Data Protection Laws of the World

Data Protection

“Privacy and Publication generally never go together. But this publication is a must for every privacy lover. Meticulous compilation of data privacy laws by the DLA Piper team.”
Raghu Raman Lakshmanan, General Counsel,
HCL America, Inc.
“This compilation does what every brilliant lawyer should do: it makes it easy for clients to understand and apply technical and difficult regulations. Touché to DLA Piper Data Protection Team.”
Dr Katarzyna Lasota Heller, Group Legal Compliance Officer,
Naspers
“DLA Piper has done great work, as the handbook is incredibly well structured and extremely valuable for anyone handling data protection issues.”
Desislava Avramova, Senior Legal Counsel EMEA,
Newell Rubbermaid Inc.
“DLA’s handbook is a very helpful tool when looking up and comparing privacy requirements across various countries. And by putting it online they made it available to me anytime and anywhere I need it.”
René Keiser, Senior Counsel,
Mondelēz International
“DLA Piper’s Data Protection Laws of the World Handbook is an extremely useful resource. It enables us to find an answer to complex multi-jurisdictional privacy law questions very quickly.”
Lieven van Parys, European Privacy Counsel,
Pfizer
“I’ve never seen anything like it before in terms of law firm guidance/publications. Fantastic job and an excellent tool! I and my team will certainly use it and I know that it is already being circulated to others within the Volvo Group.”
Alexia Henriksen, VP General Counsel
Volvo Financial Services (EMEA)

New Features

  • 2016 promises to be another important year for data protection and, to reflect this, we have included a new chapter summarising the European Union's General Data Protection Regulation, on which political agreement was reached in December 2015.

  • This year we have added a number of key African jurisdictions, including Nigeria, Angola, Cape Verde, Ghana, Lesotho, Madagascar, Mauritius, the Seychelles and Zimbabwe.  Further African jurisdictions will be added during the course of the year.

Abstract

More than ever, it is crucial that organisations manage and safeguard personal information and address the risks and legal responsibilities that arise from processing personal data, given the growing thicket of applicable data protection legislation.

A well-constructed and comprehensive compliance program can reconcile these competing interests and is an important risk-management tool.

This handbook sets out an overview of the key privacy and data protection laws and regulations across nearly 100 different jurisdictions and offers a primer to businesses as they consider this complex and increasingly important area of compliance.

DLA Piper's global data protection and privacy team has the deep experience and international reach to help global businesses develop and implement practical compliance solutions to the myriad data protection laws that apply to them.

Introduction

Welcome to DLA Piper's Data Protection Laws of the World Handbook. We launched the first edition of the handbook in 2012, and following such a positive response have been updating it annually ever since.

We continue to witness a period of unprecedented activity in the development of data protection regulation around the world which will have a profound impact on the way in which global businesses are required to approach the collection and management of personal information.

These changes are being driven largely by cultural and trade considerations and by a struggle to keep pace with emerging technology and online business methods. At an EU level, political agreement has finally been reached on the General Data Protection Regulation, and the final text should be formally adopted early this year. Of equal significance is the toughening of legal requirements and of enforcement in countries such as Korea, Hong Kong and Singapore. Furthermore, the emergence of laws in countries which previously had no data protection law in place, including a large number of countries in Asia, Latin America and the Middle East, continues and could create considerable enforcement risk in the future.

Should you require further guidance, please do not hesitate to contact us at dataprivacy@dlapiper.com.

Data Privacy Scorebox

You may also be interested in our Data Privacy Scorebox, a tool to help you assess your data protection strategy.  It requires completing a survey covering 12 areas of data privacy, such as storage of data, use of data, and customers' rights. Once completed, a report summarising your organisation's alignment with key global principles of data protection is produced.  The report includes a visual summary of the strengths and weaknesses of your data protection strategy, a practical action point check list, as well as peer benchmarking data.

