28 January 2023 is Data Protection Day (or Data Privacy Day outside of Europe), which marks the anniversary of the Council of Europe’s Convention 108.
To mark Data Protection Day 2023, Baker McKenzie’s Global Data Privacy and Security Team is pleased to present this special edition update of key data protection and privacy developments and trends across the globe, as well as summarising future legislative changes, predictions, and enforcement priorities to look out for during 2023.
International data transfers continue to be a significant area of focus, particularly from an EU perspective. The practical implications of the Schrems II judgment are still being felt by organisations and grappled with by data protection authorities, and related developments are on the horizon with the recently published draft adequacy decision for the EU-US Data Privacy Framework (you can read more in our update here). There are emerging trends in enforcement action from EU data protection authorities shining a light on issues such as transparency and privacy notice information, as well as the legal basis for processing personal data, particularly in the context of online behavioural advertising.
Outside of the EU, there is a proliferation of new privacy laws and amendments to existing privacy laws to keep up with. These range from new laws (or amendments to existing laws) which have now come into force, laws or amendments that are expected to come into force this year, and discussions or proposals for future reforms. In particular, there are developments to be aware of in Australia, Japan, Taiwan, Vietnam, India, Qatar, UAE, Saudi Arabia, Türkiye, Canada, Argentina, Switzerland, several US states and the UK. Almost half of these are G20 economies, so we expect such changes to be important given the inextricable link between information-driven trade ecosystems.
Children’s personal data continues to be high up on the agenda across the globe. In the UK, this is reflected in the ICO’s Age Appropriate Design Code, and in the US, with the California Age-Appropriate Design Code Act (you can read more in our update here). Children’s online safety is also an important topic of wider focus in addition to data protection, and you can read more about this in our specially commissioned report “Online child safety: an opportunity to get it right” led by Elizabeth Denham of Baker McKenzie and produced jointly with Milltown Partners (available here).
You can find more information on these developments and trends and many others in our summary below. You can also jump to specific country overviews using the links below.
If you have any specific questions, please do not hesitate to get in touch with your usual Baker McKenzie Data Privacy and Security contacts.
United Kingdom
UK Data Protection Reform
Following a public consultation process which took place in 2021, the Data Protection and Digital Information Bill (“DPDI Bill”) was published in July 2022. However, the DPDI Bill has not yet progressed further through the legislative process. Therefore, the proposals in the DPDI Bill may change if and when the DPDI Bill progresses through Parliament.
In summary, one of the Government’s key objectives with the DPDI Bill is to reduce the perceived compliance burdens on organisations by removing or replacing certain obligations, particularly record keeping obligations. Proposed amendments include removing the requirement for a DPO to be mandatory, changing records of processing obligations, changing requirements regarding data protection impact assessments, as well as removing the requirement to appoint a UK representative under Article 27 of the UK GDPR if an organisation outside of the UK is directly subject to the UK GDPR because it offers goods or services to data subjects in the UK or monitors the behaviour of data subjects in the UK.
The proposals are not a wholesale replacement of the UK GDPR, but are instead an incremental shift away from, in the UK Government’s view, perceived “box ticking” exercises and unnecessary administrative burdens in certain areas.
There are also proposals to expand the circumstances where consent is not required for placing cookies, for example, by expanding the list of circumstances where cookies are regarded as “strictly necessary”.
You can read more detail about the proposed UK reforms and the DPDI Bill in our update here.
International Data Transfers
UK Addendum and IDTA: As of 21 September 2022, for new contracts which involve the transfer of personal data to jurisdictions that are not deemed to be adequate under the UK GDPR, the International Data Transfer Agreement (“IDTA”) or the UK Addendum to the EU Standard Contractual Clauses should now be used.
For agreements that were entered into before 21 September 2022 on the basis of the previous EU Standard Contractual Clauses approved under the Data Protection Directive (“Directive SCCs”), these continue to be valid for the purposes of the UK GDPR until 21 March 2024, provided the processing operations and the subject matter of the contract remain unchanged, and reliance on those Directive SCCs ensures that the transfer of personal data is subject to appropriate safeguards. You can read more about this in our update here.
ICO Guidance and Transfer Risk Assessment Tool: The UK Information Commissioner’s Office (“ICO”) published new guidance and resources on data transfers in November 2022, including a new transfer risk assessment (“TRA”) tool. The ICO’s guidance and TRA tool adopt a different approach from the European Data Protection Board’s (“EDPB”) recommendations on supplementary measures, although the ICO has stated that, from a UK perspective, organisations can follow either the ICO’s approach in the TRA tool or the EDPB’s approach. You can read more about this in our update here.
Future Adequacy Regulations: The UK Government has stated that it intends to expand the list of jurisdictions that are recognised as adequate for the purposes of the UK GDPR by issuing its own adequacy regulations post Brexit. The UK Government has a list of priority jurisdictions for these adequacy assessments. The top priority jurisdictions are Australia, Colombia, the Dubai International Financial Centre, Singapore, the US and South Korea. There are also longer-term priority jurisdictions which include India, Brazil, Indonesia and Kenya.
As of 19 December 2022, adequacy regulations under the UK GDPR in relation to South Korea are now in force. This is the first new adequacy regulation issued under the UK GDPR for one of the Government’s “priority” jurisdictions. Although the European Commission adopted an adequacy decision in relation to South Korea in December 2021, this did not apply under the UK GDPR as it was adopted after the Brexit transition period ended. The European Commission’s adequacy decision does not cover the processing of personal credit information under the Act on the Use and Protection of Credit Information by controllers that are subject to oversight by the Financial Services Commission (credit rating agencies, banks, insurance companies etc). However, the UK’s adequacy regulations are broader than the European Commission’s adequacy decision and also cover credit information processed by controllers subject to oversight by the Financial Services Commission.
ICO25 and future regulatory approach
On 14 July 2022, the ICO published its three year plan, ICO25, which sets out how the ICO will prioritise its work and regulate over the next three years.
ICO25 includes an action plan for the ICO’s focus areas, which includes areas intended to empower people such as:
- reviewing the impact of “predatory marketing calls”;
- reviewing the use of “algorithms within the benefits system”;
- reviewing the impact the use of “AI in recruitment could be having on neurodiverse people or ethnic minorities, who weren’t part of the testing for this software;” and
- “ongoing support of children’s privacy” which involves continuing to enforce the ICO’s Children’s Code.
You can read more in our update regarding ICO25 here.
In November 2022, the ICO also set out a new strategic approach to regulatory action, for example, opting to use reprimands instead of fines on public sector organisations, with all reprimands now being published on the ICO’s website.
The ICO has also started to publish a list of data protection complaints from data subjects, a list of self-reported personal data breaches by data controllers and a list of incidents and investigations regarding cyber attacks. These lists date back to Q4 2020 and were not previously published on the ICO’s website or otherwise publicly available.
Children’s Personal Data
Organisations have been required to comply with the ICO’s Age Appropriate Design Code since 2 September 2021. The Code applies to online services “likely” to be accessed or used by a child, which for these purposes is anyone under the age of 18.
As mentioned in ICO25, the processing of children’s personal data continues to be a focus area for the ICO.
The ICO has been proactive in reaching out to organisations in certain sectors to understand what compliance steps are in place to meet the requirements of the Code. This approach is likely to continue. For example, in September 2022, the ICO stated that it is looking into several different online services and their conformance with the Code as well as ongoing investigations.
Argentina
2022 was an important year for data protection in Argentina, and much more is expected for 2023.
Last year started with the appointment of Ms. Beatriz de Anchorena as the new Director of the Argentine Data Protection enforcement authority, the Access to Public Information Agency (“AAIP” for its acronym in Spanish).
In line with the commitments she made during her candidacy, Ms. de Anchorena initiated the process of updating the Personal Data Protection Act (enacted in 2000). The aim is to be in a position to address the new challenges posed by advances in technology and the development of the digital economy, as well as harmonisation with regional and international standards from a human rights perspective. The proposal for the new law presented by the AAIP expressly contemplates extraterritorial application. The modernisation process included the opening of a public consultation on the draft bill inviting scholars, organisations, and other interested parties to submit their comments and opinions on the proposal. At present it is not clear when the draft bill will be discussed by congressmen and women or if it will be included in their short-term agenda.
In 2022, Argentina also ratified Convention 108+ on the Protection of Individuals with regard to the Automatic Processing of Personal Data. Argentina was the second Latin American country (following Uruguay) to ratify the Convention. This is aligned with the goal of helping Argentina maintain its EU adequacy decision, which is key for international data transfers, attracting investments and conducting business.
Most of the sanctions imposed by the AAIP in 2022 were related to breaches of the security duty, with the authority focusing its investigations on the lack of implementation of adequate technical and organisational measures to prevent and/or mitigate the effects of a data breach. Despite this, there is currently no explicit legal obligation under Argentine law to report a security incident or data breach; the AAIP simply recommends doing so and considers it best practice. We anticipate that the AAIP will become more interested in cybersecurity and related data protection safeguarding matters.
Australia
After a slow start, there were some sudden and important changes to Australia’s privacy laws in 2022, but more active enforcement and wider-ranging reform proposals are expected in 2023…
2022: the calm and then the storm
At the start of 2022, it was expected that the government of the day would introduce an Online Privacy Bill to parliament, which would have made a number of changes to the Privacy Act 1988 (“Privacy Act”), including significantly increasing maximum penalties for non-compliance. Following the mid-2022 federal election, however, the Online Privacy Bill lapsed and was not resurrected by the new Labor government. Meanwhile, privacy practitioners waited patiently for the Attorney-General to complete the lengthy and much overdue review of the Privacy Act.
All seemed relatively quiet on the privacy front until late in the year, when a flurry of high profile cyber-attacks and privacy breaches prompted the new government to increase funding for Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), and urgently rush amending legislation through parliament aimed at encouraging better privacy practices and enabling the OAIC to respond more effectively to non-compliance. The key amendments include:
- Increases to the maximum penalties for serious or repeated interferences with an individual’s privacy. Most significantly, the potential maximum liability for corporates is now set at the greater of: (a) AUD 50 million, (b) three times the value of the benefit obtained from the contravention, if this can be ascertained, or (c) if the court cannot determine the value of the benefit obtained, 30% of the body corporate’s adjusted turnover during the “breach turnover period” (being not less than 12 months).
- Expanded powers for the OAIC, including powers to request more information and documents about an entity’s compliance practices and to direct respondents to complaints to rectify compliance failures. The regulator now also has greater abilities to share information with other regulatory authorities, make certain disclosures and publications in certain circumstances, and issue infringement notices with monetary penalties attached for failure or refusal to comply with requests to provide information, answers or records.
- A revision of the test for extra-territorial application of the Privacy Act, which means that the regulator only needs to demonstrate that an overseas entity is carrying on business in Australia in order to enforce the Privacy Act against it.
As regards the ongoing review of the Privacy Act, by the end of the year, it was unofficially reported in the media that the review was complete, and that a report on its findings had been handed to the government.
2023: change is coming
The media has suggested that the Privacy Act review report and associated government response will be published in the first half of 2023. In late December 2022, the Attorney-General tweeted of an intention to overhaul the legislation in 2023, reinforcing this in January 2023 with remarks confirming that there will be a “whole range of modernisations of the Privacy Act”.
Some uncertainty remains regarding exact timeframes and next steps.
Nevertheless, it seems reasonable to expect that the report will be published fairly soon and that the government will announce associated reform proposals, with a view to revamping the regulatory regime in 2023.
Potential reform ideas discussed in the 2021 discussion paper for the review included:
- various changes to enforcement and remedies including increases in and additions to penalties (note that these proposals were made prior to the 2022 reforms), and a direct right of action for individuals and potentially a statutory tort for invasion of privacy;
- broadening key definitions (e.g. “personal information” will clearly include certain technical and inferred information) and adding new definitions for concepts which currently only have regulatory guidance as to their meaning (e.g. “reasonably identifiable”, “consent”);
- amendments to requirements for collection practices, privacy notices and consents, including:
  - pro-privacy default settings on a sectoral or other specified basis;
  - an express requirement that privacy notices must be clear, current and understandable, and stronger requirements for when a notice is required; and
  - the development of a code to introduce standardised layouts, wording, icons, and/or consent taxonomies;
- additional requirements and prohibitions relating to certain large scale or high risk acts and practices (e.g. direct marketing; use of sensitive information, children’s personal information, location data or biometric data; automated decision making with legal or significant effects), and further protections for children and vulnerable individuals;
- express rights for an individual to object or withdraw their consent to the handling of their personal information, and to request erasure of personal information in certain circumstances; and
- various changes relating to overseas disclosures including a new mechanism to prescribe certain jurisdictions and certification schemes as substantially similar to the Australian Privacy Principles and the development of standard contractual clauses for entities to use when disclosing personal information overseas.
While there is no concrete indication of which of the review’s proposals will be adopted, Australia’s privacy regulator has generally expressed approval for the proposed reforms and, with cyber-attacks and ransomware becoming ever more prevalent and significant threats, public sentiment seems to be swinging in favour of more stringent privacy regulation.
It therefore seems likely that 2023 will mark the start of a major shift in Australia’s privacy laws, if not a wholesale revolution. Businesses should watch closely for the release of the report on the Privacy Act review, and be ready to digest and make submissions on any draft legislation that is released. Additionally, we expect the OAIC to be increasingly active in its policing of compliance with the Privacy Act throughout 2023, emboldened and empowered by the 2022 reforms and its increased funding. As a result, it is now more critical than ever that businesses have stringent compliance measures in place and are ready to respond to data breaches and regulatory requests for information.
Austria
Continuing hot topic: The practical application of Schrems II
In a landmark decision issued in January last year, the Austrian Data Protection Authority (“DPA”) issued the first major decision in Europe after Schrems II dealing with international data transfers from the EU to the US. In this declaratory decision, the DPA reasoned that the transferred data (the specific cookies, title of a visited website and date and time of a visit and browser-related information such as screen resolution and language settings) would qualify as personal data as they would make the user “distinguishable”, which the DPA essentially equated with “identifiable”. If the IDs stored in the cookies were combined with the browser-related data and the IP address, this would (in the DPA’s opinion) result in a digital fingerprint that would qualify as personal data in any case. Further, the DPA argued that US intelligence authorities could identify the data subject anyway. Without considering the practical risk or practice of US authorities, the DPA then found that widely used supplementary measures to ensure an adequate level of protection of personal data would not be sufficient.
Even though the DPAs in the EU planned a coordinated approach, hashed out by a taskforce of the EDPB, to the more than 100 similar complaints lodged throughout the EU, so far only the French and Italian DPAs have adopted essentially the same position as the Austrian DPA. The DPAs of Spain and Luxembourg, however, dismissed complaints because the website operators had already removed the cookies in question.
The Austrian and French decisions have been appealed and are not yet final. It remains to be seen whether the appeals courts will side with the DPAs or take a different approach.
Hot topic for 2023: Consequences of sending mass cease-and-desist letters with damages claims based on the GDPR
In the latter half of 2022, on behalf of their client, an Austrian lawyer sent demand letters to at least 10,000 small Austrian businesses. With each letter, the lawyer claimed immaterial damages of EUR 100 and costs of EUR 90 based on the argument that the businesses had disclosed their client’s IP address to a third party via a tool embedded on their websites and thereby “massively annoyed” their client and caused “considerable discomfort”. The lawyer filed two lawsuits as “test cases”. The massive volume of websites concerned and other circumstantial evidence suggests that the claimant may not have accessed the websites, but rather used some kind of crawler to directly target websites using the tool in question. The implications of this will have to be assessed not only by the civil courts concerned with the lawsuits, but also by the Public Prosecutor in a criminal investigation against the lawyer and their client.
Austrian DPA issues FAQs regarding cookies
Among other things, the FAQs set out the conditions under which a “pay or okay” model is considered permissible:
- Full compliance with data protection;
- No exclusivity with regard to the content or services offered, i.e. companies with an explicitly public (utility) mandate or universal service providers cannot permissibly use “pay or okay”;
- No monopoly or quasi-monopoly position in the market;
- A reasonable and fair price for the pay alternative;
- No processing of personal data for the purpose of personalised advertising if a user chooses the pay alternative.
Whistleblower Protection Act expected in Q1 of 2023
A draft law transposing the EU Whistleblower Protection Directive (Directive (EU) 2019/1937) is currently being reviewed by the Austrian legislator. The final law, the Whistleblower Protection Act (“HinweisgeberInnenschutzgesetz” or “HSchG”) is expected to take effect in Q1 of 2023. Based on the current draft whose material scope of reportable breaches is kept to a minimum, it appears that companies will have to deal with two whistleblowing regimes in Austria: the one within the scope of the new HSchG and one outside its scope. This will, in particular, also require differentiation regarding the legal basis of any data processing, the applicability of any data subject rights and the necessity of works council agreements and privacy impact assessments.
Belgium
The Belgian DPA has been very active in 2022, including:
- investigating and following-up on personal data breaches;
- issuing opinions on draft bills involving the processing of personal data; and
- translating the strategic and operational objectives of its 2020-2025 Strategic Plan into concrete objectives.
Processing of sensitive personal data, the legitimacy of the processing and online collection of personal data using cookies and similar technologies, especially in the context of the adtech industry, have been particularly scrutinised by the Belgian DPA in 2022.
- In February 2022, the Belgian DPA found that IAB Europe’s Transparency and Consent Framework (TCF), which facilitates the management of users’ preferences and consents in relation to online personalised advertising (in particular in the context of Real Time Bidding), infringed several provisions of the GDPR. The Belgian DPA therefore imposed a EUR 250,000 fine on IAB Europe and ordered the company to present an action plan to bring its activities into line with the GDPR within two months. IAB Europe appealed the decision of the Belgian DPA before the Brussels Market Court, which decided in September 2022 to refer preliminary questions to the Court of Justice of the EU (“CJEU”). The preliminary questions notably concern IAB Europe’s status of (joint) controller with respect to processing activities carried out in the context of the TCF as well as whether a “TC String” (i.e. a character string that captures the preferences of an Internet user in connection with the processing of his or her personal data in a structured and machine-readable manner) constitutes personal data within the meaning of the GDPR. The case is currently pending before the CJEU (Case C-604/22). In addition, on 11 January 2023, the Belgian DPA informed IAB Europe of the formal approval of its action plan to bring its activities into compliance, which means that IAB Europe now has up to six months to implement the suggested measures.
- Also in February 2022, the Brussels Market Court referred another preliminary question to the CJEU in a case involving the publication, requested by a public notary in accordance with the law, of certain personal data in the Belgian Official Gazette. The questions mainly concern the qualification of the Official Gazette as data controller; the case is currently pending before the CJEU (Case C-231/22).
- In April 2022, the Belgian DPA imposed fines on the Zaventem and Charleroi airports of EUR 200,000 and EUR 100,000 respectively, as it found that temperature checks which were put in place because of the Covid-19 pandemic and involved the processing of passengers’ health data did not rely on a valid legal basis under the GDPR. Both airports appealed the decisions of the Belgian DPA before the Brussels Market Court, which partially annulled them in December 2022. The Court mainly found that the Belgian DPA did not sufficiently consider several mitigating factors mentioned in Article 83 GDPR when deciding the amount of the fines imposed, and therefore reduced the fines to EUR 50,000 for the Zaventem airport and EUR 25,000 for the Charleroi airport.
Belgian DPA’s key priorities for 2023
The Belgian DPA has defined its key priorities for 2023, which revolve around cookies, the role of the DPO, data protection in the context of the development of the “smart city” and continued control actions with respect to data brokers.
Brazil
In 2022, the protection of personal data was recognised as a fundamental individual right by an amendment to the Brazilian Federal Constitution, while the Brazilian DPA (“the ANPD”) was granted more autonomy and converted into an autarchy (similar to an agency, with more independence).
On an administrative level, the ANPD has been active in issuing regulations, guidance and public consultations, as well as addressing incidents involving personal data that need to be notified according to the law. With a significant increase in the number of cyberattacks, there has been an increase in notifications to the ANPD, as well as governmental initiatives to publish sector-specific regulations on cyber security, with more to come.
The ANPD was previously associated with the Federal Presidency but has now been transferred to the organisational chart of the Ministry of Justice as of January 2023, although it still maintains independence. The ANPD disclosed a revised regulatory agenda for 2023 and 2024, with the main regulatory priorities for 2023 including:
- Regulation on application of administrative sanctions;
- Data subjects rights;
- Security incident notification requirements;
- International transfers of personal data;
- Personal Data Protection Impact Assessments;
- The role of the “Person-in-Charge” (similar, but not totally equivalent, to the role of a data protection officer);
- Legal bases for the processing of personal data;
- Definition of high-risk and large-scale processing activities;
- Processing of sensitive personal data by religious organisations;
- Use of personal data for academic purposes and for carrying out studies by a research body;
- Anonymisation and pseudonymisation procedures; and
- Regulation of processing of personal data for research purposes.
Under Brazilian law, enforcement of data protection rights is not limited to the ANPD. Companies can also be subject to individual or collective claims for failure to comply with Brazilian General Data Protection Law (“LGPD”), by data subjects or associations and other authorities representing a group of data subjects seeking indemnification or other measures. Since the enactment of the LGPD, there has been an increase in consumer, civil and employment litigation involving data protection matters, and we expect that cyber security litigation, as well as consumer and employment disputes involving personal data, will continue to increase.
Canada
In Canada, privacy laws are enacted at the federal and provincial/territorial level, and are applicable to private sector entities, public sector entities, and health information custodians. In 2022, there were notable legislative and policy developments to modernise and reform private sector privacy legislation at the federal level and in the Province of Quebec, which will carry over into 2023.
In June 2022, the federal government introduced Bill C-27 (Digital Charter Implementation Act, 2022) to overhaul and modernise the current private sector privacy regime under the Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-27 proposes the following new laws:
- Consumer Privacy Protection Act: If passed, this new law would repeal a part of PIPEDA and replace it with a new legislative regime, to govern the collection, use, and disclosure of personal information for commercial activity in Canada. This new law would provide:
- heightened data protection measures for individuals with respect to their right to request, access, delete and transfer their personal information;
- enhanced data breach reporting, breach notification, and security safeguard requirements for organisations;
- new privacy protections for minors, such as limitations on the collection and use of a minor’s personal information and higher standards for organisations to meet in handling a minor’s personal information;
- broader regulatory powers for the federal privacy regulator, the Office of the Privacy Commissioner of Canada (OPC); and
- significant fines for non-compliance of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offences.
- Artificial Intelligence and Data Act (AIDA): Currently, there is no AI specific legislation in Canada. If passed, AIDA would require organisations that design, develop and use AI systems to identify, assess, manage, and mitigate risks and biases associated with high-impact AI systems. AIDA introduces new criminal prohibitions and penalties related to the use of unlawfully obtained data for AI development, instances where the careless deployment of AI systems poses serious harm, and where there is fraudulent intent to cause substantial financial loss through the deployment of the AI system.
- Personal Information and Data Protection Tribunal Act: If passed, this new law would establish a new regulatory authority, the Personal Information and Data Protection Tribunal, which would play a role in the enforcement of the Consumer Privacy Protection Act. This new authority would be able to impose administrative monetary penalties, as well as, upon the request of organisations and individuals, review decisions of the Office of the Privacy Commissioner of Canada (OPC).
In the coming year, Bill C-27 will continue undergoing legislative review. If this legislation is passed, the OPC will be significantly engaged in developing and implementing transitional measures for the new privacy requirements. The OPC may also consider the development of regulatory tools and enforcement mechanisms for the new privacy measures. Private-sector organisations will also need to assess, revise, and update their privacy practices and policies in relation to the new privacy requirements.
The first phase of amendments introduced by Bill 64, an Act to modernise legislative provisions as regards the protection of personal information, to the private sector privacy legislation in Quebec, an Act Respecting The Protection Of Personal Information In The Private Sector, came into force on 22 September 2022. As of this date, organisations are required to appoint an internal privacy officer and notify Quebec’s privacy regulator, the Commission d’accès à l’information du Québec, of any data breach that presents a “risk of serious injury” to an individual.
The last phase of amendments related to data portability will come into force on 22 September 2024, through which individuals can request that an organisation disclose their personal information to another individual or business. In the coming year, the Commission d’accès à l’information du Québec will continue to monitor an organisation’s compliance with and enforce provisions under the amended Act Respecting The Protection Of Personal Information In The Private Sector. Private sector organisations will need to ensure that they are complying with the updated and new privacy requirements ahead of the various enforcement dates (as set out above).
The Colombian DPA (i.e. the Superintendence of Industry and Commerce – “SIC”), was very active during 2020 and 2021, issuing orders and opening investigations particularly against companies engaged in digital services whose activity grew exponentially during the Covid-19 pandemic. Although the SIC’s activity was not as intense in 2022, perhaps given the changes in the leadership of the agency’s data protection team, there were still several interesting developments in Colombia.
In February 2022, the Colombian Ministry of Commerce, Industry and Tourism issued Decree 2555 of 2022, which regulates the recognition of Binding Corporate Rules in Colombia. Binding Corporate Rules are self-regulatory systems adopted by a business group and put in place by the controller of personal data established in Colombia, to facilitate transfers of personal data to other controller(s) located outside the national territory that form part of the same business group.
In 2022, the SIC also fined the largest Latin American marketplace for exposing customer data. In this case, an employee of the company sent a promotional email to several customers in a way that exposed to every recipient the email addresses, names and surnames of all the other recipients. This information was then used by unauthorised third parties to contact those individuals with unsolicited messages.
The SIC also sanctioned a major financial services firm. According to the authority, the financial services company systematically disregarded complaints from citizens related to the use of their personal financial information. In its decision, the agency issued a general warning to companies that process personal data in the financial services industry, advising them to adopt measures to ensure such issues do not occur in the future.
The SIC opened an investigation into the largest company in the Colombian aerospace sector after reaching the preliminary conclusion that the carrier collected personal data through its applications using mechanisms that the SIC considered to be illegitimate. The SIC continues to focus on digital service providers. In one decision, the agency imposed an order on a tech company not domiciled in Colombia on the basis that cookies were used to collect data from Colombian users. The company has since challenged the decision.
Amendments to the Czech Telecommunications Act entered into force in 2022. These amendments implemented the opt-in consent requirement for cookies under the ePrivacy Directive, aligning the Czech cookie rules with the EU requirements. In addition, the amendments significantly changed the rules for telemarketing in the Czech Republic (generally, opt-in is now required). The Czech DPA, jointly with the Czech Telecommunication Office, has published detailed guidance on the new telemarketing rules. Around 800 complaints have already been submitted to the Czech Telecommunication Office, the competent authority supervising compliance with the telecommunication rules. The first fine for a breach of the new telemarketing rules was issued in 2022 and amounted to CZK 420,000 (approximately EUR 17,500).
The Czech DPA has been active in 2022 with investigations and publishing guidance. During its investigations, it has focused on cookies, smart quarantine and direct marketing, as well as processing relating to offers of goods and services. It also inspected processing activities relating to audio-visual recordings in a business establishment and processing by the executor’s office. In the first six months of 2022, the DPA concluded 11 investigations relating to the GDPR and five investigations relating to the sending of commercial communications. While the highest fine imposed by the DPA for a GDPR breach is CZK 2,000,000 (approximately EUR 83,400), in 2022 the DPA only imposed four enforceable fines, the highest of which amounted to CZK 70,000 (approximately EUR 3,000).
In 2023, the DPA plans to investigate the following in relation to the private sector:
- processing personal data by a significant processor and the involvement of sub-processors, including changes to sub-processors as well as compliance with the contractual provisions under Article 28(3) and (4) GDPR and documenting audits carried out;
- processing personal data in connection with telemarketing, in particular whether personal data is lawfully processed and whether transparency obligations are complied with;
- processing of personal data by employers in attendance systems, in particular regarding categories of personal data processed, retention periods and purpose limitation;
- processing of personal data in a database, in particular regarding sources of personal data, legal basis for the processing as well as transparency and handling of data subject rights;
- sending commercial communications via SMS.
Jointly with other European authorities, the DPA will also participate in an investigation within the EDPB Coordinated Enforcement Framework concerning data protection officers. In addition, the DPA plans to carry out various investigations in relation to the public sector, including Eurodac, processing during the visa process, CCTV system with biometric functions by a public body as well as processing by police. We expect to see more enforcement actions and fines from the DPA in 2023.
CNIL enforcement action
The trend of the CNIL imposing more and more sanctions showed no signs of slowing in 2022, with 22 sanctions (totalling EUR 100,927,900) imposed on various entities during the year. The total sum of administrative fines was nevertheless lower than in 2021, when the CNIL issued sanctions totalling EUR 214,106,000. The CNIL’s decisions in 2022 concerned a wide range of sectors and players, ranging from fines of millions of euros against bigger tech companies to fines of thousands of euros against small and medium companies (including a restaurant, a notary, a physician, etc.). Fines of hundreds of thousands of euros were also imposed on large French groups (in sectors such as telecommunications, energy, hotels, automotive, etc.). It seems that for the CNIL, the protection of personal data is now everyone’s business.
Among the most frequent breaches were failures to respect the right of access, to obtain valid consent and to define appropriate data retention periods. In December 2022, three significant sanctions concerned mismanagement of cookies and other similar technologies.
Another important sanction was issued in October 2022 (EUR 20 million), against a provider of facial recognition technology not established in France and without any representative within the EU. Following a formal notice which remained unaddressed, the CNIL imposed the financial penalty and ordered the provider to stop collecting and using data on individuals in France without a legal basis and to delete the data already collected. The lack of cooperation with the CNIL (the company only replied partially to the investigation form that was sent to it and did not provide any response to the formal notice) was considered an aggravating factor.
CNIL investigation and strategic plans
In 2022 the CNIL published its annual investigation plan, focusing on three main topics:
- Commercial prospecting: On 3 February 2022, the CNIL published a standard on commercial management focusing on commercial prospecting. The CNIL will verify the compliance of professionals with its recommendation.
- Cloud services: The CNIL will specifically scrutinise data transfers and the contractual relations between controllers and sub-processors providing cloud solutions. The CNIL is also part of the coordinated enforcement action on the use of cloud services by the public sector launched by the EDPB on 15 February 2022, under which the supervisory authorities are investigating together the use of cloud-based services by the public sector. However, the CNIL has not yet published any deliberation on this topic.
- Remote working monitoring: The CNIL wants to ensure that a fair balance is respected between private life at work and control of workers’ activity.
The CNIL is expected to release its next investigation plan (for 2023-2024) in Spring 2023.
It is important to note, however, that 75% of the CNIL’s inspections flow from complaints and/or data breach notifications. As a result, the CNIL’s annual control plan benefits from only 25% of its available inspection resources.
In March 2022, the CNIL also published its strategic plan for 2022/2024 focusing on three priority axes:
- Promoting the control and respect of data subjects’ rights;
- Promoting the GDPR as a trusted asset for organisations; and
- Prioritising targeted regulatory actions on topics with high privacy stakes such as (1) augmented cameras and their uses on the basis of the CNIL’s upcoming guidelines on “smart or augmented cameras in public spaces”, (2) data transfers as part of cloud computing and (3) collection of personal data by smartphones’ applications.
The Digital Innovation Lab of the CNIL (LINC) has published its research strategy plan for 2022/2023 focusing on four main subjects:
- The impact of data protection on the protection of the environment;
- The new economies of data (in particular the topic of data brokers);
- The practices and perceptions of the data subjects regarding the means available to protect their privacy and the exercise of their rights; and
- Capturing the data.
Security and cybersecurity
In 2021, the cybersecurity of websites was one of the three priority themes for the CNIL. As a result, the CNIL inspected the websites of 21 organisations in the first half of 2021 and published a note on its website in July 2021 explaining that, of these organisations, 15 had been issued formal notices for defects in data encryption or in the management and security of user accounts.
With this action and publicity, the CNIL intended to emphasise the fact that websites with insufficient security are more likely to be the victims of cyberattacks such as ransomware.
In light of the increase in the number of cyberattacks, the CNIL has issued numerous practical recommendations for individuals and companies (on ransomware, encryption and passwords), in cooperation and alignment with the ANSSI (the French national authority for cyberdefence and network and information security).
CNIL guidelines on Transfer Impact Assessments (required following the Schrems II decision, according to the recommendations of the EDPB) may be in the works according to certain CNIL representatives. However, the only publication from the CNIL on the topic of transfers in 2022 was a reminder that the old Standard Contractual Clauses cannot be used from 27 December 2022 and that new Standard Contractual Clauses (adopted in June 2021) must now be used in data transfer agreements to lawfully transfer data to a third country.
In addition, in formal notices (“mises en demeure”) sent to several French companies because of their use of an analytics tool which involves the transfer of personal data to the US, the CNIL has paved the way for sanctioning companies for not putting in place sufficient guarantees for the rights of European users. The companies had one month to comply and to justify their compliance with the GDPR to the CNIL.
The companies ordered to comply had put Standard Contractual Clauses in place with the provider. However, the CNIL considered that the Standard Contractual Clauses alone could not provide a sufficient level of protection in the event of an access request from foreign authorities, in particular where such access is permitted by local law. The provider indicated that it had implemented additional legal, organisational and technical measures, but the CNIL deemed them insufficient to ensure the effective protection of the personal data transferred, particularly against the risk of requests for access to the data by US intelligence services. In an FAQ published in June 2022 to address the difficult question of which additional measures French or European companies can use to continue transferring personal data to the US, the CNIL stated that one solution could be to route the measurement traffic through a proxy server, so that there is no direct contact between the user’s terminal and the servers of the measurement tool. However, the proxy must meet a number of criteria for this additional measure to be in line with the EDPB recommendations of 21 June 2021.
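The proxy approach is only a valid supplementary measure if what leaves the proxy no longer identifies the user. The following Python block is an added illustration (not the CNIL’s own guidance, nor code from any vendor) of the sanitisation step such a proxy would apply to each analytics hit before relaying it. The page notes that the CNIL FAQ sets criteria for the proxy but does not list them; the criteria implemented here (never forward the client IP, replace the stable user identifier with a keyed pseudonym, strip the referrer and identifying query parameters, relay only an allow-listed set of measurement fields) are this example’s assumptions. The HTTP plumbing between browser, proxy and vendor is omitted; the sample hit, the field names and the key are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed criteria for an EU-hosted measurement proxy (this example's
# assumptions, not the CNIL's published list):
#   1. the client's IP address is never forwarded to the vendor;
#   2. any stable user identifier is replaced by a keyed pseudonym,
#      so the vendor cannot link the hit back to the person;
#   3. the referrer and identifying URL query parameters are stripped;
#   4. only an allow-listed set of measurement fields is relayed.

ALLOWED_FIELDS = {"page", "event", "ts", "lang", "screen"}      # assumed field names
IDENTIFYING_PARAMS = {"email", "user", "uid", "token", "name"}  # assumed parameter names
DEMO_KEY = b"constructed-demo-key-keep-this-in-an-eu-hsm"       # constructed; not a real key


def pseudonymise(user_id: str, key: bytes) -> str:
    """Keyed, one-way pseudonym: stable for one key, unlinkable without it."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Drop query parameters that can identify the visitor; keep the rest."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in IDENTIFYING_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def sanitise_hit(inbound: dict, key: bytes) -> dict:
    """Build the outbound hit the proxy relays to the measurement vendor.

    `inbound` is what the proxy sees from the browser: transport metadata
    (client_ip, user_agent, referrer), the site's user identifier, and the
    measurement fields. Only allow-listed fields are copied; the client IP,
    user agent and referrer are deliberately never read into the output.
    """
    outbound = {k: v for k, v in inbound.get("fields", {}).items()
                if k in ALLOWED_FIELDS}
    if "page" in outbound:
        outbound["page"] = strip_url(outbound["page"])
    if inbound.get("user_id"):
        outbound["cid"] = pseudonymise(inbound["user_id"], key)
    return outbound


def audit(inbound: dict, outbound: dict) -> list:
    """Return the list of assumed criteria the outbound hit violates (empty = clean)."""
    violations = []
    blob = repr(outbound)
    if inbound.get("client_ip") and inbound["client_ip"] in blob:
        violations.append("client IP forwarded")
    if inbound.get("user_id") and inbound["user_id"] in blob:
        violations.append("raw user identifier forwarded")
    if inbound.get("referrer") and inbound["referrer"] in blob:
        violations.append("referrer forwarded")
    for field in outbound:
        if field not in ALLOWED_FIELDS | {"cid"}:
            violations.append(f"unexpected field {field!r}")
    return violations


# Constructed sample hit (203.0.113.0/24 is a documentation range).
SAMPLE_HIT = {
    "client_ip": "203.0.113.42",
    "user_id": "user-8842",
    "referrer": "https://intranet.example/search?q=salary",
    "user_agent": "Mozilla/5.0 (constructed)",
    "fields": {
        "page": "https://shop.example/cart?email=a@b.example&step=2",
        "event": "pageview",
        "ts": "1672531200",
        "lang": "fr-FR",
        "screen": "1920x1080",
        "debug_ip": "203.0.113.42",   # not allow-listed, so it is dropped
    },
}

if __name__ == "__main__":
    relayed = sanitise_hit(SAMPLE_HIT, DEMO_KEY)
    print(relayed)
    print("violations:", audit(SAMPLE_HIT, relayed))
```

The point of `audit` is that the sanitiser is only trustworthy if it is checked against what actually leaves the proxy; in a real deployment the same check would run as a test over captured outbound requests, and the HMAC key would live only on the EU-hosted proxy, since whoever holds it can re-link the pseudonyms.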
We expect international data transfers to continue to be a hot topic, particularly against the backdrop of the draft adequacy decision of the European Commission published on 13 December 2022. Following the Executive Order of the US president in October 2022 to address points raised by the Court of Justice of the EU in the Schrems II decision, one of the German DPAs published a statement pointing out unanswered questions and concluding there were deficiencies with the Executive Order.
In addition, since the EDPB announced its plan to focus on data protection officers, we expect this to be a relevant topic in Germany particularly because German local data protection law requires the appointment of a data protection officer in most cases, and in particular, where a company employs at least 20 persons dealing with automated processing of personal data. Notably, Germany required the appointment of data protection officers in most cases pre-GDPR.
Guidance from German data protection authorities
The German Data Protection Conference, consisting of all German DPAs, updated guidance and published new statements/guidance, for example:
- In February 2022, the German Data Protection Conference updated its guidance on the processing of personal data for the purposes of direct marketing under the GDPR (available in German here); and
Enforcement and data disputes
German DPAs continued to impose fines. For example, in July 2022, the DPA of the German state of Lower Saxony imposed a fine of EUR 900,000 on a bank because the DPA deemed it insufficient to base the bank’s profiling activities for advertising purposes on legitimate interests (Art. 6 (1) lit. f GDPR). According to the authority’s press release, the bank analysed personal data of former and current customers, including, inter alia, their digital usage behaviour, the volume of purchases in app stores and the volume of bank transfers made via online banking, and used an external service provider for this purpose. In addition, the results of the analysis were compared with and enriched by the analysis of a credit agency. The authority stated that merely informing customers does not replace the necessary consent. According to the press release, the fine is not yet binding.
In 2023 we expect to see continued enforcement by DPAs, in the form of fines and audits – the latter likely primarily triggered by complaints from individuals. At the same time, we anticipate an increase of private actions under the GDPR. Claims of private actors have become more popular; this includes private actors whose goal appears to be to collect damages and legal fees in large numbers, as well as introducing privacy claims in proceedings between employers and (former) employees (such as data access requests). We also expect an increase in claims by private associations. In April 2022 the Court of Justice ruled that the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings in the absence of a mandate and independently of the infringement of specific rights of data subjects, for infringements of laws protecting personal data (28 April 2022, case C-319/20). The risk of private enforcement will likely gain momentum once the Representative Actions Directive, which should have been implemented into national law by 25 December 2022 and which must be applied by 25 June 2023, is implemented into German law.
Preparatory work for the introduction of cybersecurity legislation
The Hong Kong Government is currently undertaking preparatory work for the enactment of cybersecurity legislation in Hong Kong, which aims to strengthen cybersecurity of critical information infrastructure (CII) by imposing network security obligations on operators of CII. The Secretary of Security has indicated that examples of CII include water, electricity, coal supply, communication networks, transport services and financial institutions.
Details of the legislative proposal are not yet available. However, the Government has noted that in preparing for the impending cybersecurity legislation, it will make reference to relevant legislation around the world and focus on the following seven areas:
- Establishing a preventive management regime for critical infrastructures;
- Devising a cyber security plan;
- Conducting regular security assessments;
- Putting in place a comprehensive incident response plan;
- Conducting frequent drills;
- Resilience; and
- Prompt notification mechanism.
Based on the Chief Executive’s 2022 Policy Address and an October 2022 Legislative Council discussion paper, the Government will launch a public consultation on the legislative proposal to enhance protection of cybersecurity of critical infrastructure in early 2023.
Active enforcement of “anti-doxxing” provisions
“Doxxing” is gathering personal data of a specific targeted person and/or related persons (such as family members) through various means, e.g. public registers and discussion platforms, and disclosing this personal data on the Internet, social media or other open platforms (such as public places).
Following amendments to Hong Kong’s data privacy law (the Personal Data (Privacy) Ordinance (Cap. 486)) in October 2021, which introduced “anti-doxxing” provisions, we have seen regular enforcement in this area by the Privacy Commissioner for Personal Data (“Commissioner”).
The first conviction and sentencing case under the new anti-doxxing regime occurred in 2022. On 6 October 2022, the Shatin Magistrates’ Court convicted an individual of seven charges of the doxxing offence and sentenced them to eight months’ imprisonment. The facts of the case are that the defendant and the victim had a relationship before parting ways. Subsequently, the defendant disclosed the personal data of the victim on four different social media platforms without her consent, including her name, photos, residential address, private and office telephone numbers, name of her employer and her position. The defendant had also impersonated the victim on social media platforms, welcoming others to visit her at her residential address.
In early 2023, the Commissioner arrested a suspect for disclosing the personal data of another person without their consent. The investigation revealed that the victim and the arrested person were former colleagues in a school whose relationship turned sour due to differences at work. Subsequently, posters were displayed near the school on two occasions disclosing copies of the victim’s Hong Kong Identity Card as well as negative remarks about the person.
These cases show proactive enforcement and prosecution of the anti-doxxing offences by the Commissioner, and we expect this trend to continue through 2023.
International data transfers have been a hot topic in recent years across the EU, including in Hungary.
In addition, we have summarised below the issues the Hungarian Data Protection Authority (“NAIH”) has focused on in recent enforcement action in Hungary:
- The NAIH imposed the highest fine to date in late 2021, with the resolution being published in 2022. The amount of the fine was HUF 250,000,000 and it was imposed on a bank in relation to the bank’s unlawful data processing regarding the recording of customer service calls. The bank recorded such calls automatically and analysed the audio recordings using artificial intelligence. The bank used the results of this analysis to decide which customers to call back. In addition, during this analysis the bank assessed the data subjects’ emotional state.
- The NAIH imposed a fine of HUF 80,000,000 on a company in the life sciences sector in relation to the company’s processing of personal data for “market research”. The company (i) processed the personal data for direct marketing purposes; (ii) indicated the data subjects’ consent as the legal basis of such data processing, but in practice it collected the personal data from a public registry without the data subjects’ consent; and (iii) did not provide the data subjects with clear and fair information about its data processing.
- The NAIH imposed a fine of HUF 30,000,000 on a bank, because the bank: (i) did not properly justify the existence of a legitimate interest indicated as the legal basis for retaining personal data obtained during preliminary credit assessments; (ii) did not comply with the GDPR in its legitimate interest balancing test because such test included incorrect conclusions; and (iii) did not notify the data subjects about its data processing properly.
- The NAIH imposed a fine of HUF 30,000,000 on a controller in relation to a company’s direct marketing activities. The company (i) did not enable the data subjects to choose the communication channels through which they would wish to subscribe to direct marketing messages (e.g. only by post, only by phone, only by email, or by all of such channels), and whether, in the course of online orders, they would consent to receive targeted advertisements, related to the controller, on certain social media platforms; and (ii) did not notify the data subjects properly about all the purposes of its data processing operations and, consequently, did not obtain valid consents. The NAIH highlighted that in cases of large-scale and regular data transfers, the controller must make it clear to the data subjects that their personal data is transferred to another country, even if the destination country is a member state of the European Union.
- The Court of Justice of the European Union, in relation to a request for a preliminary ruling submitted in connection with the judicial proceedings between a Hungarian telecommunications company and the NAIH, held that: (i) it is not contrary to the principle of purpose limitation if the controller stores personal data, previously stored in another database, in a database created for the purpose of conducting tests and correcting errors, provided that such further processing is compatible with the purposes for which the personal data was originally collected; however, (ii) it is contrary to the principle of storage limitation if the controller stores personal data, previously collected for other purposes, in a database for the purpose of conducting tests and correcting errors for a time period that is longer than the time period necessary for conducting such tests and correcting such errors.
We expect that in 2023 the NAIH’s investigations will continue to focus on data breaches, infringement of data subject rights, determination and documentation of the legal basis for processing (e.g. legitimate interest balancing tests), CCTV and voice recordings, telework and the processing of minors’ personal data.
(Provided by JSA Law: Sajai Setlur, Sajai Singh and Probi Roy Chowdhury)
In November 2022, the Ministry of Electronics and Information Technology of India introduced a draft of the Digital Personal Data Protection Bill 2022 (“DPDP Bill”) and called for public comment. The DPDP Bill comes after its predecessor, the Personal Data Protection Bill 2021 (“2021 Bill”), which was withdrawn by the government in August 2022 following pushback from stakeholders and multiple changes recommended by a joint parliamentary committee set up to review the bill.
The DPDP Bill has been built on the principles of: (a) fair and lawful use, (b) purpose limitation, (c) data minimisation, (d) accuracy, (e) storage limitation, (f) reasonable safeguards, and (g) accountability. It provides for the way personal data may be collected, stored, processed and transferred. It introduces concepts such as a Data Fiduciary (similar to a data controller), Data Principal (similar to a data subject) and data processor, and also sets out the rights and obligations of these parties with respect to personal data. Crucially, the DPDP Bill provides certain restrictions on the transfer of personal data outside of India. It also proposes to introduce significant monetary penalties for material contraventions.
While there is no definitive timeline for when the DPDP Bill will come into effect, it is expected that it will come into effect by the end of 2023. We have summarised some of the key provisions of the DPDP Bill below:
- No Implementation Period: The DPDP Bill does not contain an implementation period, it simply states that its provisions will come into effect on the date(s) appointed by the government. The 2021 Bill provided an 18-month implementation period and stakeholders had hoped that this would be reintroduced in the current draft of the DPDP Bill.
- Covers all digital ‘Personal Data’; No concept of “Sensitive” or “Critical” Personal Data: The DPDP Bill does not define “Sensitive” or “Critical” Personal Data or recognise any other sub-set of Personal Data. It merely defines “Personal Data” as “any data about an individual who is identifiable by or in relation to such data”. The DPDP Bill does not apply to offline Personal Data or non-automated processing of Personal Data.
- Excludes Non-Personal Data: The DPDP Bill does not define or seek to cover “non-personal data” or anonymised data.
- Territorial applicability: processing of digital Personal Data within India, where:
- Personal Data is collected online; or
- Personal Data is collected offline and then digitised.
The DPDP Bill now contains an exemption for the processing of Personal Data belonging to foreign Data Principals (i.e. data subjects) by an Indian entity pursuant to a contract with a foreign person/entity. Such Indian entities are exempt from the requirements of the DPDP Bill that deal with consent (Chapter 2). This is a positive development that will benefit the Indian outsourcing/BPO industry which routinely processes data of foreign nationals.
- Extraterritorial applicability: processing of digital Personal Data outside India, if it is in connection with offering goods or services to Data Principals within India.
- Cross-Border Transfer of Data: The DPDP Bill does not expressly prohibit cross-border data transfers or prescribe any specific requirements (such as standard contractual clauses or prior government approval) for the transfer of Personal Data (or any subset of Personal Data) outside of India. Instead, it permits a Data Fiduciary (i.e. a data controller) to transfer Personal Data outside of India to such countries as may be notified by the Central Government (i.e. trusted jurisdictions).
- No Criminal Liability: The DPDP Bill only prescribes monetary penalties (under Schedule I) for breaches and non-compliances that the Data Protection Board determines to be “significant”. The DPDP Bill does not include criminal liabilities, or penalties that are directly linked to the turnover or revenue of the Data Fiduciary that violates the law.
- Processing of Children’s Data Simplified: Provisions relating to the processing of Children’s Personal Data have been considerably simplified from the 2021 Bill. Data Fiduciaries that process Children’s Personal Data are still required to obtain consent from the parents/guardians. However, the following requirements/provisions from the 2021 Bill have been removed:
- The need to verify the age of the child; and
- The automatic classification of such Data Fiduciary as a “Significant Data Fiduciary”.
However, the DPDP Bill retains the age threshold for “Children” at 18 years. Many companies had hoped that the age threshold would be lowered to 13 years.
- Data Protection Board of India: A Data Protection Board of India (“Board”) is proposed to be set up by the Central Government to enforce the provisions of the law and impose penalties on entities that violate the law. The Board would be empowered to direct Data Fiduciaries to adopt urgent measures to respond to Personal Data breaches. Any appeal against an order of the Board would lie before the jurisdictional High Court.
- Significant Data Fiduciaries (SDFs): The DPDP Bill retains the concept of SDFs and allows the government to notify a SDF based on, among other things, the volume and sensitivity of Personal Data processed by it, risk of harm to Data Principals, potential national impact and impact on public order. Certain additional requirements continue to apply to SDFs, including:
- The requirement to appoint: (i) a Data Protection Officer as the representative/point of contact for grievances; and (ii) an independent data auditor to evaluate compliance; and
- The obligation to undertake Data Protection Impact Assessments (DPIA) and periodic audits.
- Notice and Consent Requirements: The DPDP Bill contains significantly less onerous notice requirements as compared to the 2021 Bill. The DPDP Bill requires Data Fiduciaries to obtain consent from Data Principals, prior to processing of their Personal Data, through an itemised notice containing a description of the Personal Data being collected and purpose of processing. The request for consent must be in clear and plain language and made available in the 22 languages listed in the 8th Schedule of the Constitution of India. Notably, the DPDP Bill does not discuss unbundled consents or any requirement for specific consent for individual processing activities.
- Introduction of “Deemed Consent”: The DPDP Bill introduces the concept of “deemed consent”, which enables the processing of Personal Data without explicit consent where it is “reasonably expected that the Data Principal would provide such Personal Data”. This is a departure from the position under previous iterations of the DPDP Bill, and would likely simplify the consent collection process for businesses.
- Clarity on Consent Managers: The DPDP Bill provides further clarity on the role of “Consent Managers”. It clarifies that Consent Managers will be interoperable platforms registered with the Board. These platforms will enable individuals to manage, review and withdraw consents provided across Data Fiduciaries and platforms.
- No Right to Portability: While the DPDP Bill continues to grant Data Principals rights in relation to their Personal Data, such as the right of correction, right of erasure and right to be forgotten, it does not grant the right to data portability which was proposed under previous iterations of the DPDP Bill.
In 2022 a memorandum of understanding was put in place between the Italian DPA (the “Garante”) and the Italian Cybersecurity Agency. The aim was to facilitate interaction between the two authorities, to share information on data breaches/cybersecurity incidents and to foster the adoption of good cybersecurity practices in the public and private sectors, while also leveraging collaboration with universities and researchers.
In December 2022, the Garante launched an awareness campaign (“Finally, a bit of privacy”) aimed at providing good practices and guidelines to individuals on how to protect privacy in their everyday life as well as a set of suggestions for a privacy-safe Christmas, named “Christmas in privacy”.
The Garante has confirmed its focus on enforcement of marketing and profiling activities. The main issues the Garante has identified have been the lack of transparency in privacy notices, the lack of consent as the legal basis for such activities and failure to comply with the accountability principle.
The Garante also focused on the use of marketing lists from vendors and the need to perform accurate due diligence on the lawfulness of the lists and the management of customer lists.
The Garante is also interested in Covid-19 related initiatives and the HR sector. For example, the conditions for the lawful use of biometric data such as fingerprints in an employment context and the requirements and guarantees required in the context of investigations involving employees’ corporate email accounts.
The online/digital environment at large has been scrutinised, together with the banking sector (especially for the legitimate sharing of bank clients’ data with third parties) and the health sector. Recently, the Garante expressed a positive opinion on a consent-by-step solution in clinical trials under certain circumstances. The Garante has also been following up on data breaches over the past year.
The Garante has also intervened in legislative developments in a consumer context, welcoming the new framework to protect consumer rights and emphasising the deep interaction with GDPR provisions. In terms of data monetization, the Garante takes the view that personal data ‘commoditization’ should be considered in more detail and subjected to specific rules to avoid degradation of personal data, which is a fundamental right of citizens. The Garante has proposed closer cooperation with the consumer authority, for example, with a mechanism allowing one authority to intervene in the other’s proceedings, requiring the Garante to set specific rules and standards for the processing of data in certain situations, etc.
Finally, in relation to participation with the EDPB and on European initiatives on data protection, the Garante confirmed its commitment, by joining, for example, the joint European initiative aimed at investigating the use of cloud solutions in the public sector.
The amended Act on the Protection of Personal Information (“APPI 2022”) took effect on 1 April 2022. The amendments introduced significant reforms that have an impact on a company’s privacy practices and business operations. Key changes to the APPI 2022 include:
- tougher statutory penalties;
- enhanced rights for data subjects;
- mandatory data breach notification requirements;
- a new concept of “pseudonymised information”;
- new restrictions on data transfers to third parties (“personally referable information”); and
- stricter limitations on international data transfers.
The changes to statutory penalties, the shift to the mandatory data breach notification and the new obligations regarding international data transfers are having the greatest impact on businesses.
If an individual violates an administrative order issued by the Japanese DPA, this is now punishable by imprisonment with labour for not more than one year or a fine of not more than JPY 1 million (approximately USD 7,800). This is an increase from the previous penalties of imprisonment with labour for not more than six months or a fine of not more than JPY 300,000 (approximately USD 2,300).
Submission of a false report to the DPA during an investigation is now punishable with a fine of not more than JPY 500,000 (approximately USD 3,900), an increase from a fine of not more than JPY 300,000 (approximately USD 2,800).
Entities which engage in the wrongful provision or utilisation of a personal information database, or which violate an order issued by the Personal Information Protection Commission (the Japanese DPA), may be fined up to JPY 100 million. This is the maximum financial penalty that may be imposed on a business for these violations, and it was increased to JPY 100 million under the APPI 2022.
To date, the DPA in Japan has never imposed a monetary penalty on any business. This is because, for violations of an administrative order, fines may only be imposed when a company does not remedy the situation despite the authority’s repeated enforcement actions. However, in general the risk level of enforcement was heightened by the introduction of tougher statutory penalties.
Mandatory Data Breach Notification
Until the APPI 2022 came into force last year, Japanese privacy law only imposed a duty to make an effort to notify data subjects of a data breach. However, under the APPI 2022, a business must notify the Japanese DPA and data subjects of certain data breaches (“Notifiable Data Breaches”), unless sophisticated encryption or other measures necessary to protect the rights and interests of the data subjects have been taken in accordance with the APPI 2022 and relevant regulations. Under the APPI 2022 and relevant regulations, Notifiable Data Breaches are defined as:
- Breach of personal data containing sensitive data (e.g. loss of a USB memory stick containing patients’ medical data);
- Breach of personal data which may cause financial damage if unlawfully used (e.g. leakage of personal data including credit card data from an e-commerce (EC) website);
- Breach of personal data committed with a wrongful purpose (e.g. leakage of personal data caused by unauthorised access to the network, inability to restore personal data encrypted by ransomware, unauthorised disclosure of customers’ personal data by an employee); or
- Breach of personal data of more than 1,000 data subjects.
A business must report the Notifiable Data Breach to the Japanese DPA immediately (usually within three to five days, according to the Guidelines on the APPI (“Guidelines”)), followed by a more detailed report within 30 days of becoming aware of the breach (or within 60 days for the third category above, i.e. breaches committed with a wrongful purpose).
In addition, a business must “promptly” notify the Notifiable Data Breach to the data subjects unless it is difficult to notify the data subjects and the business has taken alternative measures necessary to protect the data subjects’ rights and interests. The APPI 2022 does not provide for any specific timeframe for notifying the data subjects.
A half-yearly report issued by the Japanese DPA stated that there were 1,587 data breach notifications during the period 1 April 2022 to 30 September 2022. As the timeline for the first data breach report is tight, companies should prepare a data breach response plan in advance. The plan should cover how the data breach response team is set up, the roles and responsibilities of its members, which external advisors should be involved and what should be prioritised when a data breach incident occurs.
International Data Transfers
Transfers of personal data to third parties located outside Japan require the data subject’s consent, unless one of the exceptions that already applied before the APPI 2022 amendments took effect last year is available. In addition to the existing restriction, the APPI 2022 imposes new requirements for such data transfers to provide a higher level of protection to data subjects.
When international data transfers are made based on consent, a transferor needs to provide the following information to the data subjects when obtaining their consent through, for example, a privacy notice:
- the name of the country to which personal data is transferred;
- the data protection regime of the country where the data recipient is located; and
- security measures that the data recipient takes to protect personal information.
However, due to the difficulty in meeting this new information disclosure requirement under the APPI 2022, many companies tend to rely on justifications other than consent for international data transfers. The justification most companies now rely on is having in place a data transfer/processing agreement or a company rule (this is only for data transfers within group companies) that provides obligations equivalent to those provided under the APPI 2022. Where a business legitimises cross-border data transfers based on this agreement or company rule exception, the business must take the necessary measures to ensure compliance with the data protection framework under the APPI 2022 and must provide information relating to such measures to the data subjects upon their request.
When a company enters into an agreement or adopts a company rule to enable international data transfers, such agreements or company rules should be reviewed to confirm they satisfy the requirements under the APPI 2022. In addition, a company needs to be prepared to respond to a data subject’s request for providing information on the international data transfer mechanisms it adopts.
The Mexican Data Protection Regulator (“INAI”) was active in 2022:
- Publishing guidance and recommendations; and
- Carrying out investigations and imposing fines on individuals or organisations whose processing activities were not in line with The Federal Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (“LFPDPPP”). (See “Enforcement” below).
Guidance and Recommendations
In 2022, the INAI published guidance and recommendations, including:
- Recommendations “Extreme caution with online games and devices connected to the internet used by minors”. These recommendations provide measures to prevent minors from being exposed to misuse or danger while using online games;
- Guidance “Access to information, protection of privacy and of data and use of technologies”. This guide, developed by the Human Rights Commission, Gender Equity and Social Inclusion (CDHEGIS), of the National Transparency System (SNT), is an instrument to educate and connect older adults on the use of information technologies;
- Recommendations “To prevent data theft in public spaces”. These recommendations provide measures to prevent the practice known as “shoulder surfing” (the attacker seeks to obtain information of one or more persons while they are on their mobile devices);
- Recommendations “To protect personal information in the event of a cracking or cyberattack”. These are a series of recommendations that people should follow in the event of a cracking or cyber-attack, whether on public or private entities, with the aim of protecting personal information; and
- Recommendations “To exercise extreme caution when making purchases online”. These recommendations focus on the precautions individuals can take to avoid becoming a victim of cybercrime when carrying out an online transaction.
In 2022, the INAI imposed fines on individuals and/or legal entities that infringed the LFPDPPP, for a total of USD 3,179,96.37. According to the INAI’s records, the sectors that were most sanctioned in 2022 were those providing “general services”, with a total amount of USD 1,226,333.31; “mass media”, with USD 81,780.92; “financial services” and “insurance”, with USD 756,835.55; and “business support services” and “management, waste, and remediation services”, with USD 121,962.21.
The most frequent activities that were grounds for sanctions included:
- the processing of personal information against the principles of the LFPDPPP;
- the collecting or transferring of personal information without express consent; and
- failure to provide any of the minimum mandatory information required in the privacy notice.
The INAI began 119 proceedings for the Imposition of Sanctions in 2022 and 78 were concluded. In addition, the INAI received 249 Rights Protection Proceedings of which 144 were related to the right of access, five for rectification, 102 for cancellation and 35 more for opposition to data processing.
The sectors with the majority of failures to comply with such rights were: a) mass media, with 19.6 %; b) financial services, with 16.8 %, and c) health and social services, with 13.2%.
The INAI’s statistics reveal that, from January to December 2022, there have been:
- 68,000 complaints for the improper use of personal data in the private sector and 101,000 in the public sector;
- of the total number of complaints in the private sector, 167 are in process and 901 have already been concluded; and
- 14 cases are still being investigated and 87 have already been attended.
A lookback on 2022: enforcement action and civil claims
In 2022, the Dutch DPA published a total of four penalty decisions for GDPR violations. Though not all enforcement decisions may be public (yet), it seems that the Dutch DPA issued a lower number of fines in 2022 as compared to the year before. The total number of enforcement decisions will become known once the Dutch DPA publishes its annual report for 2022.
Although the number of penalty decisions may have slightly decreased, the Dutch DPA has broken its previous record for the highest penalty by imposing a fine of EUR 3.7 million on the Dutch Tax Authority (DTA). This record-breaking fine is a cumulation of six fines for six GDPR violations associated with an unlawful fraud blacklisting tool the DTA maintained. The fines were imposed in line with the Dutch DPA’s penalty guidelines.
Also, amongst the published penalty decisions is a fine imposed against a Dutch media company for requesting copies of data subject IDs for handling data subject rights requests. According to the Dutch DPA, this constitutes excessive data processing. In the DPA’s view, companies dealing with data subject rights requests should use less privacy-intrusive means to verify data subjects’ identities, such as multi-factor authentication tools. This violation led to a fine of EUR 525,000.
Besides enforcement action, GDPR violations increasingly lead to civil claims, including class actions. Currently, a number of class actions with mass damage claims are pending against (tech) companies and the Dutch government. Although in individual cases damages awarded for privacy law violations are typically in the region of EUR 500 to EUR 2,500, in collective actions this results in mass claims going up to billions of Euros. The cases initiated to date have not yet been decided on the merits, and it remains to be seen how these claims will be handled by Dutch courts.
Looking ahead to 2023: legitimate interest and AI & algorithms
In 2022, the European Commission expressed criticism of the Dutch DPA’s strict interpretation of the legitimate interest legal basis. The Dutch DPA has been taking the position that a purely commercial interest cannot serve as a legitimate interest under the GDPR and has taken enforcement action against companies relying on ‘legitimate commercial interests’. This led to a Dutch court referring the question to the Court of Justice of the European Union, and while the preliminary questions are currently pending, to date the Dutch DPA maintains its position. We look forward to the Court of Justice providing clarity on this issue.
Another hot topic is the use of algorithms and AI. Since 2020 the Dutch DPA’s supervisory focus has been on ‘data protection in a digital society’, with AI and algorithms being key topics. In January 2023, the responsible Ministries and the Dutch DPA officially announced the kick-off of a new task force designated to coordinate and intensify supervision of the use of algorithms and AI across sectors. The task force will give a boost to this focus area by gathering and exchanging knowledge, strengthening cooperation between supervisory authorities and developing legal frameworks and guidance.
The Peruvian Data Protection Authority (‘PDPA’) has been fairly active in 2022, and has conducted important actions aimed at ensuring the protection of personal data, including:
- Issuing 173 resolutions aimed at safeguarding data subjects’ rights of access, rectification, cancellation and/or opposition;
- Supervising 317 public and private entities, most of them acting in the financial and telecommunications sectors; and
- Imposing more than USD 2 million in fines.
In 2023, the PDPA plans to work on potential modifications to the Regulations of the Personal Data Protection Law, and to develop guidelines for data controllers on appropriate use of personal information.
Guidance and Advisory Opinions
In 2022, the PDPA issued over 20 publications establishing criteria and recommendations on the interpretation and application of the Personal Data Protection Law and its Regulations, the most relevant being:
Guide for International Transfer of Personal Data
Under the Personal Data Protection Law, international transfers of personal data can only be carried out when a sufficient level of protection of personal data is guaranteed in the recipient country. The Guide provides approved model contractual clauses so that local entities interested in sending personal data, whose processing is its responsibility, to an entity domiciled abroad can comply with the data transfer rules under the Personal Data Protection Law.
Opinion on satisfaction surveys and processing of personal data (Opinion No. 040-2022)
The PDPA concluded there is no need to obtain consent for sending invitations to participate in satisfaction surveys provided the purpose is limited to the evaluation of the quality of services provided.
Opinion on the collection of data from employees of a legal entity that provides goods or services (Opinion No. 046-2022)
The PDPA concluded that the personal data of employees who perform customer service activities, whether they are directly hired or outsourced, should be considered as contact data of the legal entity, and therefore out of the scope of the Personal Data Protection Law. However, data that does not serve for contacting the legal entity would be protected under the Personal Data Protection Law.
In 2022, the PDPA concluded more than 130 administrative sanctioning procedures, the most relevant being the following:
- ESSALUD, Social Health Insurance (a governmental entity), was fined for: (i) publishing on its website and in its offices images of people without having validly obtained their consent, (ii) not having informed citizens about the capture of images by security cameras, and (iii) not having registered a personal data bank in the National Registry of Personal Data Banks. In relation to security measures, ESSALUD was also sanctioned for not having properly protected environments for the physical storage of personal data.
- A cab company was fined for processing – through its mobile application – personal data owned by drivers and passengers for marketing purposes without having obtained their free and informed consent.
The Philippines’ National Privacy Commission (NPC) remained active in 2022. Some of its notable actions the past year include:
- Launching the Data Breach Notification Management System (DBNMS), a standardised, automated system which is mandated to be used by personal information controllers (PIC or Data Controllers) in their breach notifications and annual security incident reports (ASIRs);
- Releasing a Circular on Administrative Fines for data privacy infractions;
- Releasing and amending circulars, bulletins and guidelines on various subjects, such as lawful processing of personal and/or sensitive personal information (SPI) based on consent, contract and/or legitimate interests, processing of personal data for loan-related transactions, processing of household vaccination information, the registration of DPOs, and updates as to the requirement for registration of data processing systems (DPS);
- Conducting on-site visits and privacy sweeps, starting March 2022; and
- Commenting on various issues involving data privacy, such as social media and TV, responsibilities of public officers in their statements of assets, liabilities and net worth (SALN), unsolicited text messages and smishing messages, the SIM Card Registration Bill (now a law), and inquiring about various data breaches that occurred throughout the year.
However, the NPC continued to postpone the launch date of the eRehistro site, the NPC’s online platform for DPS registration. As such, the registration obligation remains suspended.
Another notable development that occurred in January 2022 was the Court of Appeal’s decision in the Pieceland Case, upholding the NPC’s ruling and recommendation to prosecute violators for the unauthorised processing of SPI. The Pieceland Case involved the complaint of a religious organisation against a building lessor that required church members to produce personal data which was disproportionate to the aim the building lessor sought to achieve. The data subjects were required to submit passports, government issued IDs and colored pictures under the guise of building security. The decision serves as a warning to all data controllers in the Philippines to take their obligations and responsibilities under data protection legislation seriously.
The NPC was very busy and proactive last year. It is expected that the NPC will continue this trend in 2023.
Changes in the law
The biggest recent development in Polish data protection relates to employment law, namely, the Polish Labour Code, which provides new, separate rules that enable employers to run sobriety tests or tests for use of illegal substances by employees. There are a set of rules enabling employers to legally process data gathered without the consent of the data subject but by virtue of the law, including the right to process health data that might link with such inspections, e.g. employees’ explanations regarding their behaviour or test results.
In addition, the amendment to the Labour Code (dealing with remote work regulations) requires employers to separately regulate personal data processing inspections for such work.
These rules are at the final stage of the parliamentary procedure.
Activity of the DPA
The Polish DPA (Prezes Urzędu Ochrony Danych Osobowych – “PUODO”) was very busy in 2022, making up for lost time from the pandemic. The PUODO’s focus continues to be on data breach reporting.
On 3 November 2022, the PUODO imposed a fine of approximately EUR 55,000 (PLN 250,000) on a telecom provider (ECS) for the late identification of a data breach. The case is an example of the very strict approach of PUODO on this issue. The telecom provider sent documents to the email address given by the data subject when signing the service agreement, which is more or less an automatic process when signing the documents. The data subject subsequently informed the telecom provider that the provided email address was incorrect and it should be removed as a way of contact. The email address originally provided was being used by another person, who informed PUODO of the matter. The telecom provider (explaining the matter to the authority) claimed that no data breach had occurred, since the email address was given by the data subject and the company had no means to verify it. Despite that explanation, PUODO fined the company, on the basis that from the moment the company was informed about the incorrect email address, it should have been aware that a data breach had occurred and it was the company’s responsibility to report it.
While the duties on the telecom provider were derived from the specific Polish Telecommunications Law (which slightly modifies the GDPR), the rationale regarding identification of a data breach is likely to be applied generally to all GDPR cases. This means that a mistake by the data subject when providing their email address (or other contact details) which results in a message being sent to the wrong recipient can in practice lead to liability on the part of the data controller.
Unlike previous years, the PUODO has not yet issued its inspection plans for 2023.
The Qatar Financial Centre (“QFC”) issued new data protection regulations and rules, which came into effect on 21 May 2022. The regulations, known as the 2021 Regulations, and the rules, known as the 2021 Rules, were introduced following a revision of the 2005 Data Protection Regulations and the 2005 Data Protection Rules and a public consultation that ended in September 2021. The new regulations and rules aim to clarify and update the existing regime, including by establishing a new Data Protection Office led by a Data Protection Commissioner, introducing data processing principles such as purpose specification and data minimisation, and introducing new rights for data subjects. The rules also introduce additional transparency obligations for controllers, that they will owe to data subjects.
Saudi Arabia and UAE
In 2021, the legislature in the UAE and Saudi Arabia passed their first omnibus personal data protection laws. These were landmark developments that signposted the growing maturity of both jurisdictions. However, the implementation of the laws has been delayed while we await the publication of the associated implementing regulations. In the UAE, the implementing regulations were intended to be issued within six months of the date of issuance of the UAE Federal Decree-Law No. 45 of 2021 regarding Personal Data Protection, but at the date of writing, we are still awaiting their publication. We expect major developments in the UAE over the course of 2023, including potentially the introduction of further legal bases for the processing of personal data, guidance on the notification requirements for personal data breaches, as well as confirmation of the sanctions for breaches.
In Saudi Arabia, the Personal Data Protection Law promulgated by Royal Decree No. M/19, dated 09/02/1443H (“Saudi PDPL”), was originally intended to come into effect on 23 March 2022, but its entry into force has been postponed until 17 March 2023. An initial draft of the implementing regulations was published for consultation in March 2022 but was promptly withdrawn by the National Data Management Office in light of the early feedback and its assured and welcome acceptance that the proposed requirements required a more involved and thorough review. The Saudi Data and Artificial Intelligence Authority (“SDAIA”) launched a public consultation on proposed amendments to the Saudi PDPL, which closed on 20 December 2022. These proposed amendments seek to address various critical issues, including the regulation of cross-border personal data transfers, the appropriate legal bases for processing personal data, the right of data subjects to port their data and clarification of the statutory thresholds that will trigger key obligations, such as notification of personal data breaches.
DIFC and ADGM
On 8 March 2022, the Dubai International Financial Centre (“DIFC”) Authority enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022, which includes amendments to several DIFC laws, including the DIFC Data Protection Law No. 5 of 2020 (the “DIFC Data Protection Law”). The amendments aim to align the DIFC’s regulatory framework with international best practices and reflect the DIFC’s commitment to leading the way regarding privacy legislation in the region. The changes include clarifying the process for individuals to seek judicial redress, increasing accountability for controllers and processors when handling requests for data access, granting more authority to the Commissioner of Data Protection (the competent data regulator in the DIFC), clarifying the rules of interpretation for the DIFC Data Protection Law, and introducing a USD 75,000 penalty that can be levied where an entity fails to comply with the Commissioner’s direction.
The DIFC’s Commissioner of Data Protection also released two guidance documents on 8 July 2022: one on controller/processor obligations and agreements (the “Controller/Processor Guidance”) and one on retention and storage of personal data (the “Retention Guidance”). The Controller/Processor Guidance is intended to help controllers and processors comply with their obligations and contractual requirements under the DIFC Data Protection Law and its regulations. It covers topics such as contractual requirements between controllers and processors, controllers’ liability when working with processors, and processors’ autonomy and responsibilities. The Retention Guidance aims to assist organisations in properly managing data and in complying with the data minimisation and security requirements under the Data Protection Law and its regulations, and covers topics such as documentation of data, data security, quality assurance, data retention and destruction, and mobile devices, remote working and removable media.
The Abu Dhabi Global Market’s (“ADGM”) Data Protection Regulations 2021, which were enacted on 14 February 2021 and replaced the Data Protection Regulations 2015, have now taken effect for establishments after a 12-month transition period, which expired on 14 February 2022. We expect to see the ADGM Commissioner of Data Protection make an increased number of enquiries regarding the data protection compliance status of ADGM businesses. These enquiries are most likely to be prompted by anomalies in the mandatory data processing filings, a statement that the entity is not processing personal data (which the ADGM Commissioner of Data Protection views as highly unlikely), or indeed the failure to file a notification in the first place.
Both of the UAE’s financial free zones had a successful year in 2022 in terms of their international cooperation in furtherance of their strategic aims in the field of data protection. On 4 February 2022, the DIFC Authority adopted adequacy decisions to recognise Singapore, the Republic of Korea, and parties who have signed up to the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“CBPR”) as adequate for the purpose of cross-border personal data transfers. These decisions established a closer working relationship between the DIFC Authority and the equivalent regulatory authorities in Singapore and South Korea and established the CBPR as an ethical and compliant data-sharing framework for transfers between Asia and the DIFC.
On 16 December 2022, the ADGM Registration Authority announced that it had hosted a delegation from the UK Government’s Department for Digital, Culture, Media, and Sport (“DCMS”). The announcement came following a series of collaborations between the DCMS and other regulators and privacy associations in the Middle East region. The ADGM Registration Authority Chairman and the UK Minister of State for Media, Data and Digital Infrastructure expressed an eagerness to strengthen their partnership and to collaborate on promoting trusted and secure data flows between the two jurisdictions in the future.
We expect this to be a year of refinement following the major amendments to the Personal Data Protection Act (“PDPA”) a couple of years ago. We have seen a marked increase in data breach incidents in the past year, and this trend is likely to continue. In response, we expect the Personal Data Protection Commission (PDPC) will utilise more tools in its case management arsenal, including voluntary undertakings and warnings where warranted. We are also waiting to see the impact of the increase in maximum financial penalties (i.e. up to 10% of an organisation’s annual gross turnover in Singapore) on the quantum of fines issued by the PDPC this year. This may have an impact on how organisations think about and handle data breaches and investigations with the PDPC.
Last year the PDPC released guidelines on biometrics in security applications and guidelines on data protection in relation to blockchain technologies, and put Privacy Enhancing Technologies (PETs) in focus during IAPP Asia 2022. We anticipate that the PDPC will continue to tackle emerging technology topics in privacy this year. We may see more Data Economy Agreements signed in the near future. Such agreements are expected to address alignment of digital rules and standards to facilitate interoperability between jurisdictions and to support cross-border data flows. Existing arrangements have been concluded between Singapore and Chile, New Zealand, Australia, the United Kingdom and Korea.
Throughout 2022, the Spanish DPA (AEPD) has continued to be one of the most active authorities in the European Union. In addition to imposing sanctions for breaches of the regulations, some of which culminated in investigation processes that lasted several months, the AEPD has published legal reports that have clarified, among other issues, requirements associated with data protection officers, their preparation and appointment, the limits of information sharing in the context of health surveillance or video surveillance and the requirements for prior information to data subjects. In addition to these publications, the AEPD has published guides, including the “Guide for healthcare professionals”, tools to help data controllers (e.g. for the assessment of the impact of personal data breaches) and has approved the first sectoral code of conduct since the entry into force of the GDPR.
Some of the sectors or matters which the AEPD frequently focuses on due to their impact on data subjects are advertising, telecommunications, financial institutions, debtors’ files, fraudulent contracting and labour matters. We anticipate that this trend will continue along with the focus on international data transfers.
The primary data privacy and security regulating authorities are the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) and the Swedish Post and Telecom Authority (Sw. Post- och telestyrelsen), the former being the national DPA responsible for national regulation of the GDPR, while the latter is the national authority responsible for regulating the Electronic Communications sector.
Enforcement Action: Transparency
During 2022, the Swedish Authority for Privacy Protection issued a decision including an administrative fine of approximately EUR 720,000 on a fintech company for its failure to adequately provide information to its customers for one of its financial services. In its decision, the Swedish Authority for Privacy Protection stated that the company had not sufficiently informed users of the particular financial service in relation to the purposes and legal bases for its processing of personal data in providing the service. Therefore, the Authority concluded that the company had processed the relevant personal data in breach of Articles 5(1)(a), 5(2), 12(1) and 13(1) of the GDPR.
The Swedish Authority for Privacy Protection therefore concluded the company had not processed the relevant personal data in accordance with the principles of lawfulness, fairness and transparency, nor the principle of purpose limitation. In addition, the company had not provided the relevant information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Furthermore, the Swedish Authority for Privacy Protection considered the information provided by the company was incomplete and misleading in relation to the recipients of the collected personal data, the third country destinations to which the personal data was transferred and how data subjects could obtain further information on the safeguards that were applied for third country transfers. The Swedish Authority for Privacy Protection’s decision clearly illustrates the importance of providing granular, transparent, and sufficiently detailed information in a privacy notice, as well as how the transparency requirements under the GDPR should be construed when drafting a privacy notice.
The Swedish Post and Telecom Authority investigates cookie transparency
The Swedish Post and Telecom Authority, whose remit includes supervision of the Swedish Electronic Communications Act, is, as of the time of writing, undertaking a larger investigation on cookie transparency. The investigation will initially focus on a number of organisations in the financial and telecom industry, as well as two governmental agencies whose websites are visited by large numbers of members of the public. The Swedish Post and Telecom Authority has stated that the selection reflects the number of users who need to visit these websites. In addition, such websites may be difficult to avoid, as many individuals have to visit a bank or their telecom provider, or come into contact with a government agency.
However, the Swedish Post and Telecom Authority has highlighted that the relevant set of rules applies to every relevant website regardless of the number of users. The Swedish Post and Telecom Authority is planning to carry out additional supervisory investigations in relation to other website providers.
Trends
The key takeaway is that transparency is increasingly important and key in order to demonstrate compliance with data privacy laws, e.g. the GDPR and the Swedish Electronic Communications Act. Looking forward, the Swedish Authority for Privacy Protection has, in its strategic plan for 2022-2025, stated that it will embark on an educational voyage, focusing on data subjects’ awareness of their rights under the GDPR. At the same time, this will entail increased supervisory activities primarily based on individual complaints. In addition, regulatory activity is certainly increasing, with the Swedish Authority for Privacy Protection having received a substantial budgetary increase for 2023-2025.
Entering into force of the revised Federal Act on Data Protection and the revised Data Protection Ordinance
On 31 August 2022, the Swiss Federal Council adopted the revised Data Protection Ordinance (“revDPO”) and announced that the revised Federal Act on Data Protection (“revFADP”) and the revDPO will enter into force on 1 September 2023.
The revFADP introduces significant changes compared to the current FADP and is a “GDPR-like” piece of legislation. The changes mainly concern governance obligations and new, higher fines. However, certain “Swiss finishes” remain. The most important changes triggered by the revFADP are summarised below.
New governance obligations
Like the GDPR, the revFADP and the revDPO now include further governance obligations:
- Larger companies that act as controllers or processors (i.e. they have more than 250 employees) must keep a register of processing activities (comparable to the register of processing activities under the GDPR);
- The controller has a duty to report data security breaches to the Federal Data Protection and Information Commissioner, while processors have a duty to inform the controller;
- The controller has, under certain circumstances, an obligation to carry out data protection impact assessments;
- According to the revDPO (Article 4), the controller and processor have an obligation to keep specific records under certain circumstances;
- According to the revDPO (Article 5), the controller and processor have an obligation to provide a processing policy (Bearbeitungsreglement) under certain circumstances.
New provisions similar to the GDPR
- The revFADP now also explicitly provides for an extraterritorial scope;
- Foreign companies that process the personal data of data subjects in Switzerland on a large scale must provide a representative in Switzerland (Article 14 of the revFADP);
- Under the revFADP, a processor may only transfer personal data to a third party (subcontractor) with the prior consent of the controller. The revFADP clarifies that it is sufficient if the controller has a right to object;
- In addition, unlike under the current FADP, the data subjects must be informed of any data processing (general notification obligation), not only if sensitive data is being processed; and
- The revFADP no longer protects the data of legal persons but only the data of natural persons; in this respect, there is further alignment with the GDPR, which also only protects the data of natural persons.
Changes compared to the current FADP
- The safeguards to ensure an appropriate level of data protection where personal data is transferred to countries with a lower data protection level than Switzerland have been slightly amended;
- The rights of the data subjects are broader;
- The Federal Data Protection and Information Commissioner has extended powers under the revFADP; it can issue processing bans and other rulings and may also conduct investigations; and
- The professional duty of confidentiality contained in the FADP, which punishes anyone who intentionally discloses secret personal data that they became aware of in the course of their professional duties, has been extended.
“Swiss Finishes” — Differences to the GDPR:
- The basic principles of Swiss data protection will not change; even under the revFADP, the processing of personal data is generally permissible and does not require specific justification. Consent for the processing of personal data is still not required in most cases; and
- Penalty provisions have been adapted under the revFADP and the fines have been increased from CHF 10,000 under the current FADP to CHF 250,000. Under the GDPR, the maximum fine is EUR 20 million or, in the case of a company, up to 4% of its total annual worldwide turnover in the preceding business year, whichever is higher. Unlike under the GDPR, fines under the revFADP still target responsible employees and not companies.
The revFADP does not set out any meaningful transitional provisions, which means that any controller or processor to which the revFADP applies must, by 1 September 2023, be compliant with the revFADP and the revDPO.
Controllers and processors that are compliant with the GDPR are in a good position and will likely only need to make a few adjustments in order to meet the requirements of the revFADP. However, controllers or processors that previously only met the requirements of the current FADP are advised, in particular due to the new governance obligations and the new, higher fines, to promptly undertake a compliance exercise to ensure that they are able to comply with the new obligations.
The Taiwan Personal Data Protection Act remains unchanged, and has not been significantly amended since 2012. However, active discussions regarding amendments to the Taiwan Personal Data Protection Act will continue this year and the draft, which is expected to use the GDPR as reference, is likely to be released for public consultation in the next year or two.
While the rules are not considered up-to-date, the Taiwanese government is actively using various regulations to impose obligations on industries. The Taiwanese government has also been showing stronger interest in the audit of industries when data is suspected to be leaked. In addition, the sharing and transfer of personal data to China is a particular area of focus and the rules on data collected by Chinese companies or data transferred to China are expected to be tightened.
Following postponements by the Thai Government due to the COVID-19 pandemic, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) finally came into effect on 1 June 2022. The PDPA provides a set of comprehensive obligations regarding the collection, use, disclosure, and cross border transfer of personal data, as well as the rights of data subjects.
After the effective date of the PDPA, certain sub-regulations were issued by Thailand’s competent authority, the Personal Data Protection Committee (“PDPC”), which was established on 18 January 2022, and announced in the Royal Gazette. There are a number of sub-regulations that are still under consideration. Once all sub-regulations are issued, this should give more clarity on compliance with the PDPA and will aid organisations in effectively protecting the personal data they hold.
Throughout 2022, the PDPC officially published sub-regulations and recommendations, including but not limited to:
- Notification of the PDPC re: Exemption from Maintenance of Records Obligation of the Data Controller Which Is a Small Organization B.E. 2565 (2022);
- Notification of the PDPC re: Rules and Methods for Preparation and Maintenance of Records of Personal Data Processing Activities for the Data Processor B.E. 2565 (2022);
- Notification of the PDPC re: Security Measures of the Data Controller B.E. 2565 (2022);
- Notification of the PDPC re: Rules on Consideration for Issuance of Orders Imposing Administrative Fines by the Expert Committee B.E. 2565 (2022);
- Rules of the PDPC re: the Filing, Refusal of Acceptance, Dismissal, Consideration, and Timeframe for the Consideration of the Complaints B.E. 2565 (2022);
- Notification of the PDPC re: Rules and Methods of Personal Data Breach Notification B.E. 2565 (2022);
- Operational Guideline re: Obtaining Consent from Data Subjects under the PDPA; and
- Operational Guideline re: the Notification of the Purposes and Details of Collection of Personal Data from the Data Subjects under the PDPA.
In addition, public hearings continue to be held for the general public and any interested persons for the issuance of sub-regulations under the PDPA. The comments from the public hearing will be scrutinised before the new sub-regulations are officially published by the PDPC. There are several draft sub-regulations currently in the pipeline, most notably, draft sub-regulations on cross border transfers, data protection officer (DPO), data processing agreements, and exemptions for compliance with the PDPA.
In relation to enforcement, the PDPC has recently stated that it does not plan to impose actual punishment in the first year of implementation and will instead focus more on educating and providing clarification to the public in practice. The key focus will be issuing sub-regulations and setting up the Office of the PDPC first. However, after one year of implementation, the key focus will shift to balancing data protection for data subjects against the practices of organisations in complying with the PDPA and its sub-regulations. Punishment may not warrant the maximum fines prescribed under the PDPA, but it will depend on intent and be reviewed on a case-by-case basis, considering the level of damages and the number of offences that occurred.
To date, the PDPC continues to publish various infographics via its official resources to educate the public and create awareness regarding specific topics under the PDPA. In addition, the PDPC is open to the public for discussion and consultation on compliance with the PDPA and its sub-regulations. Since the effective date of the PDPA, there have been several data breach incidents in a number of industries, and breach notifications have been issued to the PDPC and data subjects. Now that the Thai PDPA has finally come into effect and a large number of sub-regulations have been issued, any organisation operating in Thailand, and any overseas-based organisation targeting Thai data subjects that is regulated under the PDPA, which has yet to implement the measures set out in the PDPA and its sub-regulations should do so promptly, and should raise awareness among its personnel so that they can competently deal with any data protection issues that may arise in future.
GDPR Compliance – Cross Border Data Transfers and Sensitive Data Processing
In 2021, the Turkish Ministry of Treasury and Finance published the Economy Reform Package, which contained action items relating to the amendments to the Turkish Data Protection Law No. 6698, in particular, provisions on cross-border data transfers, as part of legislative efforts to comply with the EU’s GDPR.
In 2022, the scientific committee working with the Ministry of Justice on the matter provided an update regarding the draft amendments. It is anticipated that the amendments will be aimed at harmonisation of the Turkish Data Protection Law with the GDPR. The legislative process will consist of two phases: (i) cross-border data transfer and sensitive data processing rules and (ii) the remaining provisions. While there is still no official draft available to the public, the final draft of the amendments is expected to be submitted to the Turkish Parliament in early 2023, and the first phase of the amendment could enter into force in the first half of 2023.
Cross-border data transfer rules and sensitive data processing activities have been hot topics since the Turkish Data Protection Law entered into force in 2016. The debates regarding this topic have mainly been due to the lack of effective legal mechanisms to allow related data processing and data transfers.
Guidelines on Data Protection in the Banking Sector
On 5 August 2022, the DPA published the Guidelines on Protection of Personal Data in the Banking Sector (“Banking Guidelines”). The Banking Guidelines include detailed explanations and examples of good practice in the evaluation of the status of banks as data processors and data controllers, the content of data processing agreements, legal grounds for data processing, processing of sensitive personal data and the obligations of banks as data controllers.
The Banking Guidelines also clarify the relationship between banking-specific confidentiality rules and the Turkish Data Protection Law, stating that banking regulations take precedence in relation to cross-border data transfers.
Draft Guidelines for Loyalty Programs
On 16 June 2022, the DPA opened the Draft Guidelines on the Processing of Personal Data in Loyalty Programs (“Draft Guidelines on Loyalty Programs”) for public consultation. The Draft Guidelines on Loyalty Programs define loyalty programs and provide detailed explanations and examples regarding the processing of personal data under loyalty programs.
The DPA gives explanations, in particular, on the legal grounds on which personal data can be processed within the scope of loyalty programs and makes important evaluations regarding data processing activities based on explicit consent.
The DPA celebrated its fifth year in 2022 and published a document explaining its compliance efforts throughout that time. The DPA announced that it issued a total of TRY 74.1 million (approximately USD 4 million) administrative fines, evaluated nearly 20,000 complaints/applications, and rendered 3,347 decisions as of November 2022.
Significant changes to the US privacy law landscape are expected to continue in 2023, with the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) both effective from 1 January 2023. On 1 July 2023, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) become effective, and the Utah Consumer Privacy Act (UCPA) becomes effective on 31 December 2023. The CPRA, which amends and strengthens the California Consumer Privacy Act (CCPA), is the most far-reaching of the new laws, as it includes business-to-business (B2B) and human resources (HR) data. We are also seeing interest at the state level in biometrics laws, similar to Illinois’ Biometric Information Privacy Act, and renewed interest at the federal level in a comprehensive federal privacy law, after the American Data Privacy and Protection Act gained traction in 2022.
There is also focus on US-Europe data transfers. As mentioned in our update here, on 13 December 2022, the European Commission (EC) announced a draft decision on the adequacy of the US data protection regime to protect the personal data of European Union (EU) residents, the EU-US Data Privacy Framework (DPF). We expect that the DPF will be finalised in 2023 and that US companies will quickly move toward certifying compliance with the DPF. Although we expect that certification to the DPF will be similar to its predecessor, the Privacy Shield, the specifics have not been finalised.
Federal regulators, including the Federal Trade Commission (FTC) and the Office of Civil Rights (OCR), have also increased scrutiny over the collection and storage of certain sensitive data. For example, the FTC continued its focus on the collection and sharing (or sale) of sensitive data, including geolocation data, by mobile applications in its enforcement action against Kochava in August 2022. OCR, the agency charged with enforcing the Health Insurance Portability and Accountability Act (HIPAA), has issued guidance regarding the use of tracking technologies on websites or mobile applications that are covered by HIPAA and collect protected health information (PHI). OCR has clarified that entities covered by HIPAA are not permitted to use tracking technologies in a manner that would result in an impermissible disclosure of PHI to other entities, including tracking technology vendors.
The US Securities and Exchange Commission (SEC) will likely also finalise rules in 2023 that compel corporate boards to disclose material cyber incidents to the SEC and investors within four business days. The SEC’s rules will also require public boards to disclose significant information on their security governance.
Overall, given the continuous development of US state privacy laws, and enforcement and scrutiny at the federal level, we expect 2023 to be an eventful year, with more companies focused on building and strengthening their privacy compliance programs.
Supreme Court of Venezuela establishes the main principles that regulate data privacy in Venezuela
On 4 August 2011, the Constitutional Chamber of the Supreme Court issued Decision N° 1318 (“Decision 1318”), which is the first court decision that discusses the principles contained in Article 28 of the Venezuelan Constitution. Pursuant to Decision 1318, the main principles that regulate data privacy in Venezuela are the following:
- The Autonomy of the Will Principle – Any person whose data is included in a database is entitled to be informed about: (i) the collection of his or her data; (ii) the entity responsible for his or her data; (iii) the purposes for which the data is gathered; and (iv) the manner by which he or she may exercise the right of self-determination. These are subject to the “prior, free, informed, unequivocal and revocable consent” by the party affected, in the event the organisation that is responsible for the data needs to disclose them.
- Legality Principle – The right to “information self-determination” can only be limited by means of rules having the force of law, provided this is justified by the public interest, and such rules must be interpreted restrictively. The Chamber makes it clear that the information gathered cannot be: (i) used for purposes that are contrary to the principles set out in the decision under analysis or to constitutional guarantees; or (ii) processed by illegal or unfair methods.
- Purpose and Quality Principle – Organisations that wish to compile Personal Data of individuals must do so in strict compliance with the constitutional and sectorial laws and regulations, and this must be done with a clear purpose, reason or cause. This principle is deemed to be essential in order for the individual’s consent to be valid. According to this principle, the gathering and use of Personal Data of individuals must follow the principle of good faith and proportionality, and only data that is adequate, pertinent and not excessive for the purpose sought can be gathered.
- Temporality and Preservation Principle – Based on the right to protection of data, and to update the information contained in databases and in files of public and private persons, the Chamber held that the information contained in such systems must be updated regularly in order to avoid damage to the individuals as a result of obsolete data. In addition, the Chamber adopted the decisions of Colombian case law regarding the “right to oblivion” which is the right of all individuals to have their Personal Data updated once a default or delay has been remedied, and to forget the prior condition.
- Accuracy and Self-Determination Principle – The Personal Data must reflect the true condition of the individual. The data must be up to date, accurate and complete. In order to achieve this principle, clear and expeditious procedures must be in place in order to ensure that the individuals have access to and knowledge about their Personal Data kept by public and private institutions. This also implies the right of individuals to demand the correction or deletion of incomplete, inaccurate, inadequate and excessive data, and to be advised of their correction.
- Foresight and Integrity Principle – Technological advances call for an analysis of the storage, compilation and use of personalised data jointly with other databases or records in which the individual’s Personal Data is stored, since if shown as a whole, they may be prejudicial to the individual or his or her interests or rights.
- Safety and Confidentiality Principle – All entities that handle the compilation, storage and use of databases are required to ensure the security of such data, and to prevent the modification of such data by unrelated third parties. This obligation remains even after the termination of the relationship between the entity and the relevant person. In addition, the Chamber stated that this principle includes a prohibition on the transfer of the contents of databases to other states that do not ensure the adequate protection of Personal Data.
- Protection Principle – Judicial protection is not sufficient and it is necessary to have public entities with jurisdiction to prepare and implement models based on technical standards where the information in these databases is protected.
- Responsibility Principle – Any infringement of the right to protection of data will give rise to civil, administrative and criminal penalties. The liability for breach of this right will fall not only on officers in the banking sector, but also extends to any other sectors responsible for information systems.
Supreme Court of Venezuela holds that the address, local telephone number, mobile phone number and name of the relations of an individual constitute Sensitive Data
On 8 May 2012, the Constitutional Chamber of the Supreme Court issued Decision N° 568 (“Decision 568”), where the Chamber held that information regarding the address, local telephone number, mobile phone number, and name of the relations of an individual constitutes “Sensitive Data”.
In this decision the Chamber decided to delete the data from the electronic version of a judicial decision published on the website of the Supreme Court and stated that the disclosure of such data on the website was (i) considered to be excessive for the purposes of identifying the affected party and (ii) constituted an unnecessary “privacy inherency” in the private life of the affected party.
Supreme Court of Venezuela decides that the “habeas data” action is not an ideal means of establishing the liability of individuals who obtain and use Personal Data to the detriment of individuals’ rights
On 5 June 2012, the Constitutional Chamber of the Supreme Court issued Decision N° 779 (“Decision 779”), which held that the “habeas data” action is not an ideal means of establishing the liability of individuals who, despite not being responsible for the collection of certain data, obtain such data and use it to the detriment of individuals’ rights to honour, reputation and “public image”. This decision expressly provides that affected parties may submit their claims in connection with this issue before the competent criminal and/or civil courts in order to demand the liabilities, sanctions and indemnifications which may be applicable.
In addition, governmental agencies and entities must protect the information that they: (i) obtain by means of information technologies or (ii) store in files and electronic registries.
Emerging Privacy Issues and Trends
Autonomy of the Will Principle – The InfoLaw constitutes the first law that includes a specific provision reflecting the Autonomy of the Will Principle provided for under Decision 1318. This expressly states that any person whose data is included in a governmental agency or entity’s database is entitled to be informed about: (i) the automatic collection of their data; (ii) the purpose and use of their data and the individuals with whom such data will be shared; (iii) the options available for accessing, ratifying, deleting and opposing the use of their data; (iv) the safety measures applied to protect their data; and (v) the registration and storage of their data in the databases of governmental agencies and entities. Until the publication of the InfoLaw in the Official Gazette, the Autonomy of the Will Principle had only been developed in the jurisprudence of the Constitutional Chamber of the Supreme Court.
Data privacy regulations in Vietnam are currently scattered in various legal documents (e.g. the 2006 Law on Information Technology, the 2015 Law on Cyber Information Security, the 2018 Law on Cybersecurity, etc.). Following the global trend of strengthening data privacy legislation, Vietnam is finalising its first-ever comprehensive regulation on personal data – the Personal Data Protection Decree (PDPD). A draft version of the PDPD demonstrates a great similarity between it and the EU’s GDPR in several aspects: a broad definition of personal data and data processing, a special protection regime for sensitive personal data, recognition of the roles and responsibilities of different stakeholders involved in the processing of personal data (i.e. data controller and processor), establishment and safeguarding of the data subject’s rights regarding their personal data, etc.
The PDPD is expected to be issued in early 2023. Given the extra-territorial regulatory scope of the PDPD and how it will substantially alter Vietnam’s privacy law landscape, both onshore and offshore companies are advised to closely monitor the PDPD’s legislative process and promptly work out a compliance plan once the PDPD is officially issued. After the PDPD is issued, Vietnam plans to draw up a Personal Data Protection Law (PDPL) in 2024, a piece of legislation ranking higher in the normative hierarchy than the PDPD. The significance of the PDPL, and its distinction from the PDPD, lies in the fact that in the case of a contradiction between the PDPL and any of the existing data privacy laws, the PDPL’s provisions will prevail.
Data localisation is another critical requirement first introduced in 2018 under the Cybersecurity Law, followed by the recent enactment of the guiding Decree No. 53/2022/ND-CP (Decree 53), which entered into effect on 1 October 2022. In short, onshore and offshore providers of certain cyberspace services are required to store certain types of local service users’ data in Vietnam (personal data, data generated by users in Vietnam, data about users’ relationships). There is a multilayered test with different triggering conditions tailored exclusively for offshore service providers, only the fulfillment of all of which will subject these offshore entities to the data localisation requirement (e.g. the service provider fails to cooperate with a competent local authority in handling a cybersecurity violation). Onshore enterprises, which encompass FDI companies, are granted a one-year grace period to complete localising data in Vietnam.
To aid the enforcement of various new substantive regulations under Decree 53 and the PDPD, the drafting of another Governmental decree on administrative sanctions for cyberspace violations, the Cyberspace Administrative Sanctions Decree (CASD), is also underway. Under the initial draft version of the CASD, a monetary fine calculated based on the organisation’s annual turnover, instead of the traditional fixed amount, was proposed as a more severe punishment. It is expected that the CASD will be passed soon after the issuance of the PDPD.