Editor’s Note: Online privacy issues, for individuals and companies alike, are a growing concern and world-wide mission by officials. It is extremely important that we all keep current on, at the very least, the basics of these new laws as they form around the world. The following is an update by Judith Delaney, U.S. attorney specializing in social media law and online privacy laws and regulations, on the Global Online Privacy and Security Laws for Individuals and Companies article that she has so kindly promised to keep current for all readers and visitors of this blog and website.
Update to Pending and New Online Privacy Regulations Around the World
As promised in my article “Global Online Privacy and Security Law for Individuals and Companies”, I want to update you on the most recent activity regarding the status of Privacy regulation around the world. As you will soon notice, this update goes beyond the four countries featured in the article. Of those four, Canada and Europe are listed in the updates (the United States continues to grapple with trying to enact federal legislation around this concern). What is significant, at least from my perspective, is the “rumblings” of other countries, wanting to address the protection of personal data on a global level and not just within the confines of their borders.
Finally, before you peruse the following information, I want you to know that if you have any information on the matter at hand that I may have missed, please feel free to share with all of us in the comments section below, or by sending myself or Melissa Agnes an email. Thank you.
– Amercas –
Update data protection bill of law (Bill of Law No. 4.06012.12) which aims to protect individuals’ fundamental rights regarding the processing of their personal data to include the Bill of Law on Civil Liabilities on the Internet; a decision is expected on this bill in 2013.
Colombia Law No. 1581 of 2012 came into force on April 18, 2013, following its approval by the Constitutional Court on 17 October 2012:
The Law introduces a comprehensive privacy regime in Colombia for the first time and regulates, among other things, notice and consent requirements, cross-border data transfers, and the processing of children’s data. The Law also contains data subject rights and registration requirements.
Dr. Cynthia Tellez, Head of the Data Protection Division at Iriarte & Asociados stated:
“The principles and provisions of this Law are applicable to the personal data in any database that makes it amenable to treatment by public entities or private entities. The Law will only be fully operational from 18 April 2013. It is expected that before the end of the transition period, authorities will disclose the new legal framework of the Act before making sanctions effective.”
Under the law, the Superintendence of Industry and Commerce will have the power to sanction violations of the provisions with a maximum fine of approximately COL $1,182,000,000 (€500,000 or US $650,000) suspension of activities for a period of up to six months, and the temporary or permanent closure of operations.
Several important cases regarding data protection such as United Food and Commercial Workers, Local 401 v. Alberta (Attorney General) and Citi Cards Canada v. Pleasance are being monitored as to their potential impact on how Canada protects personal data.
– Asia –
The Guidance for Personal Information Protection (GB Guidance) was approved in November, 2012 and became effective February 1, 2013.
A new section, the Personal Information Protection Act, has been added to the Data Protection Act.
– Europe –
EU Data Protection Regulation which will replace the existing EU data protection directives: The EU Parliament on Wednesday, April 17, postponed until later in May, 2013 a final vote on the proposed overhaul of the European Union’s data protective regime, as companies and regulators continue to push lawmakers to loosen restrictions on the collection and use of consumer personal data.
Part of the “push” by lawmakers has to do with The Article 29 Working Party (WP29) adopted – on April 2, 2013 – Opinion 03/2013 (‘the Opinion’) which analyzes the purpose limitation principle and calls for it to be strengthened under the Draft EU Data Protection Regulation (Draft Regulation), particularly with the increasing ubiquity of big data and open data. “The traditional approach to ‘purpose limitation’ is only truly relevant to data provided directly and voluntarily by the data subject”, stated Eduardo Ustaran, Partner and Head of the Privacy and Information Law Group at Field Fisher Waterhouse. “But ‘purpose limitation’ is not that relevant as a mechanism to prevent misuses of big data, which appears to be a key concern for the regulators.”
Note: I will address this in more detail in a separate, upcoming article about the growing trend of the use and storage of big data and the concern with the rights to privacy.
It is not my intention to make a habit of detailing litigation around privacy concerns. However, I do believe it is worthwhile for you, the reader, to be (if not already so) aware of the Google litigation and what it could mean to countries and other social media sites around the world. Following is the summary:
– Latin America –
The Council of Europe (CoE) announced – on April 12, 2013 – that Uruguay has become the first non-European country to accede to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) and its Additional Protocol. The treaty will enter into force in Uruguay on August 1, 2013, making it the 45th country to be party to the Convention.
Convention 108 was the first legally binding instrument governing data protection, adopted by the CoE in 1981, establishing minimum data protection standards and regulating cross border data transfers. The CoE is in the process of discussing proposals to modernize the Convention in light of the upcoming changes proposed by the draft EU Data Protection Regulation.
Dr Ana Brian Nougrères, Director and Principal Consultant at Estudio Jurídico Briann & Associates,stated:”Uruguay is assuming an important position, showing a country with special concerns regarding the principles of data protection and privacy. [Furthermore], the ratification of the Additional Protocol confirms Uruguay’s respect of foreign data protection authorities, and emphasizes the role of international data flows.”
Martín Pesce and Stephania Bresque, Senior Associate and Associate respectively at Ferrere, said: “This is another significant step for Uruguay in the field of data protection, after being granted adequacy status by the European Commission last year.” As previously reported in DataGuidance, this decision – issued on 23 August 2012 – made Latin America the second most ‘adequate’ continent behind Europe itself.
“Both the adequacy declaration and the incorporation of the Convention to the national legal system places Uruguay as the Latin-American country that is most aligned with European [standards] for data protection,” said Pesce and Bresque. “It also definitively puts Uruguay in the spotlight for the setup of data centres at a global level, which is expected to trigger the development of areas of high added value, such as e-health or telemedicine.”
As more countries begin to work together to meet their mutual interest in protecting personal data, it is the hope that ultimately this will result in consistent cross-border standards and regulations across the globe. Stay Tuned!
Disclaimer: The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.
Judith Delaney is an attorney who specializes in global online privacy laws and issues and social media law. Judith helps organizations integrate new media strategies with business strategies to effectively manage risk associated with online compliance such as the HIPPA Omnibus Rule, global social media private and data protections and contract risk management.
Steve MacDonald says
Awesome information! Thank you very much for sharing this! This is the type of information that I'd like to be aware of. Love to learn and read more from your posts.