To access the Scorebox, please visit www.dlapiper.com/dataprotection

CyberTrak

We are pleased to introduce CyberTrak, an innovative online cybersecurity tool featuring information on cybersecurity-related mandates in 23 key markets around the world. CyberTrak is the inaugural product of a partnership between Blue Edge Lab℠* and the Internet Security Alliance (ISA).

CyberTrak provides multinational companies instant online access to critical information about cybersecurity-related laws, regulations and generally accepted standards in 23 key markets in the Americas, Asia-Pacific, Europe and the Middle East and in four highly regulated sectors in the US. It also provides brief summaries of requirements, as well as an assessment on enforcement risk and the degree of activity triggering the requirement.

Cybersecurity laws and regulations are evolving rapidly around the world. Companies battling ever more sophisticated cyberattacks face mounting compliance costs and higher risks if they do not keep up with new requirements in all markets where they operate.

CyberTrak is designed to help GCs, CIOs, CISOs, risk officers and legal, technology, IT and procurement departments of multinational companies make better, faster risk management decisions and reduce the costs associated with keeping up with these changing regulatory requirements.

CyberTrak content will be regularly updated three times per year by a global group of more than 50 carefully selected contributors in key jurisdictions (many of them contributors to Data Protection Laws of the World), along with interim updates when major changes occur.

Understanding cybersecurity mandates on a global scale is critical to any multinational company that collects and retains customer data, trade secrets, and other confidential data or operates in a critical infrastructure sector, such as energy, financial services, healthcare and defense/government contractors.

Company-wide CyberTrak access is offered on an annual subscription basis. To register for a free trial or to learn more about CyberTrak, please visit www.BlueEdgeLab.com.

*Blue Edge Lab, LLC is a wholly owned subsidiary of DLA Piper LLP (US). Blue Edge Lab is not a law firm and does not provide legal services.

DATA PROTECTION BLOG

If you find this Handbook useful, you may also be interested in the Privacy Matters Blog of DLA Piper's Data Protection, Privacy and Security group: a blog featuring regular data protection, privacy and security legal updates to help you remain aware of the most important legal and regulatory developments.

We have over 130 experienced privacy and security lawyers across the globe who are close to the regulations in each of their respective jurisdictions and who regularly post summary articles on their local issues.

To access the blog, please visit http://blogs.dlapiper.com/privacymatters/

To ensure you receive an automatic email when a new article is posted, please enter your details in the 'subscribe' section found on the blog’s right‑hand sidebar.

Disclaimer

This handbook is not a substitute for legal advice. Nor does it cover all aspects of the legal regimes surveyed, such as specific sectorial requirements. Furthermore, enforcement climates and legal requirements in this area continue to evolve. Most fundamentally, knowing high-level principles of law is just one of the components required to shape and to implement a successful global data protection compliance program.

Data Protection and Privacy Group Key Contacts

Americas

Jim Halpert
Partner & Chair of US Data Protection and Privacy Group
T +1 202 799 4441
Jennifer Kashatus
Partner, Data Protection, Privacy and Security
T +1 202 799 4448

Europe, Middle East and Africa

Andrew Dyson
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +44 (0)113 369 2403
Prof. Patrick Van Eecke
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +32 2 500 1630
Carol Umhoefer
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +33 1 40 15 24 34
Thomas Jansen
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +49 89 2323 72 110
Diego Ramos
Partner
T +34 91 790 1658
Richard van Schaik
Partner & Co-Chair of EMEA Data Protection and Privacy Group
T +31 20 541 9828

Asia Pacific

Peter Jones
Partner & Co-Chair of Asia-Pac Data Protection and Privacy Group
T +61 2 9286 8356
Scott Thiel
Partner & Co-Chair of Asia-Pac Data Protection and Privacy Group
T +852 2103 0519

EDITORS

Kate Lucente
Associate and Co-Editor, Data Protection Laws of the World Handbook
T +1 813 222 5927
James Clark
Associate and Co-Editor, Data Protection Laws of the World Handbook
T +44 113 369 2461

Introduction

EU data protection legislation is facing huge changes. Privacy issues arising from the growing popularity of Internet services have pushed the EU to entirely rethink its data protection legislation.

