[{"innerBlocks":[],"name":"core\/freeform","postId":1317,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":2,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":" $\"\"$ This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer.\n\nAsia-Pacific<\/strong>\n\nChina\u2019s Data Security Law and Personal Information Protection Law<\/strong> \u2013 This summer, the People\u2019s Republic of China passed two new data protection laws. The Data Security Law (DSL)<\/a> passed in June and is in effect<\/a> as of September\u00a01. The DSL applies broadly to data use and data processing activities, including those that take place outside China, when they could harm China\u2019s national security or public interests or the legal rights and interests of Chinese citizens and organizations. The DSL outlines data security requirements that aim to safeguard data through comprehensive data security management, ongoing assessments, regulatory reporting, and effective risk monitoring and remediation. Many of the required protections depend on how data is classified under the DSL. Sanctions for noncompliance include monetary penalties and business license revocation or suspension.\n\n\n\nIn August, China adopted<\/a> a comprehensive data protection law, the Personal Information Protection Law<\/a> (PIPL<\/a>). PIPL will come into effect<\/a> on November\u00a01, 2021. PIPL covers the processing of personal information of individuals located in China, including when that information is processed outside China, such as when providing goods and services in China or analyzing or assessing the behavior of individuals in China. PIPL\u2019s definition of personal information is broad and similar to the EU\u2019s General Data Protection Regulation (GDPR) and many other data protection laws. The definition of sensitive personal information (including biometric identifiers, religion, health, location tracking, etc.) also is familiar but adds financial information and the personal information of individuals under the age of 14. Like the GDPR, PIPL distinguishes between entities that determine the purposes of processing and those that do not, requires a Chinese-based representative for non-Chinese companies subject to PIPL, necessitates a lawful basis for personal information processing, provides individuals with certain rights over their personal information, restricts cross-border personal information transfers, and allows for steep monetary penalties. However, certain PIPL requirements differ from those of the GDPR. For example, PIPL requires discrete consent for specified personal information processing activities including disclosure, cross-border transfer and sensitive personal information processing. Additionally, PIPL provides a private right of action if an individual\u2019s request to exercise rights under the law is rejected.\n\nIndia\u2019s IT Rules <\/strong>\u2013 Earlier this year, India published<\/a> its new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021<\/a> (IT Rules). On May\u00a025, the three-month compliance grace period<\/a> ended for significant social media intermediaries (those with 5 million or more registered users in India). The IT Rules are applicable to news publishers and intermediaries that \u201cenable the transmission of news and current affairs,\u201d such as social media networks, blogs and online discussion forums. The IT Rules apply differently depending on the platform\u2019s scale, and they impose obligations related to, among other things, content due diligence, content moderation, automated content screening and illegal content removal. The validity of many of these requirements is currently being challenged in the Indian High Courts.\n\nThailand\u2019s Personal Data Protection Act<\/strong> \u2013 Thailand\u2019s comprehensive data protection law, the Personal Data Protection Act, was set to come into effect in June 2021. However, the Thai government has pushed back the enforcement date<\/a> for a number of provisions to May\u00a031, 2022.\n\nSouth Korean Adequacy Decision<\/strong> \u2013 In June, the European Commission (EC) started the process<\/a> to adopt an adequacy decision for South Korea, which would allow the transfer of European Union (EU) personal data to South Korea without additional safeguards. The EC\u2019s draft adequacy decision<\/a> deems South Korea to offer a level of data protection essentially equivalent to that provided under the GDPR, emphasizing the recent reform of South Korea\u2019s Personal Information Protection Act, which strengthened the powers of South Korea\u2019s regulator, the Personal Information Protection Committee (PIPC). Several additional safeguards, enforceable by PIPC, were also agreed to during the adequacy talks<\/a> and are aimed at enhancing the protection of EU personal data transferred to South Korea. PIPC\u2019s press release<\/a> regarding the draft adequacy decision indicates that the final adoption of South Korean adequacy is likely by the end of the year.\n\nEurope, the Middle East and Africa (EMEA)<\/strong>\n\nEU Data Transfers<\/strong> \u2013 Cross-border data transfer issues have been top of mind for many U.S. companies doing business with Europe since the Court of Justice of the European Union\u2019s Schrems II<\/em> decision<\/a> in July 2020. This past June, we were given more clarity<\/a>, first in the new European Commission Standard Contractual Clauses<\/a> (SCCs) for international personal data transfers and then in the European Data Protection Board\u2019s (EDPB) final recommendations on supplemental personal data transfer measures<\/a>. Even as companies move forward to implement the new SCCs, which will fully replace the prior versions on September\u00a027, European data protection authorities (DPAs) continue to issue related guidance, are auditing compliance with data transfer requirements and are taking enforcement actions against noncompliant data transfers.\n\nFrance\u2019s Commission nationale de l\u2019informatique et des libert\u00e9s (CNIL), for example, updated its data transfer information<\/a> and FAQs on the invalidation of the Privacy Shield<\/a> and issued a guide to help data controllers assess<\/a> their cross-border data transfers along with a revised map<\/a> broadly showing data protection levels worldwide. Meanwhile, the German DPAs issued statements regarding<\/a> data transfer obligations<\/a>, specifically the need for additional assessments and supplementary measures and actions companies should take<\/a>. Simultaneously, the German DPAs began<\/a> coordinated data transfer compliance audits<\/a>, sending questionnaires<\/a> to various companies.\n\nWith regard to cloud computing specifically, the European Data Protection Supervisor (EDPS) also began an examination of the data transfer contracts<\/a> for cloud services used by EU institutions. Belgium\u2019s Autorit\u00e9 de la protection des donn\u00e9es\/Gegevensbeschermingsautoriteit (APD-GBA) approved a code of conduct for cloud service providers<\/a>, and the French government released information about their national strategy for cloud technologies<\/a>.