannot be used as a legal basis, such processing currently takes place without a legal basis.
- Covid-19 related guidance: the DPA has regularly published FAQs to respond to questions regularly raised to the DPA, such as temperature checks, travel questionnaires, vaccination, etc.
Adoption of Codes of Conduct
The Belgian DPA has adopted its first national and transnational Codes of Conduct in 2021.
In particular, in May 2021, following a favourable opinion by the European Data Protection Board, the Belgian DPA approved its first transnational code of conduct: the EU Cloud CoC, a European code of conduct for cloud services.
The EU Cloud CoC incorporates the requirements applying to processors under Art. 28 GDPR and other relevant related articles of the GDPR as applicable to the cloud market (including IaaS, PaaS, SaaS).
Following an inspection by the Inspection Body regarding the conformity of the so-called TCF (Transparency & Consent Framework) developed by IAB Europe, in November 2021 the Belgian DPA, as the lead authority in this case, communicated its draft decision to the other concerned European supervisory authorities, as contemplated under Art 60.3 GDPR.
According to the Belgian DPA, 27 authorities have indicated their willingness to be involved in the procedure. These authorities had 4 weeks to provide their feedback.
The next steps in the cooperation procedure are:
- If the concerned authorities express no relevant and reasoned objection to the Belgian DPA’s draft decision, the decision can be finalised as such; or
- If one or more of the concerned authorities express a relevant and reasoned objection to the draft decision (Art 60.4 GDPR), either the Belgian DPA will submit a revised version of the draft to its European counterparts, taking this objection into account, or it will not consider these objections, which could trigger the dispute resolution mechanism under Article 65 GDPR.
Developments expected in 2022
- The Belgian DPA has also initiated investigations relating to the processing of personal data in the context of Covid-19.
Over recent months, the Italian Data Protection Authority (the “Garante”) has been fairly active in terms of both enforcement and issuing guidelines and general provisions.
The Garante has been actively involved in all stages of the preparation and issuance of Covid-related provisions. Italy was the first European country to adopt a national Covid certificate (the so-called Green Pass) and to make the Green Pass check a pre-requisite for workers to access the workplace and for individuals to access other spaces.
Recently, vaccination has been made mandatory for 50-year-old individuals, which has led to the launch of a ‘super’ Green Pass. Especially in the employment sector, checking of the Green Pass (both the base and super Green Passes) entails the processing of personal and also health data. The Garante has therefore worked closely with the Government to provide guidance on how to collect, process and store this information. The Garante has also been involved in the launch of new functionalities of the Italian Covid App (named Immuni).
The Garante has issued significant fines targeting the marketing/telemarketing sector, where companies from different industry sectors (from telecoms to utilities and call centres) have been sanctioned for the collection and use of personal data in breach of (mainly) the information and consent requirements.
The Garante has also been focused on the digital environment, especially IT platforms and social networks which resulted in investigations and also general guidance to individuals to protect their privacy rights while online.
The process of GDPR certification is continuing, through the adoption of additional requirements for accreditation of certification bodies, in coordination with the EDPB.
The Garante also tackled the issue of whistleblowing systems. In a proceeding where it was investigating the setup and functioning of a whistleblowing system, the authority has specified how these kinds of systems should be organised to fulfil, among others, the principles of Privacy by Design, by Default and proportionality. This proceeding took place before implementation in Europe of the EU Whistleblowing Directive 1937/2019 – nonetheless it has provided interesting indications to consider particularly for the adoption of whistleblowing systems under the new Directive.
The rules governing the public opt-out register for telemarketing calls have recently been modified further due to intervention by the Garante. In summary, individuals will have the possibility to opt-out not only from calls with an operator, but also from automated calls made for marketing purposes. In addition, an individual’s subscription to the public opt-out register will also entail revoking former consents provided by the individual, in order to avoid possible misuse of their personal data.
In terms of issues on the radar screen of the authority for investigations, further to the fines for marketing and profiling activities, there is specific attention on the issues of the right to be forgotten, the IoT environment, the HR sector and investigations following data breaches.
Lastly, the Garante confirmed its presence and commitment to the activities of the EDPB and European initiatives on data protection.
Polish Data Protection in 2021
The Polish Data Protection Authority (Prezes Urzędu Ochrony Danych Osobowych – “PUODO”) was very busy in 2021, to some extent catching up after a slower 2020. The focus of PUODO is clear: data breach reporting.
On 22 April 2021, the PUODO imposed a fine of approx. 250,000 Euros (PLN 1,100,000) on a Polish paid TV broadcaster for late identification of infringements. The company did not implement appropriate technological and organisational measures in its cooperation with the courier company. The lack of appropriate organisational and technical measures allowing for quick identification of violations meant that for a long time data subjects were not aware of the risk of their data being used by unauthorised persons, e.g. the risk of identity theft. Data subjects were also unable to take measures to limit such risks during that time. Meanwhile, the scope of personal data either lost or delivered to the wrong recipient was extensive. Despite the fact that the infringements were connected with irregularities on the part of the courier company, it was the data controller that incorrectly implemented supervision over the enforcement of contractual provisions, which resulted in late identification of infringements.
Similar decisions (although with lower penalties) were issued in a few other cases, with a focus both on notifications to the PUODO as well as notifying the data subjects.
PUODO already issued its inspection plan for 2022. This covers:
- Processes for securing and sharing personal data processed in connection with the use of mobile applications;
- Processing of personal data of customers and potential customers of banks in terms of profiling. It will also check the ways in which credit applicants are informed about their creditworthiness assessment. The focus on the banks’ profiling stems from a recent surge in cases (with a divided administrative court approach) where PUODO requested deletion of the data by the banks and credit scoring companies; and
- The PUODO will verify the processing of personal data by processors in the Schengen Information System and the Visa Information System (public sector).