In 2012, the European Commission published a draft regulation (the General Data Protection Regulation, 'GDPR'), which will impose new obligations relevant to almost all businesses. Almost four years later, a political agreement on the GDPR was reached in December 2015. The final text will be formally adopted by the European Parliament and Council at the beginning of 2016 and become applicable two years thereafter.

The current EU Data Protection Directive (95/46/EC) was adopted in 1995. It has been implemented differently by EU Member States into their respective national jurisdictions, resulting in the fragmentation of national legislations within the EU. The GDPR will replace the Data Protection Directive and will be directly applicable in every EU Member State, thereby eliminating the current fragmentation of national data protection laws.


CURRENT SITUATION

At present, personal data processed in the European Union is governed by the 1995 European Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive"). The Directive establishes a number of key legal principles: 

  • Fair and lawful processing 

  • Purpose limitation and specification 

  • Minimal storage term 

  • Transparency 

  • Data quality 

  • Security 

  • Special categories of data 

  • Data minimisation 

These principles have been implemented in each of the 28 European Union Member States through national data protection law. 

FUTURE LEGAL FRAMEWORK

The first step towards a new legal framework was taken when the European Commission presented its draft proposal for a new Data Protection Regulation on 25 January 2012. The proposal was presented as a comprehensive reform of the current data protection rules and aims to 'strengthen online privacy rights and boost Europe's digital economy'. 

Subsequently, both the European Parliament (in March 2014) and the Council (in June 2015) adopted amended versions of the Commission proposal.

After six months of negotiations among the European Parliament, the Member State delegations in the Council of the European Union and the European Commission (the 'trilogue'), the three institutions reached a common position on the final text in December 2015.

After formal approval at the beginning of 2016, followed by the official publication of the Regulation, there will be a two year transition period to allow organisations and governments to adjust to the new requirements and procedures. Following the end of this transitional period, the Regulation will be directly applicable throughout the EU, without requiring implementation by the EU Member States through national law.

The goal of European legislators was to harmonise the current legal framework, which is fragmented across Member States. A 'Regulation' (unlike a Directive) is directly applicable and has consistent effect in all Member States, and should increase legal certainty, reduce the administrative burden and cost of compliance for organisations that are active in multiple EU Member States, and enhance consumer confidence in the single digital marketplace.

We have summarised the key changes that will be introduced by the GDPR in the following sections.


Key changes to the current data protection framework include:

HARMONISATION

  • Adoption of a single set of rules on data protection, directly applicable in all EU Member States.

Although each Member State has implemented data protection laws locally which transpose the EU Data Protection Directive, there are material differences in the approach taken by national legislators. This has led to fragmentation in terms of compliance requirements across Member States. 

The Regulation is intended to adopt a harmonised approach to compliance across all Member States by implementing legislation that will be directly applicable in all 28 Member States. There will be no opportunity for local transposition, although the Regulation does leave certain matters, such as the processing of employee data and the age at which children can give valid consent to online services, to be supplemented by national law, so some national variation will remain.

ENFORCEMENT

  • A revised enforcement regime underpinned by the power for regulators to levy heavy financial sanctions of up to 4% of the annual worldwide turnover of the organisation.

  • The Regulation provides for considerably higher sanctions than under the current privacy framework: for the most serious infringements, regulators will be able to issue administrative fines of up to EUR 20 million or 4% of the total annual worldwide turnover of the undertaking (the organisation and its affiliates), whichever is higher. This will create a sea-change in risk for global businesses.

  • Each national supervisory authority will have the power to impose these sanctions. This is a major change from the current regulatory framework, where enforcement powers are inconsistent across the EU.

These changes will significantly increase the risk associated with privacy non-compliance.

OFFSHORE PROCESSING

  • Application of the EU regulatory framework to companies established outside the EU, if they target individuals in the EU.

  • The new rules will have a broader territorial scope: they will apply to companies not established in the EU where they offer goods or services to individuals in the EU (whether or not payment is required) or monitor the behaviour of individuals within the EU. Note that the test is whether the data subjects are in the EU, not whether they are EU citizens.