\n\nElsewhere, enforcement action continued. The Portuguese Comiss\u00e3o Nacional de Prote\u00e7\u00e3o de Dados suspended<\/a> the international transfer of census data to the United States as noncompliant with the Schrems II <\/em>decision. The French CNIL expressed concern<\/a> regarding personal data transfers and the use of collaborative educational technologies at French universities. In Germany, the Hamburg DPA advised the regional Senate Chancellery<\/a> to suspend its use of on-demand videoconferencing, as the use required the transfer of personal data to the United States, and the DPA determined that the strict requirements for the data transfer could not be met. And the Bavarian DPA warned a company<\/a> that its failure to implement additional measures to protect personal data made the data transfers noncompliant with the GDPR following Schrems II<\/em>. The company voluntarily suspended its use of the third-party processor before any additional action was taken.\n\nThese actions, taken together, suggest that there is not yet a single European approach to evaluating data transfers and that some DPAs may interpret the SCCs and EDPB guidance more strictly than others that are willing to take a more practical approach to data transfer requirements. Meanwhile, the EU and the U.S. continue negotiations<\/a> on a more comprehensive mechanism for approved data transfers as a replacement for the defunct Privacy Shield Framework.\n\nUK Adequacy and Data Transfers <\/strong>\u2013 On June\u00a028, the EC adopted final adequacy decisions<\/a> for the United Kingdom (UK) \u2013 one under the GDPR<\/a> and one under the Law Enforcement Directive<\/a> \u2013 which means that personal data can now \u201cflow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.\u201d Opinions from the EDPB<\/a> and the European Parliament<\/a> pointed to concerns related to onward transfers from and public authority access to personal data transferred to the UK. Separately from the EU adequacy negotiations, the Grand Chamber of the European Court of Human Rights ruled in May<\/a> that the UK\u2019s public authority bulk surveillance powers were incompatible with fundamental human rights, did not have sufficient safeguards, and \u201clacked an extensive independent and continual oversight\u201d mechanism. Ultimately, the final UK adequacy decisions are limited to a four-year (renewable) period, and adequacy will be monitored throughout in case there is a future divergence between EU and UK laws. The UK has already recognized<\/a> the European Economic Area countries as adequate, so the flow of personal data is now allowed in both directions.\n\nOn August\u00a011, the UK Information Commissioner\u2019s Office (ICO) initiated its consultation on transfers of personal data<\/a> out of the UK, publishing, in addition to the consultation paper and questions, a draft UK addendum to the EC\u2019s SCCs, an international data transfer agreement (IDTA) and an international transfer risk assessment. The ICO\u2019s IDTA introduces a new format \u2013 a unified, adaptable agreement that can be signed between controllers, processors and others and includes a table that identifies the agreement\u2019s key details at the beginning. The transfer risk assessment provides an optional framework that takes a holistic approach to these assessments, helpfully moving somewhat away from the law enforcement access focus of late. The document includes guidance and examples and can be freely modified based on an organization\u2019s data processing risks. Most businesses will be happiest to see that the ICO is considering whether to permit data transfers via a UK-specific addendum that can be appended to data transfer agreements approved by other jurisdictions, including the new EU SCCs. The proposed addendum is brief and flexible. The ICO\u2019s consultation period closes on October\u00a07, so we will not have a final UK decision in place prior to the September\u00a027 expiration of the old EU SCCs. Businesses should continue to expect contracting complexities in moving European personal data until we have the ICO\u2019s final guidance.\n\nSwiss Data Transfers <\/strong>\u2013 The Swiss data protection authority has approved the use of the revised EU SCCs<\/a> for cross-border transfers of Swiss personal data as long as specific requirements are met that comply with Swiss law. The necessary modifications will be dependent on whether the transfer involves only Swiss data or a combination of Swiss and EU data. The changes required to use the EU SCCs for Swiss data transfers include giving parallel supervisory authority to the Swiss and EU Member State DPAs and supplementing the SCCs with an annex specifying the inclusion of Switzerland and Swiss laws in the SCCs. Effective September\u00a027, 2021, the Swiss DPA will terminate its approval for all previously approved model clauses, including the Swiss Transborder Data Flow Agreement and older EU SCCs. Prior uses of these agreements may remain in place until January\u00a01, 2023, unless the underlying contract changes significantly.\n\nArtificial Intelligence (AI) \u2013 <\/strong>In April, the EC proposed its expansive new AI Regulation<\/a>, which would ban certain AI practices that create an unacceptable risk. The draft AI Regulation outlines strict safeguards for AI systems that it defines as high risk, creates voluntary codes of conduct for lower-risk AI systems and establishes the potential for large fines for noncompliance. In June, the EDBP and the EDPS issued<\/a> a joint opinion on the AI Regulation<\/a>, highlighting that the processing of any personal data under the AI Regulation would also be subject to existing EU data protection laws and asking for a general prohibition on the use of AI for both remote biometric identification in public spaces and algorithmic uses of AI that can lead to discrimination.\n\nEU\u2019s One-Stop Shop \u2013<\/strong> Bypassing the Lead Supervisory Authority <\/strong>\u2013 Under the EU\u2019s GDPR, cross-border data protection matters that involve multiple EU Member States are typically handled by a lead DPA, which is the DPA in the Member State where the organization under investigation is based. This so-called one-stop shop mechanism<\/a> is intended to simplify enforcement for businesses that operate in multiple Member States. The EDPB explained in a May response<\/a> that the one-stop shop mechanism \u201censures that the lead supervisory authority responsible for investigating cases against a particular controller considers the input of any concerned supervisory authority.\u201d A Court of Justice of the European Union decision on June 15 clarified<\/a> that in some limited situations, such as when the matter is truly urgent, other DPAs can bring cases against organizations for which another DPA is the lead supervisory authority.\n\nCookies and Tracking Technologies<\/strong> \u2013 March 31 was the deadline for adopting the new recommendations for the use of cookies and tracking technologies issued by France\u2019s CNIL. On April\u00a02, the CNIL signaled its intent to audit compliance<\/a> with the new guidelines. The next month, on May\u00a018, the CNIL announced that it had issued formal notices<\/a> to 20 organizations, ordering them to comply with the requirement to allow Internet users to refuse cookies as easily as they can accept them; all companies that received notices have now resolved<\/a> the issues. However, not all companies that received notices in the CNIL\u2019s next round of notices<\/a> complied, leading to sanctions. Additionally, the CNIL issued a \u20ac50,000 fine for cookie noncompliance<\/a> in late July and also cited cookie noncompliance<\/a>, remedied while the matter was under review, in a recent decision and a fine issued primarily for failures to obtain consent and adequately respond to data subject rights.