Enforcement – 2021 broke records
In 2021, the Dutch Data Protection Authority (Dutch DPA) imposed around a dozen fines on companies and governmental organisations for various types of data protection (GDPR) violations. The enforcement activities indicate that the Dutch DPA is increasingly focussing on corrective and punitive action, rather than focussing on education and prevention (which it did in the early GDPR years). This is in line with previous announcements made by the Dutch DPA. Examples of enforcement action in 2021 include:
- A penalty of 400,000 Euros imposed on an airline for lack of security. Hackers entered the airline’s systems and were able to access personal data pertaining to 25 million individuals, and downloaded personal data of 83,000 individuals. According to the DPA, the airline failed to adequately secure its systems; passwords could be easily guessed, multi-factor authentication was absent, and user accounts had broad access rights allowing the hackers to get deeper into the airline’s systems.
- A penalty of 750,000 Euros imposed on a US-based social media platform for lack of transparency. According to the Dutch DPA, the social media platform’s young user group was not provided with appropriate data protection information; the privacy statement made available to young Dutch users was solely made available in the English language. Children’s rights protection seems to generate more and more attention from government, regulators and other stakeholders, which is also demonstrated by the launch of the Code for Children’s Rights; a self-regulatory code aimed at helping developers and designers focus on the rights of children when developing digital services.
- A penalty of 525,000 Euros was imposed on a US based platform for failure to appoint an EU representative (article 27 GDPR). The penalty is accompanied by an administrative order to appoint an EU representative, subject to a penalty of 20,000 Euros for every two weeks the company fails to comply with the order (with a maximum fine of 120,000 Euros).
Until recently, none of the penalties imposed by the Dutch DPA since the GDPR came into force had exceeded 900,000 Euros. This is in line with the Dutch DPA’s sanction policy rules, on the basis of which the Dutch DPA determines the level of fines for GDPR violations (and on the basis of which the Dutch DPA’s fines have not, and are unlikely to, reach the GDPR maximum).
However, in December 2021 the Dutch DPA imposed a fine of 2,750,000 Euros on the Dutch Tax Authority for conducting years of unlawful, discriminatory processing of personal data pertaining to the (double) nationality of individuals for automated decision making around (childcare) allowances. This controversy caused serious (financial) harm to affected individuals, led the Dutch government to resign and shocked Dutch society, which was reason enough for the Dutch DPA to impose a record-breaking fine.
Civil law action – incentive to claim
More and more individuals and other stakeholders are finding their way to the civil courts in cases of privacy (GDPR) violations. As Dutch civil law in principle leaves no room for punitive damages, individual court cases generally do not lead to significant amounts of damages being awarded for data protection law violations.
With that said, since the introduction of a new bill in 2020 it is legally possible for representative bodies to claim mass damages on behalf of a group of individuals in class action proceedings. A number of class actions with mass damage claims have been initiated against (tech) companies allegedly violating privacy legislation, with claims going up to 6 billion Euros (comprising an amount for each of the individuals represented). At this moment in time, the cases initiated have not yet been decided, and it remains to be seen how these claims are handled by Dutch courts.
Dutch DPA focus areas 2022
At the end of 2019, the Dutch DPA announced its focus areas for 2020-2023, with the overarching theme being “data protection in a digital society”. In its announcement, the Dutch DPA identified three key topics that it will keep a particularly close eye on and enforce as a matter of priority:
- Data brokering. The data brokering area includes the sub-topics (re)sale of data, internet of things, profiling and behavioural advertising. Though the Dutch DPA recognises that digitisation and the data economy may have benefits, it also flags that individuals are not always fully aware that their personal data is collected, sold and used for commercial purposes and are unable to exercise control over their personal data. This reminds us that transparency and respecting data subjects’ rights are key aspects of compliance in relation to the commercial use of personal data.
- Digital government. The digital government focus area addresses the sub-topics of data security, smart cities, data exchange, and elections and micro-targeting. To illustrate, in April 2021, the Dutch DPA fined the Dutch municipality of Enschede for making use of Wi-Fi tracking to measure crowd levels in the city centre. The tracking technique could be used to follow individuals in the city centre, and although there was no indication that persons were actually followed on an individual basis, the Dutch DPA considered that the technique used was disproportionate for its purpose and therefore had no legal basis under the GDPR.
- Artificial intelligence and algorithms. In respect of its third focus area, the Dutch DPA previously announced that it will work together with various stakeholders on the development of a supervisory framework in relation to artificial intelligence and algorithms that make use of personal data, in particular where these techniques are used for automated decision making and profiling. Again, the Dutch DPA flags that transparency and data subjects’ rights are key elements of compliance when it comes to AI and the use of algorithms.
The Dutch DPA’s focus is built around its risk-based approach to supervision; in addition to its regular enforcement activities such as investigating data breaches, handling complaints from members of the public and supporting DPOs, the Dutch DPA focuses on those subjects that it considers carry a high privacy risk for the general public. The Dutch DPA may use various instruments to effectuate its supervisory focus, including the issuance of regulatory guidance, information campaigns aimed at the general public, and enforcement action.
The Hungarian Data Protection Authority (“NAIH”), acting either ex officio or at the request of a data subject, regularly imposes data protection fines. However, these have been moderate amounts to date. The highest fine imposed to date was HUF 100,000,000 and fines rarely reach HUF 10,000,000. Further, most NAIH enforcement procedures resulting in fines to date began with a data subject complaint lodged with the NAIH.