  • Currently, European data protection legislation only applies to controllers not established in the EU if they make use of equipment on EU territory for the purposes of processing personal data, and otherwise to processing carried out in the context of the activities of an establishment in the EU.

GOVERNANCE

The requirement in current data protection laws to notify the national data protection authority about data processing operations is abolished and replaced by a more general obligation on the controller to keep extensive internal records of their data protection activities.

Controllers must ensure all personal data is processed in compliance with the Regulation and be able to demonstrate compliance to a supervisory authority if requested. 

The minimum measures to be taken include:

  • Increased responsibility and accountability on organisations to manage how they control and process personal data.

  • Performing a data protection impact assessment for high risk projects. A data protection impact assessment will become a mandatory pre-requisite before processing personal data in operations that are likely to present specific (higher) privacy risks to individuals due to the nature or scope of the processing operation. We expect this to become a routine governance tool in managing privacy risk across the organisation.

  • Designating a data protection officer. Public authorities, and organisations (both controllers and processors) whose core activities require regular and systematic monitoring of data subjects on a large scale or consist of large-scale processing of special categories of data or data relating to criminal convictions, will have to appoint a data protection officer (DPO). The DPO, who may be either a staff member or a service contractor, will report to the highest management level. His or her tasks will include informing and advising the controller or processor (and its employees) of their obligations, monitoring compliance with the GDPR, advising on data protection impact assessments and cooperating with the supervisory authority (including acting as its point of contact).

  • Notifying the regulator of data breaches. Controllers will be required to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed. Outside specific sectors such as telecoms, mandatory breach notification is not currently a requirement in most EU Member States, so this represents a significant departure from current practice.

  • Implementing privacy by design and privacy by default. The Regulation introduces the concepts of "privacy by design" and "privacy by default" (referred to in the text as data protection by design and by default). Privacy by design means taking privacy risk into account throughout the process of designing a new product or service, rather than treating it as an afterthought. This means carefully assessing and implementing appropriate technical and organisational measures and procedures from the outset to ensure that processing complies with the Regulation and protects the rights of data subjects. Privacy by default means ensuring mechanisms are in place within the organisation so that, by default, only the personal data necessary for each specific purpose is collected, used and retained, both in terms of the amount of data collected and the time for which it is kept.

ONE-STOP-SHOP

  • A single national data protection authority, that of the organisation's main establishment in the EU, acting as lead regulator for compliance issues across the EU where the organisation has multiple points of presence in the EU ("one stop shop");

The Regulation introduces the principle of a "one-stop-shop", which allows the supervisory authority in the country of the controller's (or processor’s) main point of establishment in the EU to be responsible for decisions relating to the controller (or processor) across its EU operations. Although there are some significant exceptions to the one-stop-shop principle, this principle is expected to reduce the administrative burden of compliance for organisations that have an international footprint which may currently need to interact with supervisory authorities in each Member State where they are present.

CONSENT

  • Adoption of a more active consent based model to support lawful processing of personal data; 

It is an established legal principle that personal data can only be processed by a controller for purposes that are fair and lawful.

The current regulatory regime (under the Directive) allows a controller to lawfully process data with the "consent" of the data subject, which might be either express or implied, or where the processing is necessary for the "legitimate interests" of the controller in circumstances that do not cause undue prejudice to the individual.

These gateways to fair and lawful processing have come under scrutiny by EU legislators as part of the regulatory reform process. There is a strong view that the current regime provides controllers with too much flexibility to determine how data are used and that rights need to be re-balanced in favour of the individual, particularly in the context of social media networking and consumer profiling where individuals often have limited ability to control how their data are shared if consent is based on implied consent, or a wide interpretation of "legitimate interests".

The definition of "consent" has been significantly refined in the Regulation. Consent should be freely given, specific, informed and unambiguous. Implied consent, (e.g., by just staying on a website or not responding to a request) will not be sufficient as the Regulation states that the consent should be given "by a statement or clear affirmative action".