\n\nProving this is not merely a French issue, Spain\u2019s Agencia<\/a> Espa\u00f1ola de Protecci\u00f3n<\/a> de Datos<\/a> and Norway\u2019s Datatilsynet<\/a> both issued fines for noncompliant uses of tracking technologies, focusing on the lack of user consents, inability to reject cookies and failure to post an adequate cookie policy. Italy\u2019s Garante per la protezione dei dati personali (Garante) published its new guidelines<\/a> for the use of cookies and tracking technologies<\/a> in July. Also in July, Finland\u2019s Traficom published revised guidelines<\/a> for \u201cclarity in cookie practices.\u201d\n\nNot to be left out of the push for cookie compliance, the European nonprofit noyb (founded by Max Schrems) is taking on cookie banners<\/a> and has developed its own cookie compliance monitoring tool. In a statement on May\u00a031, noyb accused organizations<\/a> of attempting to frustrate users into cookie consent and said noyb had issued more than 500 draft complaints to companies with noncompliant cookie banners as part of its goal to \u201cend cookie banner terror.\u201d In August, noyb stated that they had followed up on their draft complaints<\/a> by filing 422 complaints with DPAs across the EU.\n\nHealth Data<\/strong> \u2013 As Europe loosens COVID-19-related restrictions, vaccine passports and employer collection of employee COVID-19 vaccination status have been key areas of interest. In June, the EU signed the Regulation on the EU Digital COVID Certificate<\/a>, which will be in effect for 12 months beginning on July\u00a01 and aims to \u201cfacilitate safe and free movement inside the EU during the COVID-19 pandemic.\u201d The EU Digital COVID Certificate gateway was live as of June 1<\/a> and was at launch being used already in Bulgaria, Croatia, the Czech Republic, Denmark, Germany, Greece and Poland. Several countries have issued guidance with a few key themes on workplace COVID-19 measures. The Italian Garante, for example, highlighted that the imbalance<\/a> in the employer-employee relationship means that consent cannot be the legal basis for processing vaccination-related personal data, and consequences (positive or negative) may not be based on an employee\u2019s vaccination status. Taking this one step further, the Irish Data Protection Commission\u2019s guidance states that processing vaccination data is likely<\/a> to \u201crepresent unnecessary and excessive data collection for which no clear legal basis exists\u201d where a public health authority has not determined that it is necessary for employers to collect the data or provided direction on how they should use the information once they have it.\n\nUK\u2019s Children\u2019s Code<\/strong> \u2013 The Children\u2019s Code (or the Age Appropriate Design Code) in the UK<\/a> is fully in force as of September 2, 2021. This code includes 15 standards that online services \u2013 including apps, games, connected toys and devices, social media platforms, online marketplaces, and content streaming services \u2013 must follow if children are likely to access the service. These standards help ensure compliance with obligations related to protecting children\u2019s data online. The code applies to any companies that process the personal data of UK children, regardless of location.\n\nEuropean Data Protection Board <\/strong>\u2013 The EDPB had a busy summer, issuing guidelines on the concepts of controller and processor<\/a>, virtual voice assistants<\/a> and codes of conduct as tools for data transfers under the GDPR<\/a> as well as finalizing the recommendations for supplemental cross-border data transfer tools<\/a>. The EDPB also called upon Member States<\/a> to assess and \u201creview their international agreements that involve international transfers of personal data,\u201d taking into consideration both the GDPR and the EU\u2019s Law Enforcement Directive.\n\nNew EMEA Laws and Regulations<\/strong>\n
\n \t
Belarus<\/strong> \u2013 Belarus passed<\/a> a new data protection law that creates a data protection regulator, specifies data subject rights and imposes obligations on organizations to ensure data protection. The new law will be in effect beginning November 15, 2021.<\/li>\n<\/ul>\n
\n \t
Saudi Arabia<\/strong> \u2013 Saudi Arabia\u2019s Communications and Information Technology Commission announced in May<\/a> that its cybersecurity regulatory framework<\/a> entered into force. The regulatory framework contains a comprehensive set of cybersecurity requirements and controls that apply to telecommunications, information technology and postal services providers.<\/li>\n<\/ul>\n
\n \t
South Africa<\/strong> \u2013 Full implementation and enforcement of South Africa\u2019s Protection of Personal Information Act, which was already partially in effect, began on July 1<\/a>. Failure to comply with the law may result in fines up to R10 million, imprisonment of up to 10 years or both. The South African Information Regulator issued<\/a> guidance notes, policies and other notices to assist with compliance.<\/li>\n<\/ul>\n
\n \t
Switzerland <\/strong>\u2013 Switzerland\u2019s Federal Council revised<\/a> the Ordinance on the Federal Data Protection Act and launched its public consultation on the ordinance. The revisions bring the ordinance into alignment with the revised Federal Data Protection Act<\/a>. Both the revised act and the ordinance are expected to come into force in the latter half of 2022. The new provisions of both aim to ensure compatibility between Swiss data protection laws and the EU\u2019s GDPR.<\/li>\n<\/ul>\n
\n \t
Uganda <\/strong>\u2013 Uganda\u2019s new Data Protection and Privacy Regulations<\/a> are in effect as of mid-April. The regulations establish a Personal Data Protection Office and require registration with the office. They also clarify data subject rights, impose limitations on personal data processing outside Uganda and add data breach notification obligations.<\/li>\n<\/ul>\n
\n \t