NAIH investigations regularly focus on data breaches, infringement of data subject rights, determination and documentation of proper legal bases (e.g., legitimate interest balancing tests), CCTV and voice recordings, and processing of minors’ personal data. The NAIH has published several notices regarding the COVID-19 pandemic, including on the processing of coronavirus-related data in the workplace.
International data transfers
International data transfers remain a hot topic in Switzerland as well. The Federal Data Protection and Information Commissioner (FDPIC) communicated in August 2021 that it recognises the revised EU Standard Contractual Clauses, in connection with Swiss specific amendments published by the FDPIC, as the basis for personal data transfers to a country without an adequate level of data protection.
The old EU Standard Contractual Clauses may be used during a transitional period until 31 December 2022.
Entering into force of the revised Federal Data Protection Act
The revised Federal Data Protection Act (revFADP) was passed by the Federal Council in September 2020. Per official communication, it will enter into force in the second half of 2022, although an official date has not yet been announced. On 23 June 2021, the draft of the fully revised ordinance to the revFADP was published. However, the text of the ordinance was vehemently criticised during the subsequent consultation process, in particular because of its imprecise language and because it contains provisions that are stricter than those of the underlying revFADP. It is not yet clear when the final text of the ordinance will be published, and extensive revisions are expected.
The revFADP introduces significant changes compared to the current FADP. This mainly concerns governance obligations and new, higher fines. However, the basic principles remain the same. The principle of permissibility of data processing continues to apply in Switzerland. A specific basis for the legitimisation of data processing, such as consent, is only required under certain circumstances.
The most important changes include the following:
- Narrower personal scope of application: Compared to the current FADP, the revFADP only protects data of natural persons and no longer data of legal persons. In this respect, the revFADP is therefore “less strict” than the current FADP.
- New governance obligations:
- With very few exceptions, data controllers must keep a register of processing activities;
- Data controllers domiciled abroad have to designate a representative in Switzerland if they process personal data of persons in Switzerland and the data processing meets certain requirements;
- Data controllers must perform a data protection impact assessment if a processing operation may entail a high risk to the personality or fundamental rights of the data subject;
- The legal grounds for data transfers to countries with insufficient data protection from the perspective of Swiss law were adjusted; and
- The revFADP also introduces a notification obligation in case of data breaches.
- Extended obligations to provide information: The provisions concerning the right to information have been clarified and expanded. The data subject now has the very extensive right to receive all information that is necessary for the data subject to be able to assert their rights under the revFADP.
- New information requirements: The duty to provide information when collecting personal data has been expanded in terms of content; companies must therefore review their data protection declarations and adapt them if necessary. A new duty to provide information in the case of automated individual decisions has also been introduced.
- Criminal sanctions: The fines were raised to up to CHF 250,000. The fines are aimed at responsible employees, not at the respective companies.
By and large, companies that are compliant with the GDPR will be in a good position and will likely only need to make a few adjustments in order to meet the requirements of the revised Federal Act on Data Protection. On the other hand, companies that previously only met the requirements of the current law are advised, in particular in view of the newly introduced governance obligations and the new, higher fines, to address the new provisions immediately and introduce corresponding processes. This is all the more important as the revFADP does not contain any relevant transition periods.
GDPR Compliance – Cross Border Data Transfers and Sensitive Data Processing
On March 23 2021, the Turkish Ministry of Treasury and Finance published the Economy Reform Package, which contains action items relating to the amendments to the Turkish Data Protection Law No. 6698, in particular, provisions on cross-border data transfers, as part of legislative efforts to comply with the EU’s General Data Protection Regulation (GDPR). The deadline for this action item is March 31 2022.
Although no official draft law has been published by the Turkish Parliament, the Turkish Data Protection Authority has referred on a number of occasions to its legislative efforts for compliance with the GDPR, and it has been noted that the amendments to the Turkish Data Protection Law will mainly concern: (i) Article 6, which regulates the processing of special categories of personal data (i.e. sensitive data); and (ii) Article 9, which regulates cross-border data transfers.
Cross-border data transfer rules have been a hot topic since the Turkish Data Protection Law entered into force back in 2016. The debates regarding this topic have mainly been due to the lack of: (i) a “safe country” list, which hasn’t been published by the Turkish Data Protection Authority; and (ii) alternative short-term legal mechanisms for cross-border data transfers, other than explicit consent.
On January 11 2021, the Turkish Data Protection Authority officially opened the Draft Cookie Guidelines for public consultation, marking the first ever extensive cookie guidance in relation to Turkish data privacy law. Stakeholders have until February 10 2022 to submit their responses to the Turkish Data Protection Authority. The draft guidelines largely follow the EU-based cookie rules published by a variety of data protection authorities, including the Information Commissioner’s Office (“ICO”) of the UK and the Commission Nationale Informatique & Libertés (“CNIL”) of France.
Under the guidelines, the Turkish Data Protection Authority distinguishes between essential and non-essential cookies, and explains that the use of certain types of cookies for data processing requires the data subject’s consent. In line with EU practice, the Turkish DPA evaluates granular consent mechanisms, cookie walls and notice requirements while providing examples of “good” and “bad” cookie practices.
In 2020 and 2021, the Turkish Data Protection Authority published various guidance for data processing activities during the COVID-19 pandemic. In its announcements, the Turkish Data Protection Authority underlined the importance of compliance with health data processing rules and notice requirements, and clarified certain exemptions from data privacy law requirements in connection with COVID-19 measures.
Despite the negative impact of the pandemic on the administrative processes of the Turkish Data Protection Authority, the Authority has still been quite active in issuing new decisions and guidance. The Turkish Data Protection Authority announced that it issued a total of TRY 57.4 million (approx. USD 4 million) administrative fines as of October 2021. The Authority has also imposed its largest administrative fine to date at TRY 1,950,000 (approx. USD 150,000) in 2021.