Making access to a service conditional on consent to the processing of personal data that is not necessary to perform the contract will weigh heavily against that consent being regarded as freely given, and so will generally no longer provide a valid basis for processing.

Under the Regulation, controllers will be expected to give much more consideration in their working practices to what the data subject would want and expect their data to be used for, and to allow individuals to change their preferences from time to time, whether by withdrawing consent previously given (which must be as easy as giving it) or by objecting to continued processing on grounds based on "legitimate interests".

This flexibility is enshrined in the new rights to erasure in the Regulation (see below) and will require organisations to adopt a more dynamic consent model, such as a preference centre, for consumer interactions.

TRANSPARENCY

  • Increased transparency obligations; and
  • Privacy notices will need to include much more detailed information. 

The Regulation introduces a new obligation on the controller to develop "transparent and easily accessible" policies explaining to data subjects how their personal data will be processed, what their individual rights are and how those rights may be exercised. This must be provided in an intelligible form, using clear and plain language that will be understood by the target audience, ensuring for example that any information collected from children is addressed specifically in a manner that children will understand.

DATA PORTABILITY

  • The ability for individuals to easily transfer their data files from one service provider to another (right to data portability); 

The Regulation introduces a new right to data portability, which grants data subjects the right to receive the personal data concerning them which they have provided to a controller, in a structured, commonly used and machine-readable format. The data subject is also entitled to have the data transmitted directly from one controller to another, where this is technically feasible.

RIGHT TO BE FORGOTTEN

  • A statutory "right to be forgotten" which will allow individuals the right to require a controller to delete data files relating to them if there are no legitimate grounds for retaining it;

The current Directive gives data subjects a right to obtain the erasure or blocking of data whose processing does not comply with the Directive, and to object to processing on compelling legitimate grounds, as recently recognised in the European Court of Justice's landmark 2014 Google Spain ruling.

The Regulation builds upon this principle with a new statutory right to raise objections directly with the controller and force erasure of data files and prevent further disclosures in specified circumstances: 

a. where the data are no longer necessary for the purposes for which they were originally collected or processed;

b. where the data were originally collected from the data subject based on consent, but where the individual has indicated that he or she wishes to withdraw that consent;

c. where the data were originally collected from the data subject based on the legitimate interests of the controller, but where the individual has indicated that he or she objects to personal data being processed for those purposes;

d. where the data have been unlawfully processed;

e. where the data have to be erased for compliance with a legal obligation to which the controller is subject; or

f. where the data have been collected in relation to the offering of information society services to children.

Exceptions apply to the erasure requirement where the controller may be able to demonstrate an overriding justification to maintain processing of the data - for example the need to retain records to comply with a legal obligation. 

In each case where an objection is raised, the relevant controller is required to take all reasonable steps to inform any third parties to whom the data have been disclosed of the erasure request. This means that the controller must take reasonable measures to manage the way in which any third party publishers make use of personal data passed on to them.

DATA PROCESSORS

  • Direct regulation of data processors;

The Regulation directly regulates data processors for the first time. The current Directive generally regulates controllers (ie those who determine the purposes and means of the processing of personal data) rather than "data processors" - organisations engaged by a controller to process personal data on its behalf (eg as an agent or service provider).

Under the Regulation, processors will be required to comply with a number of specific obligations, including to maintain records of their processing activities, implement appropriate security measures, assist the controller with data protection impact assessments and with breach notification (a processor must notify the controller of a breach without undue delay), appoint a data protection officer where the criteria described above are met, comply with the rules on international data transfers, engage sub-processors only with the controller's authorisation and cooperate with national supervisory authorities. These are in addition to the requirement that processors are engaged by the controller under a data processing agreement which includes the terms mandated by the Regulation.

Processors will be liable to sanctions at the same level as controllers if they fail to meet these obligations.


Key Contacts

Prof. Patrick Van Eecke
Partner
T +32 2 500 1630
patrick.van.eecke@dlapiper.com
