Data Protection

“Privacy and Publication generally never go together. But this publication is a must for every privacy lover. Meticulous compilation of data privacy laws by the DLA Piper team.”

Raghu Raman Lakshmanan, General Counsel,

HCL America, Inc.

“This compilation does what every brilliant lawyer should do: it makes it easy for clients to understand and apply technical and difficult regulations. Touché to DLA Piper Data Protection Team.”

Dr Katarzyna Lasota Heller, Group Legal Compliance Officer,

Naspers

“DLA Piper has done a great work as the handbook is incredibly well structured and an extremely valuable for anyone handling data protection issues.”

Desislava Avramova, Senior Legal Counsel EMEA,

Newell Rubbermaid Inc.

“DLA’s handbook is a very helpful tool when looking up and comparing privacy requirements across various countries. And by putting it online they made it available to me anytime and anywhere I need it.”

René Keiser, Senior Counsel,

Mondelēz International

“DLA Piper’s Data Protection Laws of the World Handbook is an extremely useful resource. It enables us to find an answer to complex multi-jurisdictional privacy law questions very quickly.”

Lieven van Parys, European Privacy Counsel,

Pfizer

“I’ve never seen anything like it before in terms of law firm guidance/publications. Fantastic job and an excellent tool! I and my team will certainly use it and I know that it is already being circulated to others within the Volvo Group.”

Alexia Henriksen, VP General Counsel

Volvo Financial Services (EMEA)

Welcome

Welcome to DLA Piper's Data Protection Laws of the World Handbook. We launched our first edition in 2012 and have been updating the content each year since. This will be our eleventh addition and now provides an overview of key privacy and data protection laws across more than 100 different jurisdictions. This year we have added several new jurisdictions across Asia-Pacific and Africa.

Looking back on 2021, the privacy and data protection landscape continued to evolve significantly, as we moved through the second year of the global health crisis brought on by the COVID-19 pandemic. When we launched our prior edition of the Handbook a year ago, we reflected on the unique and largely unprecedented challenges faced in 2020. At that time, it seems most of us did not quite anticipate the lasting nature of the COVID-19 public health crisis and were looking hopefully towards a post-pandemic return to a bit more ‘normalcy.’ In contrast, heading into 2022, the outlook has shifted to anticipating what will be the ‘new normal’, as we continue to grapple with the impacts of the ongoing COVID-19 pandemic and reflect on some likely lasting changes wrought.

One significant trend in 2021 has been towards more lasting virtual and remote work arrangements, in response to the demands of providing a safe and effective work environment and remaining competitive from a retention and recruiting perspective. At the same time, this shift raises significant privacy and cyber security implications, as organizations grapple real-time with how to protect confidentiality, security and privacy, maintain productivity, and adopt and implement new technology to support a virtual and remote workplace.

While the virtual work trend seems likely to continue, few organizations have a fully remote employee population and many organizations (eg, those in retail, manufacturing, healthcare, education, or childcare space) have significant employee populations that are necessarily in-person. This has prompted many organizations to consider things like vaccine mandates, proof of vaccination, and mandatory COVID testing, which raise significant and formidable compliance challenges, in particular for organizations with global workforces. In addition, private and public entities continue to use innovative data and technology solutions for tracking and responding to the pandemic, which can have significant scientific and public benefits. This in turn raises concerns about privacy and surveillance risks, while at the same highlighting how overly burdensome or bureaucratic privacy and compliance requirements can have unintended consequences on matters of significant public concern.

While the pandemic has undeniably been a significant source of impact, it was far from the only major factor in privacy and data protection developments last year. In 2021, there were a number of significant privacy and data protection law developments. From an EU and GDPR perspective, the European Commission adopted new EU standard contractual clauses for data transfers between EU and non-EU countries, and the European Data Protection Board issued key guidance on the compliance requirements for conducting risk assessment and implementing supplementary measures for transfers of EU personal data to inadequate jurisdictions.

In the United States, a number of new state-level privacy laws were passed (including in California, Colorado and Virginia), and a Presidential Executive Order was issued encouraging the FTC to focus on the increasingly relevant intersection between privacy and competition law, in the context of an economy where most of the world’s largest accumulators of personal data are based.

In Asia Pacific, China’s Personal Information Protection Law (PIPL) came into force, consolidating and clarifying obligations on processing of personal information at a national law level, whilst also leaving much still to be determined through the issuance of subsequent regulations and guidelines. New data protection laws, regulations, or significant compliance requirements also took effect or were enacted in a number of jurisdictions including Canada, UAE-Dubai (Federal), Saudi Arabia and South Africa (where POPIA finally came into full effect following a 12-month grace period). However, another consequence of the pandemic was that data protection laws in a number of countries – including Thailand, India and Egypt - were delayed as governments tackled the public health crisis.