Uzbekistan<\/strong> \u2013 New data localization requirements<\/a> are now in force in Uzbekistan that require the personal data of Uzbek citizens to be processed in Uzbekistan and stored in registered Uzbek databases.<\/li>\n<\/ul>\nThe Americas<\/strong>\n\nBrazil\u2019s LGPD <\/strong>\u2013 The administrative sanctions<\/a> available under Brazil\u2019s Lei Geral de Prote\u00e7\u00e3o de Dados (LGPD) now may be imposed as of August 1, allowing its DPA, the Autoridade Nacional de Prote\u00e7\u00e3o de Dados (ANPD) to enforce compliance with the law more effectively. The ANPD has indicated<\/a> that the regulator plans to take a \u201cresponsive regulation\u201d approach, gathering information and investigating before deciding on appropriate measures. In May, the ANPD issued guidance<\/a> on the roles of data controllers and data processors and the designation of data protection officers to help companies with compliance.\n\nCanada\u2019s Revised Sensitive Personal Information Guidance<\/strong> \u2013 In August, Canada\u2019s Office of the Privacy Commissioner revised several of its guidance documents<\/a> to help businesses subject to Canada\u2019s Personal Information Protection and Electronic Documents Act better understand, evaluate and protect the types of data considered sensitive. Specifically, although any personal information can be contextually sensitive, certain types of information \u2013 including health and financial information, ethnic and racial origins, political and religious beliefs and opinions, genetic and biometric data, and information about an individual\u2019s sex life or sexual orientation \u2013 will generally be considered sensitive and therefore require heightened protection.\n\nEcuador\u2019s Organic Law on Data Protection<\/strong> \u2013 Ecuador\u2019s Organic Law on the","saveContent":" $\"\"$ This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer.\n\nAsia-Pacific<\/strong>\n\nChina\u2019s Data Security Law and Personal Information Protection Law<\/strong> \u2013 This summer, the People\u2019s Republic of China passed two new data protection laws. The Data Security Law (DSL)<\/a> passed in June and is in effect<\/a> as of September\u00a01. The DSL applies broadly to data use and data processing activities, including those that take place outside China, when they could harm China\u2019s national security or public interests or the legal rights and interests of Chinese citizens and organizations. The DSL outlines data security requirements that aim to safeguard data through comprehensive data security management, ongoing assessments, regulatory reporting, and effective risk monitoring and remediation. Many of the required protections depend on how data is classified under the DSL. Sanctions for noncompliance include monetary penalties and business license revocation or suspension.\n\n\n\nIn August, China adopted<\/a> a comprehensive data protection law, the Personal Information Protection Law<\/a> (PIPL<\/a>). PIPL will come into effect<\/a> on November\u00a01, 2021. PIPL covers the processing of personal information of individuals located in China, including when that information is processed outside China, such as when providing goods and services in China or analyzing or assessing the behavior of individuals in China. PIPL\u2019s definition of personal information is broad and similar to the EU\u2019s General Data Protection Regulation (GDPR) and many other data protection laws. The definition of sensitive personal information (including biometric identifiers, religion, health, location tracking, etc.) also is familiar but adds financial information and the personal information of individuals under the age of 14. Like the GDPR, PIPL distinguishes between entities that determine the purposes of processing and those that do not, requires a Chinese-based representative for non-Chinese companies subject to PIPL, necessitates a lawful basis for personal information processing, provides individuals with certain rights over their personal information, restricts cross-border personal information transfers, and allows for steep monetary penalties. However, certain PIPL requirements differ from those of the GDPR. For example, PIPL requires discrete consent for specified personal information processing activities including disclosure, cross-border transfer and sensitive personal information processing. Additionally, PIPL provides a private right of action if an individual\u2019s request to exercise rights under the law is rejected.\n\nIndia\u2019s IT Rules <\/strong>\u2013 Earlier this year, India published<\/a> its new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021<\/a> (IT Rules). On May\u00a025, the three-month compliance grace period<\/a> ended for significant social media intermediaries (those with 5 million or more registered users in India). The IT Rules are applicable to news publishers and intermediaries that \u201cenable the transmission of news and current affairs,\u201d such as social media networks, blogs and online discussion forums. The IT Rules apply differently depending on the platform\u2019s scale, and they impose obligations related to, among other things, content due diligence, content moderation, automated content screening and illegal content removal. The validity of many of these requirements is currently being challenged in the Indian High Courts.\n\nThailand\u2019s Personal Data Protection Act<\/strong> \u2013 Thailand\u2019s comprehensive data protection law, the Personal Data Protection Act, was set to come into effect in June 2021. However, the Thai government has pushed back the enforcement date<\/a> for a number of provisions to May\u00a031, 2022.\n\nSouth Korean Adequacy Decision<\/strong> \u2013 In June, the European Commission (EC) started the process<\/a> to adopt an adequacy decision for South Korea, which would allow the transfer of European Union (EU) personal data to South Korea without additional safeguards. The EC\u2019s draft adequacy decision<\/a> deems South Korea to offer a level of data protection essentially equivalent to that provided under the GDPR, emphasizing the recent reform of South Korea\u2019s Personal Information Protection Act, which strengthened the powers of South Korea\u2019s regulator, the Personal Information Protection Committee (PIPC). Several additional safeguards, enforceable by PIPC, were also agreed to during the adequacy talks<\/a> and are aimed at enhancing the protection of EU personal data transferred to South Korea. PIPC\u2019s press release<\/a> regarding the draft adequacy decision indicates that the final adoption of South Korean adequacy is likely by the end of the year.\n\nEurope, the Middle East and Africa (EMEA)<\/strong>\n\nEU Data Transfers<\/strong> \u2013 Cross-border data transfer issues have been top of mind for many U.S. companies doing business with Europe since the Court of Justice of the European Union\u2019s Schrems II<\/em> decision<\/a> in July 2020. This past June, we were given more clarity<\/a>, first in the new European Commission Standard Contractual Clauses<\/a> (SCCs) for international personal data transfers and then in the European Data Protection Board\u2019s (EDPB) final recommendations on supplemental personal data transfer measures<\/a>. Even as companies move forward to implement the new SCCs, which will fully replace the prior versions on September\u00a027, European data protection authorities (DPAs) continue to issue related guidance, are auditing compliance with data transfer requirements and are taking enforcement actions against noncompliant data transfers.\n\nFrance\u2019s Commission nationale de l\u2019informatique et des libert\u00e9s (CNIL), for example, updated its data transfer information<\/a> and FAQs on the invalidation of the Privacy Shield<\/a> and issued a guide to help data controllers assess<\/a> their cross-border data transfers along with a revised map<\/a> broadly showing data protection levels worldwide. Meanwhile, the German DPAs issued statements regarding<\/a> data transfer obligations<\/a>, specifically the need for additional assessments and supplementary measures and actions companies should take<\/a>. Simultaneously, the German DPAs began<\/a> coordinated data transfer compliance audits<\/a>, sending questionnaires<\/a> to various companies.