Australia is in the process of reforming the Privacy Act 1988 (Cth) (the “Privacy Act”), in response to growing criticism that the legislation does not adequately address modern technology and data handling practices, and that Australia has fallen behind other regions with more stringent data protection laws, such as the European Union’s General Data Protection Regulation. However, changing a long-established data protection regime is not a quick or easy process, and requires considerable consultation. Although the Federal government first announced plans for some reforms and an extensive review of the Privacy Act in 2019, it was not until late 2020 that consultation began, with the publication of a high-level issues paper. Progress then slowed until late 2021, when the government published an exposure draft of an Online Privacy Bill to introduce a first set of legislative changes, together with a discussion paper containing proposals for more extensive reforms.
Stage One Reforms: Online Privacy Bill
The exposure draft of the Online Privacy Bill proposes to create a binding online privacy code which will apply to social media services, data brokers, and certain large online platforms operating in Australia. Service providers and platform operators subject to the code will need to comply with strict new privacy requirements, including stronger protections for children on social media. Among other things, this code will:
- require social media services subject to the code to take all reasonable steps to verify their users’ age, obtain parental consent for collection of personal information of users under the age of 16, and give primary consideration to the best interests of the child when handling children’s personal information;
- prescribe how privacy policies, notices and consents are to be drafted and delivered;
- detail when consent will be valid and, for sensitive information, when it needs to be renewed; and
- deal with the process for user requests to cease handling of personal information.
The draft Online Privacy Bill also seeks to introduce harsher maximum penalties for breach of the Privacy Act, potentially A$10 million or more (to match the Australian Consumer Law), and additional enforcement powers for Australia’s privacy regulator, the Office of the Australian Information Commissioner (“OAIC”). The scope of the Privacy Act’s extra-territoriality provisions would also be clarified, with the effect that foreign organisations that carry on a business in Australia will generally be regulated, even if they do not collect or hold personal information directly from a source in Australia.
A public consultation on the Online Privacy Bill closed on 6 December 2021, and the government is currently considering submissions received.
Stage Two Reforms: Discussion Paper
The government’s discussion paper for review of the Privacy Act proposes significant further reforms, building on the Online Privacy Bill, including:
- various changes to enforcement and remedies including a direct right of action for individuals and potentially a statutory tort for invasion of privacy;
- broadening key definitions (e.g. “personal information” will clearly include certain technical and inferred information) and adding new definitions for concepts which currently only have regulatory guidance as to their meaning (e.g. “reasonably identifiable”, “consent”);
- amendments to requirements for collection practices, privacy notices and consents, including:
- pro-privacy default settings on a sectoral or other specified basis,
- an express requirement that privacy notices must be clear, current and understandable and stronger requirements for when a notice is required, and
- the development of a code to introduce standardised layouts, wording, icons, and/or consent taxonomies;
- additional requirements and prohibitions relating to certain large scale or high risk acts and practices (e.g. direct marketing; use of sensitive information, children’s personal information, location data or biometric data; automated decision making with legal or significant effects), and further protections for children and vulnerable individuals, linking to proposals under the Online Privacy Bill;
- express rights for an individual to object or withdraw their consent to the handling of their personal information, and to request erasure of personal information in certain circumstances;
- various changes relating to overseas disclosures including a new mechanism to prescribe certain jurisdictions and certification schemes as substantially similar to the Australian Privacy Principles and the development of standard contractual clauses for entities to use when disclosing personal information overseas.
Looking Ahead to 2022
During 2022, we would expect that the government will introduce the Online Privacy Bill to parliament, although an upcoming Federal election does create some uncertainty. The stage two reforms will take longer to progress, with the next step expected to be publication of draft legislation. It remains to be seen exactly how many of the discussion paper’s proposals will be adopted. However, given that the OAIC has recently reiterated its support for the proposed reforms, we expect many of the proposals will progress and there will be a significant step change in Australia’s privacy legislation in the near future. Additionally, the government has recently instigated a parliamentary inquiry into social media and online safety, which is investigating matters that may ultimately lead to further measures targeting digital platforms’ activities, including their collection and use of data. All in all, 2022 is shaping up to be an interesting year for privacy in Australia; watch this space for further developments.
Following two year-long postponements by the Thai Government due to the COVID-19 pandemic, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) is finally due to come into effect on 1st June 2022. The PDPA provides a comprehensive set of rules on the collection, use, disclosure and cross-border transfer of personal data, as well as corrective measures for data subjects whose data protection rights are violated.
The foundations of the PDPA were inspired by the EU General Data Protection Regulation (GDPR), which provides broad protection for data subjects while also aiding international businesses by allowing them to implement similar security measures across ASEAN countries. The most notable PDPA requirements influenced by the GDPR include sensitive personal data (although the PDPA provides more restrictive legal exemptions), lawfulness of processing, consent requirements, privacy notices, and the rights of data subjects. However, before the PDPA comes into effect, Thailand’s competent authority, the Personal Data Protection Committee (“PDPC”), is set to announce supplementary rules to ensure that other Thai laws are not contradicted. The PDPC was officially established in January this year and is expected to hold its first meeting in February, which should shed further light on the specifics of the new law as the PDPC looks to ensure that the PDPA is fully enforced from the 1st of June.