While many of the new or newly amended privacy laws are similar to the benchmark standard set by the EU with the GDPR, others take a notably different approach and contain their own unique challenges. As ever, this is driven as much through regional cultural and trade considerations, as the struggle to keep pace with emerging technologies.

In addition to privacy law developments, there were a number of significant privacy and data protection enforcement actions globally. We saw some significant GDPR fines announced in 2021, including two record-breaking fines from the Luxembourg and Irish data protection authorities, respectively. In July 2021, the Luxembourg data protection supervisory authority issued a fine against a major US-based online retailer and e-commerce platform for EUR746 million. This was followed by a fine issued in September 2021 by the Irish Data Protection Commissioner against WhatsApp Ireland Limited for EUR225 million. Both fines are subject to ongoing appeals. Enforcement shows no signs of slowing down this year—in the first week of January 2022, the French data protection authority, the CNIL, announced fines of 150 million euros against Google and 90 million euros against Facebook, relating to their cookie consent practices, which according to the CNIL did not make it as easy to reject cookies as to accept them. The CNIL gave the companies 3 months to bring their practices into compliance or face further fines of EUR100,000 per day of delay.

In the United States

Beyond the pandemic and the significant privacy law and enforcement developments last year, cybersecurity continued to be a significant risk area for organizations. A number of significant cyber security incidents and vulnerabilities were reported in 2021, several of which had sweeping implications, including vulnerability, first reported in December 2021 (you can read the DLA client alert here) related to Apache Log4j, a ubiquitous, open-source Java logging utility—this vulnerability has been described by numerous experts and public and private agencies as one of the most significant security vulnerabilities in decades, given Log4j’s widespread use across devices, web servers and systems worldwide. In addition, 2021 continued to see an increasing number of ransomware attacks, with supply chain-focused attacks, double-extortion demands, and ransomware-as-a-service continuing to be on the upswing.

With the ongoing privacy, data protection and cybersecurity developments, effective governance and sustainable compliance programs are more important now than ever to effectively managing compliance and risks. Without effective governance, responding to evolving compliance requirements—as well as privacy and cybersecurity incidents—can prove costly, challenging and ineffective, and leave organizations more exposed to unnecessary risks. On the other hand, effective governance and a sustainable compliance program enables an organization to make informed decisions on compliance and risk, and respond accordingly to legal, operational and enforcement developments.

DLA Piper's global data protection, privacy and security team brings deep experience and international reach, bringing practical compliance solutions to the myriad data protection laws.

We hope you continue to enjoy this popular resource, drawing on DLA Piper's global network of offices and trusted local counsel across an unparalleled number of jurisdictions.

If you require further guidance, please do not hesitate to contact us at [email protected].

Data Privacy Scorebox

You may also be interested in our Data Privacy Scorebox, a tool to help you assess your data protection strategy. It requires completing a survey covering 12 areas of data privacy, such as storage of data, use of data, and customers' rights. Once completed, a report summarizing your organization's alignment with key global principles of data protection is produced. The report includes a visual summary of the strengths and weaknesses of your data protection strategy, a practical action point checklist, as well as peer benchmarking data.

To access the Scorebox, please visit www.dlapiper.com/dataprotection.

GDPR Site

We are proud to present a dedicated site offering DLA Piper's insight into the General Data Protection Regulation, the once-in-a-generation change in EU data protection laws.

CCPA Site

We are proud to also present a dedicated site offering our insight into the ground-breaking new California privacy law.

Data Protection Blog

If you find this Handbook useful, you may also be interested in DLA Piper's Data Protection, Privacy and Security group's Privacy Matters Blog − a blog featuring regular data protection, privacy and security legal updates to help you remain aware of the most important legal and regulatory developments.

We have over 130 experienced privacy and security lawyers across the globe who are close to the regulations in each of their respective jurisdictions and who regularly post summary articles on their local issues.

To access the blog, please visit http://blogs.dlapiper.com/privacymatters/.

To ensure you receive an automatic email when a new article is posted, please enter your details in the 'subscribe' section found on the blog’s right hand sidebar.

Disclaimer

This handbook is not a substitute for legal advice. Nor does it cover all aspects of the legal regimes surveyed, such as specific sectorial requirements. Enforcement climates and legal requirements in this area continue to evolve. Most fundamentally, knowing high-level principles of law is just one of the components required to shape and to implement a successful global data protection compliance program.