\n\nWith regard to cloud computing specifically, the European Data Protection Supervisor (EDPS) also began an examination of the data transfer contracts<\/a> for cloud services used by EU institutions. Belgium\u2019s Autorit\u00e9 de la protection des donn\u00e9es\/Gegevensbeschermingsautoriteit (APD-GBA) approved a code of conduct for cloud service providers<\/a>, and the French government released information about their national strategy for cloud technologies<\/a>.\n\nElsewhere, enforcement action continued. The Portuguese Comiss\u00e3o Nacional de Prote\u00e7\u00e3o de Dados suspended<\/a> the international transfer of census data to the United States as noncompliant with the Schrems II <\/em>decision. The French CNIL expressed concern<\/a> regarding personal data transfers and the use of collaborative educational technologies at French universities. In Germany, the Hamburg DPA advised the regional Senate Chancellery<\/a> to suspend its use of on-demand videoconferencing, as the use required the transfer of personal data to the United States, and the DPA determined that the strict requirements for the data transfer could not be met. And the Bavarian DPA warned a company<\/a> that its failure to implement additional measures to protect personal data made the data transfers noncompliant with the GDPR following Schrems II<\/em>. The company voluntarily suspended its use of the third-party processor before any additional action was taken.\n\nThese actions, taken together, suggest that there is not yet a single European approach to evaluating data transfers and that some DPAs may interpret the SCCs and EDPB guidance more strictly than others that are willing to take a more practical approach to data transfer requirements. Meanwhile, the EU and the U.S. continue negotiations<\/a> on a more comprehensive mechanism for approved data transfers as a replacement for the defunct Privacy Shield Framework.\n\nUK Adequacy and Data Transfers <\/strong>\u2013 On June\u00a028, the EC adopted final adequacy decisions<\/a> for the United Kingdom (UK) \u2013 one under the GDPR<\/a> and one under the Law Enforcement Directive<\/a> \u2013 which means that personal data can now \u201cflow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.\u201d Opinions from the EDPB<\/a> and the European Parliament<\/a> pointed to concerns related to onward transfers from and public authority access to personal data transferred to the UK. Separately from the EU adequacy negotiations, the Grand Chamber of the European Court of Human Rights ruled in May<\/a> that the UK\u2019s public authority bulk surveillance powers were incompatible with fundamental human rights, did not have sufficient safeguards, and \u201clacked an extensive independent and continual oversight\u201d mechanism. Ultimately, the final UK adequacy decisions are limited to a four-year (renewable) period, and adequacy will be monitored throughout in case there is a future divergence between EU and UK laws. The UK has already recognized<\/a> the European Economic Area countries as adequate, so the flow of personal data is now allowed in both directions.\n\nOn August\u00a011, the UK Information Commissioner\u2019s Office (ICO) initiated its consultation on transfers of personal data<\/a> out of the UK, publishing, in addition to the consultation paper and questions, a draft UK addendum to the EC\u2019s SCCs, an international data transfer agreement (IDTA) and an international transfer risk assessment. The ICO\u2019s IDTA introduces a new format \u2013 a unified, adaptable agreement that can be signed between controllers, processors and others and includes a table that identifies the agreement\u2019s key details at the beginning. The transfer risk assessment provides an optional framework that takes a holistic approach to these assessments, helpfully moving somewhat away from the law enforcement access focus of late. The document includes guidance and examples and can be freely modified based on an organization\u2019s data processing risks. Most businesses will be happiest to see that the ICO is considering whether to permit data transfers via a UK-specific addendum that can be appended to data transfer agreements approved by other jurisdictions, including the new EU SCCs. The proposed addendum is brief and flexible. The ICO\u2019s consultation period closes on October\u00a07, so we will not have a final UK decision in place prior to the September\u00a027 expiration of the old EU SCCs. Businesses should continue to expect contracting complexities in moving European personal data until we have the ICO\u2019s final guidance.\n\nSwiss Data Transfers <\/strong>\u2013 The Swiss data protection authority has approved the use of the revised EU SCCs<\/a> for cross-border transfers of Swiss personal data as long as specific requirements are met that comply with Swiss law. The necessary modifications will be dependent on whether the transfer involves only Swiss data or a combination of Swiss and EU data. The changes required to use the EU SCCs for Swiss data transfers include giving parallel supervisory authority to the Swiss and EU Member State DPAs and supplementing the SCCs with an annex specifying the inclusion of Switzerland and Swiss laws in the SCCs. Effective September\u00a027, 2021, the Swiss DPA will terminate its approval for all previously approved model clauses, including the Swiss Transborder Data Flow Agreement and older EU SCCs. Prior uses of these agreements may remain in place until January\u00a01, 2023, unless the underlying contract changes significantly.\n\nArtificial Intelligence (AI) \u2013 <\/strong>In April, the EC proposed its expansive new AI Regulation<\/a>, which would ban certain AI practices that create an unacceptable risk. The draft AI Regulation outlines strict safeguards for AI systems that it defines as high risk, creates voluntary codes of conduct for lower-risk AI systems and establishes the potential for large fines for noncompliance. In June, the EDBP and the EDPS issued<\/a> a joint opinion on the AI Regulation<\/a>, highlighting that the processing of any personal data under the AI Regulation would also be subject to existing EU data protection laws and asking for a general prohibition on the use of AI for both remote biometric identification in public spaces and algorithmic uses of AI that can lead to discrimination.\n\nEU\u2019s One-Stop Shop \u2013<\/strong> Bypassing the Lead Supervisory Authority <\/strong>\u2013 Under the EU\u2019s GDPR, cross-border data protection matters that involve multiple EU Member States are typically handled by a lead DPA, which is the DPA in the Member State where the organization under investigation is based. This so-called one-stop shop mechanism<\/a> is intended to simplify enforcement for businesses that operate in multiple Member States. The EDPB explained in a May response<\/a> that the one-stop shop mechanism \u201censures that the lead supervisory authority responsible for investigating cases against a particular controller considers the input of any concerned supervisory authority.\u201d A Court of Justice of the European Union decision on June 15 clarified<\/a> that in some limited situations, such as when the matter is truly urgent, other DPAs can bring cases against organizations for which another DPA is the lead supervisory authority.