Compliance with the PDPA is mandatory for all businesses and organisations that handle personal data and operate in Thailand. Throughout the postponement period, businesses have been encouraged to implement security measures in preparation for the launch of a new data protection law this year and further sub-regulations have been issued during this time that will aid businesses in effectively protecting personal data. Security obligations that have been set out for businesses and organisations include, among others:
- administrative, technical and physical safeguards;
- informing its personnel of all security measures implemented;
- data breach notification procedures; and
- the assignment of Data Protection Officers and representatives.
For any businesses operating in Thailand that have yet to implement the measures set out in the PDPA, it is imperative that they use the next five months to do so and to train all staff so that they can competently deal with any data protection issues that may arise once the PDPA goes live in June. As official sources have indicated that there will not be another postponement, this really is the last chance for those who will be affected to become compliant.
At present, Vietnam does not have a unified legal framework regulating data privacy related issues. However, in February 2021, the Ministry of Public Security (“MPS”) proposed the first comprehensive legislation in Vietnam for personal information protection in the form of a Governmental Decree, with the draft decree being published in April 2021 and a revised draft in September 2021. You can read more about the key points in the proposed reforms in our update here.
Most of the major amendments to the Personal Data Protection Act (“PDPA”) came into effect on 1 February 2021. The amendments that have yet to be commenced relate to: (i) provision for increased financial penalties of up to 10% of an organisation’s annual gross turnover in Singapore for breaches of the PDPA; and (ii) data portability. There may be renewed focus on these provisions this year. The Personal Data Protection Commission (PDPC) had previously indicated that it does not intend to commence with increased financial penalties until at least 1 February 2022. The exact commencement date is pending further guidance. On the data portability provisions, the PDPC intends to issue further regulations before commencement of these provisions. Additional information on these data portability regulations could be made available if the PDPC decides to proceed with a public consultation of these regulations this year. With the combination of increased prevalence of cybersecurity incidents and the commencement of the mandatory data breach regime in 2021, we expect more organisations to be handling data breaches and navigating the associated legal nuances.
Hong Kong’s data protection law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), has been amended to introduce “anti-doxxing” provisions. The new regime creates offences to curb doxxing activities, and empowers the Privacy Commissioner for Personal Data (“Commissioner”) to carry out criminal investigations, institute prosecutions, and issue cessation notices. The changes came into effect on 8 October 2021.
“Doxxing” refers to the gathering of personal data of a specific targeted person and/or related persons (such as family members) through various means, e.g. public registers and discussion platforms, and disclosing this personal data on the Internet, social media or other open platforms (such as public places).
Major “anti-doxxing” provisions
- First-tier offence: It is a summary offence where (i) a person discloses a data subject’s personal data without consent; and (ii) the discloser intends to cause, or is reckless as to whether, any “specified harm” would be, or would likely be, caused to the data subject or any family member. In other words, no actual harm needs to have been caused by the disclosure. The maximum penalty is a fine of HKD 100,000 (approximately USD 12,770) and imprisonment for 2 years.
- Second-tier offence: It is an indictable offence where (i) a person discloses a data subject’s personal data without consent; (ii) the discloser intends to cause, or is reckless as to whether, any “specified harm” would be, or would likely be, caused to the data subject or any family member; and (iii) the disclosure causes specified harm to the data subject or any family member. In other words, actual harm has been caused by the disclosure. The maximum penalty is a fine of HKD 1 million (approximately USD 127,700) and imprisonment for 5 years.
The Commissioner’s new powers
The Commissioner may: issue a written notice requiring any person to provide relevant materials and answer questions to facilitate an investigation; apply for a warrant to enter and search premises and seize materials for investigation, or to access an electronic device; stop, search and arrest any person who is reasonably suspected of having committed a doxxing-related offence; and prosecute, in the name of the Commissioner, a doxxing-related offence triable summarily in the Magistrates’ Court.
The Commissioner may serve a cessation notice on a Hong Kong person, or a non-Hong Kong service provider that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person, who is able to take a cessation action. A cessation notice may only be served on non-Hong Kong service providers in relation to electronic messages. Cessation actions, in relation to an electronic message, include removing the subject message, ceasing or restricting access to the message or the relevant platform (in whole or in part), and discontinuing the hosting service for the relevant platform (in whole or in part).
The changes are most relevant to platform and online service providers (such as social media platforms). Where doxxing occurs on or via their platforms or services, they may be the recipient of a cessation notice from the Commissioner which requests the removal of doxxing messages, and it is a criminal offence to contravene a cessation notice (the person who commits the offence is liable to a fine and imprisonment). As cessation notices may be served on non-Hong Kong service providers, the amendments impact both Hong Kong and overseas businesses.
From an enforcement perspective, the Commissioner made its first arrest under the regime on 13 December 2021. An individual was arrested after the Commissioner received a report from an alleged victim that the suspect had posted the victim’s personal details on an online platform. The matter is said to relate to a monetary dispute between the suspect and the alleged victim. During the course of its operation, the Commissioner also seized one smartphone in relation to the case.
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) was passed on 20 August 2021 and came into effect on 1 November 2021. This is the first piece of consolidated and comprehensive legislation in China that seeks to regulate the processing of personal information and address personal information protection.
The law has introduced specific obligations that apply to individuals and organisations that process the personal information of natural persons residing in China (we have used the term “Chinese residents” in this section for convenience). The scope and structure of the PIPL is similar to the GDPR in many aspects, yet the PIPL also differs from the GDPR in various ways. Some of the requirements under the PIPL are in fact more stringent than those under the GDPR, so companies and organisations cannot assume that measures or practices that are GDPR-compliant are necessarily PIPL-compliant.
The geographical scope of application of the PIPL regime is beyond the domestic jurisdiction. It also applies to processing activities conducted outside China involving personal information of Chinese residents where the processing activities: (i) are for the purpose of offering products or services to individuals in China, (ii) analyse and evaluate the behaviour of individuals in China, or (iii) meet other circumstances provided under Chinese laws or administrative regulations.