\n\nCookies and Tracking Technologies<\/strong> \u2013 March 31 was the deadline for adopting the new recommendations for the use of cookies and tracking technologies issued by France\u2019s CNIL. On April\u00a02, the CNIL signaled its intent to audit compliance<\/a> with the new guidelines. The next month, on May\u00a018, the CNIL announced that it had issued formal notices<\/a> to 20 organizations, ordering them to comply with the requirement to allow Internet users to refuse cookies as easily as they can accept them; all companies that received notices have now resolved<\/a> the issues. However, not all companies that received notices in the CNIL\u2019s next round of notices<\/a> complied, leading to sanctions. Additionally, the CNIL issued a \u20ac50,000 fine for cookie noncompliance<\/a> in late July and also cited cookie noncompliance<\/a>, remedied while the matter was under review, in a recent decision and a fine issued primarily for failures to obtain consent and adequately respond to data subject rights.\n\nProving this is not merely a French issue, Spain\u2019s Agencia<\/a> Espa\u00f1ola de Protecci\u00f3n<\/a> de Datos<\/a> and Norway\u2019s Datatilsynet<\/a> both issued fines for noncompliant uses of tracking technologies, focusing on the lack of user consents, inability to reject cookies and failure to post an adequate cookie policy. Italy\u2019s Garante per la protezione dei dati personali (Garante) published its new guidelines<\/a> for the use of cookies and tracking technologies<\/a> in July. Also in July, Finland\u2019s Traficom published revised guidelines<\/a> for \u201cclarity in cookie practices.\u201d\n\nNot to be left out of the push for cookie compliance, the European nonprofit noyb (founded by Max Schrems) is taking on cookie banners<\/a> and has developed its own cookie compliance monitoring tool. In a statement on May\u00a031, noyb accused organizations<\/a> of attempting to frustrate users into cookie consent and said noyb had issued more than 500 draft complaints to companies with noncompliant cookie banners as part of its goal to \u201cend cookie banner terror.\u201d In August, noyb stated that they had followed up on their draft complaints<\/a> by filing 422 complaints with DPAs across the EU.\n\nHealth Data<\/strong> \u2013 As Europe loosens COVID-19-related restrictions, vaccine passports and employer collection of employee COVID-19 vaccination status have been key areas of interest. In June, the EU signed the Regulation on the EU Digital COVID Certificate<\/a>, which will be in effect for 12 months beginning on July\u00a01 and aims to \u201cfacilitate safe and free movement inside the EU during the COVID-19 pandemic.\u201d The EU Digital COVID Certificate gateway was live as of June 1<\/a> and was at launch being used already in Bulgaria, Croatia, the Czech Republic, Denmark, Germany, Greece and Poland. Several countries have issued guidance with a few key themes on workplace COVID-19 measures. The Italian Garante, for example, highlighted that the imbalance<\/a> in the employer-employee relationship means that consent cannot be the legal basis for processing vaccination-related personal data, and consequences (positive or negative) may not be based on an employee\u2019s vaccination status. Taking this one step further, the Irish Data Protection Commission\u2019s guidance states that processing vaccination data is likely<\/a> to \u201crepresent unnecessary and excessive data collection for which no clear legal basis exists\u201d where a public health authority has not determined that it is necessary for employers to collect the data or provided direction on how they should use the information once they have it.\n\nUK\u2019s Children\u2019s Code<\/strong> \u2013 The Children\u2019s Code (or the Age Appropriate Design Code) in the UK<\/a> is fully in force as of September 2, 2021. This code includes 15 standards that online services \u2013 including apps, games, connected toys and devices, social media platforms, online marketplaces, and content streaming services \u2013 must follow if children are likely to access the service. These standards help ensure compliance with obligations related to protecting children\u2019s data online. The code applies to any companies that process the personal data of UK children, regardless of location.\n\nEuropean Data Protection Board <\/strong>\u2013 The EDPB had a busy summer, issuing guidelines on the concepts of controller and processor<\/a>, virtual voice assistants<\/a> and codes of conduct as tools for data transfers under the GDPR<\/a> as well as finalizing the recommendations for supplemental cross-border data transfer tools<\/a>. The EDPB also called upon Member States<\/a> to assess and \u201creview their international agreements that involve international transfers of personal data,\u201d taking into consideration both the GDPR and the EU\u2019s Law Enforcement Directive.\n\nNew EMEA Laws and Regulations<\/strong>\n
\n \t
Belarus<\/strong> \u2013 Belarus passed<\/a> a new data protection law that creates a data protection regulator, specifies data subject rights and imposes obligations on organizations to ensure data protection. The new law will be in effect beginning November 15, 2021.<\/li>\n<\/ul>\n
\n \t
Saudi Arabia<\/strong> \u2013 Saudi Arabia\u2019s Communications and Information Technology Commission announced in May<\/a> that its cybersecurity regulatory framework<\/a> entered into force. The regulatory framework contains a comprehensive set of cybersecurity requirements and controls that apply to telecommunications, information technology and postal services providers.<\/li>\n<\/ul>\n
\n \t
South Africa<\/strong> \u2013 Full implementation and enforcement of South Africa\u2019s Protection of Personal Information Act, which was already partially in effect, began on July 1<\/a>. Failure to comply with the law may result in fines up to R10 million, imprisonment of up to 10 years or both. The South African Information Regulator issued<\/a> guidance notes, policies and other notices to assist with compliance.<\/li>\n<\/ul>\n
\n \t
Switzerland <\/strong>\u2013 Switzerland\u2019s Federal Council revised<\/a> the Ordinance on the Federal Data Protection Act and launched its public consultation on the ordinance. The revisions bring the ordinance into alignment with the revised Federal Data Protection Act<\/a>. Both the revised act and the ordinance are expected to come into force in the latter half of 2022. The new provisions of both aim to ensure compatibility between Swiss data protection laws and the EU\u2019s GDPR.<\/li>\n<\/ul>\n
\n \t
Uganda <\/strong>\u2013 Uganda\u2019s new Data Protection and Privacy Regulations<\/a> are in effect as of mid-April. The regulations establish a Personal Data Protection Office and require registration with the office. They also clarify data subject rights, impose limitations on personal data processing outside Uganda and add data breach notification obligations.<\/li>\n<\/ul>\n
\n \t
Uzbekistan<\/strong> \u2013 New data localization requirements<\/a> are now in force in Uzbekistan that require the personal data of Uzbek citizens to be processed in Uzbekistan and stored in registered Uzbek databases.<\/li>\n<\/ul>\nThe Americas<\/strong>\n\nBrazil\u2019s LGPD <\/strong>\u2013 The administrative sanctions<\/a> available under Brazil\u2019s Lei Geral de Prote\u00e7\u00e3o de Dados (LGPD) now may be imposed as of August 1, allowing its DPA, the Autoridade Nacional de Prote\u00e7\u00e3o de Dados (ANPD) to enforce compliance with the law more effectively. The ANPD has indicated<\/a> that the regulator plans to take a \u201cresponsive regulation\u201d approach, gathering information and investigating before deciding on appropriate measures. In May, the ANPD issued guidance<\/a> on the roles of data controllers and data processors and the designation of data protection officers to help companies with compliance.\n\nCanada\u2019s Revised Sensitive Personal Information Guidance<\/strong> \u2013 In August, Canada\u2019s Office of the Privacy Commissioner revised several of its guidance documents<\/a> to help businesses subject to Canada\u2019s Personal Information Protection and Electronic Documents Act better understand, evaluate and protect the types of data considered sensitive. Specifically, although any personal information can be contextually sensitive, certain types of information \u2013 including health and financial information, ethnic and racial origins, political and religious beliefs and opinions, genetic and biometric data, and information about an individual\u2019s sex life or sexual orientation \u2013 will generally be considered sensitive and therefore require heightened protection.\n\nEcuador\u2019s Organic Law on Data Protection<\/strong> \u2013 Ecuador\u2019s Organic Law on the","order":0,"get_parent":{},"attributes":{"content":" $\"\"$ This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer.\n\nAsia-Pacific<\/strong>\n\nChina\u2019s Data Security Law and Personal Information Protection Law<\/strong> \u2013 This summer, the People\u2019s Republic of China passed two new data protection laws. The Data Security Law (DSL)<\/a> passed in June and is in effect<\/a> as of September\u00a01. The DSL applies broadly to data use and data processing activities, including those that take place outside China, when they could harm China\u2019s national security or public interests or the legal rights and interests of Chinese citizens and organizations. The DSL outlines data security requirements that aim to safeguard data through comprehensive data security management, ongoing assessments, regulatory reporting, and effective risk monitoring and remediation. Many of the required protections depend on how data is classified under the DSL. Sanctions for noncompliance include monetary penalties and business license revocation or suspension.\n\n\n\nIn August, China adopted<\/a> a comprehensive data protection law, the Personal Information Protection Law<\/a> (PIPL<\/a>). PIPL will come into effect<\/a> on November\u00a01, 2021. PIPL covers the processing of personal information of individuals located in China, including when that information is processed outside China, such as when providing goods and services in China or analyzing or assessing the behavior of individuals in China. PIPL\u2019s definition of personal information is broad and similar to the EU\u2019s General Data Protection Regulation (GDPR) and many other data protection laws. The definition of sensitive personal information (including biometric identifiers, religion, health, location tracking, etc.) also is familiar but adds financial information and the personal information of individuals under the age of 14. Like the GDPR, PIPL distinguishes between entities that determine the purposes of processing and those that do not, requires a Chinese-based representative for non-Chinese companies subject to PIPL, necessitates a lawful basis for personal information processing, provides individuals with certain rights over their personal information, restricts cross-border personal information transfers, and allows for steep monetary penalties. However, certain PIPL requirements differ from those of the GDPR. For example, PIPL requires discrete consent for specified personal information processing activities including disclosure, cross-border transfer and sensitive personal information processing. Additionally, PIPL provides a private right of action if an individual\u2019s request to exercise rights under the law is rejected.\n\nIndia\u2019s IT Rules <\/strong>\u2013 Earlier this year, India published<\/a> its new Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021<\/a> (IT Rules). On May\u00a025, the three-month compliance grace period<\/a> ended for significant social media intermediaries (those with 5 million or more registered users in India). The IT Rules are applicable to news publishers and intermediaries that \u201cenable the transmission of news and current affairs,\u201d such as social media networks, blogs and online discussion forums. The IT Rules apply differently depending on the platform\u2019s scale, and they impose obligations related to, among other things, content due diligence, content moderation, automated content screening and illegal content removal. The validity of many of these requirements is currently being challenged in the Indian High Courts.\n\nThailand\u2019s Personal Data Protection Act<\/strong> \u2013 Thailand\u2019s comprehensive data protection law, the Personal Data Protection Act, was set to come into effect in June 2021. However, the Thai government has pushed back the enforcement date<\/a> for a number of provisions to May\u00a031, 2022.\n\nSouth Korean Adequacy Decision<\/strong> \u2013 In June, the European Commission (EC) started the process<\/a> to adopt an adequacy decision for South Korea, which would allow the transfer of European Union (EU) personal data to South Korea without additional safeguards. The EC\u2019s draft adequacy decision<\/a> deems South Korea to offer a level of data protection essentially equivalent to that provided under the GDPR, emphasizing the recent reform of South Korea\u2019s Personal Information Protection Act, which strengthened the powers of South Korea\u2019s regulator, the Personal Information Protection Committee (PIPC). Several additional safeguards, enforceable by PIPC, were also agreed to during the adequacy talks<\/a> and are aimed at enhancing the protection of EU personal data transferred to South Korea. PIPC\u2019s press release<\/a> regarding the draft adequacy decision indicates that the final adoption of South Korean adequacy is likely by the end of the year.\n\nEurope, the Middle East and Africa (EMEA)<\/strong>\n\nEU Data Transfers<\/strong> \u2013 Cross-border data transfer issues have been top of mind for many U.S. companies doing business with Europe since the Court of Justice of the European Union\u2019s Schrems II<\/em> decision<\/a> in July 2020. This past June, we were given more clarity<\/a>, first in the new European Commission Standard Contractual Clauses<\/a> (SCCs) for international personal data transfers and then in the European Data Protection Board\u2019s (EDPB) final recommendations on supplemental personal data transfer measures<\/a>. Even as companies move forward to implement the new SCCs, which will fully replace the prior versions on September\u00a027, European data protection authorities (DPAs) continue to issue related guidance, are auditing compliance with data transfer requirements and are taking enforcement actions against noncompliant data transfers.