Among other things, the PIPL imposes heightened disclosure and consent requirements with respect to the processing of sensitive information and the cross-border provision (transfer) of personal information: the name and contact details of each and every foreign recipient must be disclosed and separate consent from the data subjects is required. In addition, controllers are required to conduct personal information protection impact assessments (akin to Data Protection Impact Assessments (DPIAs) under the GDPR) in a number of data processing scenarios, which are more extensive than those prescribed for DPIAs under the GDPR. Further, there are data localisation requirements for operators of critical information infrastructure and for controllers who process personal information above the statutory volume threshold (which is to be announced but is likely to be 1 million data subjects), as well as strict cross-border data transfer controls.
Another key development is the Data Security Law of the People’s Republic of China (DSL), which was passed on 10 June 2021 and came into effect on 1 September 2021. The DSL establishes a categorised and classified data security system and regulates the storage and transfer of information. One of its key focuses is the protection of data that is relevant to national security, the lifeline of the national economy, people’s livelihoods and public interests. It is worth noting that the DSL also applies to data processing activities conducted outside China that may “harm China’s national security or public interests, or the lawful rights of any Chinese citizen or organisation”.
The detailed requirements under the new laws are yet to be fleshed out by the Chinese authorities by way of Implementing Regulations / Rules, although some draft rules were released in the past few months. Companies and organisations should closely monitor the legislative developments to ensure that their China-related practices are compliant with the new laws.
The latest amendments to Japan’s privacy law, the Act on the Protection of Personal Information (“APPI”), will come into effect from 1 April 2022. The amendments, among other things, expand the scope of the data subjects’ rights, restrict the range of personal data that may be provided to third parties (including cookie data), and introduce mandatory obligations to report and notify data breach incidents. If an international data transfer is to be made based upon consent, then the name of the jurisdiction to which the data will be imported and certain information on the data protection laws of such jurisdiction will need to be provided to the data subject.
In an effort to build and develop legal frameworks that support the growth of the digital economy, governments in the region are more focused than ever before on the critical importance of data and the regulations in place to control its processing. Permissive frameworks are tempered by data localisation requirements in respect of certain types of data and data gathered by certain technologies.
UAE and Saudi Arabia
To support their digital transformation mandates, the governments of both the UAE and Saudi Arabia passed their first standalone personal data protection laws towards the end of 2021. The establishment of new data protection regulators in both countries and the prospect of sanctions for breach mark the beginning of a new chapter for data protection compliance in both states. Both laws afford in-scope companies a grace period to bring their operations into line with the new requirements. However, certain key requirements remain to be addressed in the executive regulations, which are set to be issued in 2022. We will be monitoring developments closely and in particular we hope to learn when the executive regulations are published whether:
- more flexible legal bases will be introduced to legitimise the processing of personal data, and in particular whether they will include a legal basis equivalent to legitimate interests under Article 6(1)(f) of the GDPR;
- further guidance will be issued on the process for the notification of personal data breaches, including the circumstances in which data subjects must be notified;
- for the UAE, what the sanctions regime will look like and whether, like Saudi, certain breaches of the data protection law will give rise to custodial sentences as well as fines;
- the personal data transfer mechanism in Saudi Arabia will reflect the non-binding requirements published by the National Data Management Office in 2021; and
- the conditions that must be satisfied for obtaining valid consent in Saudi Arabia will be equivalent to those contained in Article 7 of the GDPR.
DIFC and ADGM
In terms of enforcement priorities, the DIFC Information Commissioner has confirmed that:
- it is in favour of adopting a balanced and objective approach to enforcement of the law;
- it does not envisage imposing significant fines for minor breaches;
- general fines, which are not subject to a statutory maximum, will only be imposed in exceptional cases; and
- where businesses have been more proactive in their efforts to achieve compliance with the law, if they are found to have committed a breach of the DIFC Data Protection Law, the Commissioner’s Office is more likely to look upon them favourably in comparison to a business that has made little effort to reflect the requirements of the law in its processes and procedures.
The grace period for achieving compliance with the updated ADGM Regulations will end on 14 February 2022, following which we are likely to see the ADGM Commissioner of Data Protection make an increased number of enquiries regarding the data protection compliance of ADGM businesses. These enquiries are most likely to be prompted by anomalies in the mandatory data processing filings, or indeed, the failure to file one in the first place.
Various new regulations were adopted by the Kuwaiti Communications and Information Technology Regulatory Authority (CITRA) over the course of 2021 and have established a data protection framework for the public and private sector in Kuwait. The most notable regulations are the Data Classification Resolution and the Data Protection Resolution. In 2022 we will find out how CITRA intends to interpret and apply these requirements in practice.
Qatar published a long-awaited suite of regulatory guidelines in 2021, which are intended to implement the requirements of its 2016 Personal Data Protection Law. Whilst they are not legally binding, the guidelines set out helpful controls and checklists to help companies achieve compliance with the Personal Data Protection Law. These guidelines are set to bridge the gap between the requirements of the law and their practical application, to help parties understand their regulatory responsibilities. In some cases the requirements introduced go further by implementing new standards that were not necessarily mentioned in the 2016 law. In light of these guidelines we expect to see a fundamental shift in how businesses in Qatar process and handle personal data.
Oman’s authorities reportedly continue work on their first standalone data protection law, which we understand is in the final stages of being drafted. We expect the law to be promulgated during the course of 2022, making Oman the last of the six Arab States of the Gulf Cooperation Council to do so.
In Canada, privacy laws are enacted at the federal and provincial/territorial level, applicable to private-sector entities, public-sector entities, and health information custodians. In 2021, there were notable legislative and policy developments to modernise and reform private-sector privacy legislation at both the federal and provincial levels, which will carry over into 2022:
The proposed federal private-sector privacy reform legislation, the Digital Charter Implementation Act, 2020 (“Bill C-11”), did not complete the legislative process and died on the order paper with the announcement of a September 2021 federal election. Although Bill C-11 attempted to address the various privacy issues stemming from the modern digital economy, the Office of the Privacy Commissioner of Canada (“OPC”) raised several concerns that the bill failed to provide adequate privacy protections for Canadians and would require significant amendments (e.g., weighing privacy rights and commercial interests, providing specific rights and obligations in relation to consent and accountability, providing effective means of access to quick and effective remedies, and defining the role of the OPC).
On December 9, 2021, the OPC issued a final annual report, which highlighted the government’s commitment to prioritise privacy legislative reform in an effort to ensure effective privacy protection, responsible innovation, and strengthened consumer trust. The annual report outlined the following key issues that will be considered when designing a modern private-sector privacy law: (i) defining permissible uses; (ii) need for a rights based framework; (iii) defining corporate accountability; (iv) need for common, or at least similar, principles for public and private sectors; (v) need for interoperable laws both internationally and domestically; and (vi) need for quick and effective remedies and the role of the OPC. Until such privacy reform legislation is re-introduced and enforced, the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”), continues to govern privacy in the federal and provincial private-sector, with the exception of provincially-regulated organisations in the Provinces of Alberta, British Columbia, and Quebec.
The Province of Alberta is considering privacy legislative reforms to strengthen privacy protections for Albertans and improve government services. In August 2021, the Ministry of Service Alberta concluded its public consultation for proposals to reform the province’s private-sector and public-sector privacy laws including: (i) establishing stronger transparency requirements such as mandatory reporting; (ii) enhancing the rights of Albertans to access and control their own privacy when interacting with government, other public bodies, and private sector organizations; (iii) establishing parameters and legal requirements for collecting, using, and disclosing data that has been de-identified; and (iv) enhancing oversight to ensure the Government of Alberta, public bodies, and/or private sector organizations will protect personal information and privacy as new technologies and/or digital business models are implemented. Until any such privacy reform legislation is introduced and enforced, Alberta’s current Personal Information Protection Act, SA 2003, c P-6.5 will continue to govern privacy in the province’s private-sector.
The Province of British Columbia (BC) is seeking to reform its private and public sector privacy legislation in an effort to ensure harmonisation with any federal efforts to modernise PIPEDA and introduce federal consumer privacy protection legislation. The BC Legislative Assembly appointed a Special Committee to review the province’s current private-sector legislation (Personal Information Protection Act, SBC 2003, c 63 (“BC PIPA”)). In December 2021, the Special Committee submitted a report to the BC Legislative Assembly on input and recommendations gathered from privacy stakeholders on modernising the BC PIPA, including introducing mandatory breach reporting requirements, updating consent requirements, and adding financial penalty provisions. Until any such privacy reform legislation is introduced and enforced, the BC PIPA will continue to govern privacy in the province’s private-sector.
The Province of Ontario is seeking to introduce its own private-sector privacy legislation. In June 2021, the Ontario government released for public consultation a white paper seeking feedback on its proposals on the following topics: (i) a rights-based approach to privacy; (ii) safe use of automated decision making; (iii) thoughtful consent and lawful uses of personal data; (iv) data transparency for Ontarians; (v) protecting children and youth; (vi) a fair, proportionate and supportive regulatory regime; and (vii) support for Ontario businesses and innovators. In September 2021, the Information and Privacy Commissioner of Ontario, in response to these proposals, emphasised the need for a provincial-level privacy regime that should be substantially similar to federal privacy legislation but should also address regulatory gaps found under PIPEDA, which include a lack of privacy protections for provincially regulated employees in Ontario and the absence of privacy regulation of non-commercial activities (e.g. unions, charitable organisations, and professional associations). Until any such privacy reform legislation is introduced and enforced, PIPEDA will continue to govern privacy in the province’s private-sector.
On September 22, 2021, the Province of Quebec’s Bill 64 (An Act to modernize legislative provisions as regards the protection of personal information) received royal assent and will be entering into force in phases over the next three years. Until the provisions of Bill 64 enter into force, Quebec’s current private-sector legislation, the Act respecting the protection of personal information in the private sector (“CQLR c P-39.1”), will remain in effect. Bill 64 imposes new requirements on businesses and provides new rights for data subjects, including (but not limited to) enhanced consent requirements, data portability rights, data breach notification requirements, and the introduction of greater fines and administrative penalties.
From September 22, 2022, the following provisions of Bill 64 will be applicable for businesses: (i) requirement to appoint an internal privacy officer; (ii) requirement to notify Quebec’s privacy regulator, the Commission d’accès à l’information du Québec, of any data breach that presents a “risk of serious injury” to an individual; and (iii) right to disclose personal information without consent when it is necessary for the fulfilment of a commercial transaction or for scientific research purposes.
From September 22, 2024, the “data portability” provision of Bill 64 will be effective, under which data subjects can request that a business disclose their personal information to another individual or business.
State privacy laws continue to develop, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA). Regarding California, although the CPRA extended the sunset provisions for the CCPA’s employee and B2B exemptions, without further action from the California State Legislature those exemptions are set to expire on January 1, 2023, at which point employee and B2B data will be subject to the CCPA/CPRA in their entirety. As such, we anticipate that companies subject to the CCPA/CPRA will want to spend some time this year expanding their CCPA/CPRA compliance program to cover employee and B2B data. Both the CPRA and the VCDPA come into effect on January 1, 2023, and the CPA will follow shortly thereafter and come into effect on July 1, 2023. With the effective dates getting closer, we expect companies will focus on complying with these state privacy laws during the course of this year, and companies will also begin preparing for the possibility that the privacy bills currently being considered in other states are passed. Meanwhile, we anticipate that members of the US Congress in both houses will continue their efforts to create a federal privacy act.
Ransomware and significant cybersecurity incidents continue to be on the rise, and pose significant risks, such as business interruption, customer churn, regulatory scrutiny, and liability claims. In the United States, there has been an increased focus by federal and state authorities and legislatures on privacy and data security. Many state data breach notice laws require companies to have reasonable safeguards in place to protect personal information. State regulatory authorities continue to investigate and bring enforcement actions after data security incidents, citing the relevant unauthorized access as indication that the security of personal information in place was insufficient.
The Federal Trade Commission (FTC) has focused on strengthening and enforcing existing rules, as well as introducing new rules related to safeguarding data, in light of the increased number of security incidents and data breaches, both domestic and international. The FTC also included “deceptive and manipulative conduct on the internet” as one of its key enforcement priorities published in September 2021, alongside “harm to children under 18” (which includes increased scrutiny for violations of the Children’s Online Privacy Protection Act) and “algorithmic and biometric bias.” Looking more broadly at a continually increasing and valuable use of data in support of artificial intelligence, the FTC has emphasized the importance of truth, fairness, and equity and the FTC’s enforcement of those principles.
The Mexican Data Protection Regulator (“INAI”) has been very active in 2021, including by:
- publishing guidance and recommendations;
- carrying out investigations and imposing fines on individuals or organisations whose processing activities were not in line with the Federal Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares). During 2021 the INAI imposed a total of USD $4.5 million in fines; and
- hosting the 43rd Global Privacy Assembly.
It is expected that the INAI will proceed along these lines in 2022.
Guidance and Recommendations
In 2021, the INAI published guidance and recommendations, notably on:
- Guidance “Protection of personal data as a tool to prevent digital violence”: The INAI co-published new guidance and recommendations on the protection of personal data as a tool to prevent digital violence. This guidance helps people identify what is considered personal data and understand the importance of protecting it, in light of the exponential growth in the use of and access to information, technology and communications tools, so that they may adopt concrete measures to prevent, address and eradicate digital violence.
- Recommendations for processing personal data and complying with the duty of security for financial technology institutions (FTIs): In January 2021, the INAI published new recommendations on the processing of personal data, and on the security of that data, for financial technology institutions. The guidance focuses on the different types of processing activities carried out by financial technology institutions and the security requirements each of them calls for.
- Recommendations for recognising the main threats to personal data based on risk assessment: In April 2021, the INAI published new recommendations on the main threats to personal data, based on risk assessment. In these recommendations, the INAI notes that identifying and cataloguing the circumstances or events capable of causing damage to an organisation (threats) helps data controllers manage the risks of processing personal data, as part of a risk management protocol.
- Covid-19 related guidance: Throughout 2021, the INAI updated its Covid-19 FAQs site to respond to questions regularly raised with the INAI, such as those on temperature checks.
During 2021 the number of requests for access to information and protection of personal data submitted by data subjects to the INAI increased by 10.2 % as compared to 2020. In addition, the INAI has confirmed that the USD $4.5 million in fines it imposed during 2021 derive from 83 new sanctioning procedures and 43 sanctioning procedures that were initiated in earlier years but resolved during 2020.
The INAI has also confirmed that during 2020 there were a total of 278 Procedures for the Protection of Rights, of which 143 dealt with the right of Access to personal data, 19 with Rectification, 106 with Cancellation and 57 with Opposition to the processing of data. These numbers complement the INAI’s earlier confirmation that the rights most frequently exercised by data subjects were: (1) the right of access to medical records or medical history; (2) certificates of vaccination; (3) payroll receipts or proof of payment; (4) pension and retirement records; (5) specific documents containing personal information; and (6) the correction of data in the certificate of vaccination against the SARS-CoV-2 virus.
According to the INAI’s records, the most sanctioned sectors, from highest to lowest, were: (1) financial services and insurance; (2) mass media; and (3) health and social welfare. In most cases the fines arose from: (1) the collection and/or transfer of personal data without the necessary consent; and (2) the delivery of privacy notices that do not fully comply with the requirements of the law.
The Brazilian Data Protection Law has been in force for more than one year, and its administrative penalties have been enforceable since August 2021. Last year we saw a significant increase in the enforcement of the Brazilian Data Protection Law, not so much by the Brazilian Data Protection Authority (ANPD) as by consumer authorities and in civil, consumer and employment litigation. The ANPD has been active in issuing regulations and liaising with other authorities, and has also been very active in cases of personal data incidents that must be notified under the law.
For 2022, we can expect significant developments. Data incidents will continue to be a high priority for the Authority, and we expect an increase in cybersecurity litigation, as the market matures and notifications get more frequent. We also expect that the volume of consumer, employment and civil litigation involving personal data will continue to increase. In terms of regulation, in 2022 the Brazilian Data Protection Authority is expected to regulate, according to the Regulatory Agenda published in 2021:
- Data Protection Impact Assessments
- The role of the “Person-in-Charge” (similar but not totally equivalent to the Data Protection Officer)
- International Data Transfers
- Data subject rights
- Guidance on the legal bases for processing
These regulations have been long expected in Brazil and will provide much-needed guidance for controllers and processors involved in the processing of personal data in Brazil, or of personal data collected in Brazil, in areas where the law is particularly unclear.