\n\nFrance\u2019s Commission nationale de l\u2019informatique et des libert\u00e9s (CNIL), for example, updated its data transfer information<\/a> and FAQs on the invalidation of the Privacy Shield<\/a> and issued a guide to help data controllers assess<\/a> their cross-border data transfers along with a revised map<\/a> broadly showing data protection levels worldwide. Meanwhile, the German DPAs issued statements regarding<\/a> data transfer obligations<\/a>, specifically the need for additional assessments and supplementary measures and actions companies should take<\/a>. Simultaneously, the German DPAs began<\/a> coordinated data transfer compliance audits<\/a>, sending questionnaires<\/a> to various companies.\n\nWith regard to cloud computing specifically, the European Data Protection Supervisor (EDPS) also began an examination of the data transfer contracts<\/a> for cloud services used by EU institutions. Belgium\u2019s Autorit\u00e9 de la protection des donn\u00e9es\/Gegevensbeschermingsautoriteit (APD-GBA) approved a code of conduct for cloud service providers<\/a>, and the French government released information about their national strategy for cloud technologies<\/a>.\n\nElsewhere, enforcement action continued. The Portuguese Comiss\u00e3o Nacional de Prote\u00e7\u00e3o de Dados suspended<\/a> the international transfer of census data to the United States as noncompliant with the Schrems II <\/em>decision. The French CNIL expressed concern<\/a> regarding personal data transfers and the use of collaborative educational technologies at French universities. In Germany, the Hamburg DPA advised the regional Senate Chancellery<\/a> to suspend its use of on-demand videoconferencing, as the use required the transfer of personal data to the United States, and the DPA determined that the strict requirements for the data transfer could not be met. And the Bavarian DPA warned a company<\/a> that its failure to implement additional measures to protect personal data made the data transfers noncompliant with the GDPR following Schrems II<\/em>. The company voluntarily suspended its use of the third-party processor before any additional action was taken.\n\nThese actions, taken together, suggest that there is not yet a single European approach to evaluating data transfers and that some DPAs may interpret the SCCs and EDPB guidance more strictly than others that are willing to take a more practical approach to data transfer requirements. Meanwhile, the EU and the U.S. continue negotiations<\/a> on a more comprehensive mechanism for approved data transfers as a replacement for the defunct Privacy Shield Framework.\n\nUK Adequacy and Data Transfers <\/strong>\u2013 On June\u00a028, the EC adopted final adequacy decisions<\/a> for the United Kingdom (UK) \u2013 one under the GDPR<\/a> and one under the Law Enforcement Directive<\/a> \u2013 which means that personal data can now \u201cflow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.\u201d Opinions from the EDPB<\/a> and the European Parliament<\/a> pointed to concerns related to onward transfers from and public authority access to personal data transferred to the UK. Separately from the EU adequacy negotiations, the Grand Chamber of the European Court of Human Rights ruled in May<\/a> that the UK\u2019s public authority bulk surveillance powers were incompatible with fundamental human rights, did not have sufficient safeguards, and \u201clacked an extensive independent and continual oversight\u201d mechanism. Ultimately, the final UK adequacy decisions are limited to a four-year (renewable) period, and adequacy will be monitored throughout in case there is a future divergence between EU and UK laws. The UK has already recognized<\/a> the European Economic Area countries as adequate, so the flow of personal data is now allowed in both directions.\n\nOn August\u00a011, the UK Information Commissioner\u2019s Office (ICO) initiated its consultation on transfers of personal data<\/a> out of the UK, publishing, in addition to the consultation paper and questions, a draft UK addendum to the EC\u2019s SCCs, an international data transfer agreement (IDTA) and an international transfer risk assessment. The ICO\u2019s IDTA introduces a new format \u2013 a unified, adaptable agreement that can be signed between controllers, processors and others and includes a table that identifies the agreement\u2019s key details at the beginning. The transfer risk assessment provides an optional framework that takes a holistic approach to these assessments, helpfully moving somewhat away from the law enforcement access focus of late. The document includes guidance and examples and can be freely modified based on an organization\u2019s data processing risks. Most businesses will be happiest to see that the ICO is considering whether to permit data transfers via a UK-specific addendum that can be appended to data transfer agreements approved by other jurisdictions, including the new EU SCCs. The proposed addendum is brief and flexible. The ICO\u2019s consultation period closes on October\u00a07, so we will not have a final UK decision in place prior to the September\u00a027 expiration of the old EU SCCs. Businesses should continue to expect contracting complexities in moving European personal data until we have the ICO\u2019s final guidance.\n\nSwiss Data Transfers <\/strong>\u2013 The Swiss data protection authority has approved the use of the revised EU SCCs<\/a> for cross-border transfers of Swiss personal data as long as specific requirements are met that comply with Swiss law. The necessary modifications will be dependent on whether the transfer involves only Swiss data or a combination of Swiss and EU data. The changes required to use the EU SCCs for Swiss data transfers include giving parallel supervisory authority to the Swiss and EU Member State DPAs and supplementing the SCCs with an annex specifying the inclusion of Switzerland and Swiss laws in the SCCs. Effective September\u00a027, 2021, the Swiss DPA will terminate its approval for all previously approved model clauses, including the Swiss Transborder Data Flow Agreement and older EU SCCs. Prior uses of these agreements may remain in place until January\u00a01, 2023, unless the underlying contract changes significantly.\n\nArtificial Intelligence (AI) \u2013 <\/strong>In April, the EC proposed its expansive new AI Regulation<\/a>, which would ban certain AI practices that create an unacceptable risk. The draft AI Regulation outlines strict safeguards for AI systems that it defines as high risk, creates voluntary codes of conduct for lower-risk AI systems and establishes the potential for large fines for noncompliance. In June, the EDBP and the EDPS issued<\/a> a joint opinion on the AI Regulation<\/a>, highlighting that the processing of any personal data under the AI Regulation would also be subject to existing EU data protection laws and asking for a general prohibition on the use of AI for both remote biometric identification in public spaces and algorithmic uses of AI that can lead to discrimination.\n\nEU\u2019s One-Stop Shop \u2013<\/strong> Bypassing the Lead Supervisory Authority <\/strong>\u2013 Under the EU\u2019s GDPR, cross-border data protection matters that involve multiple EU Member States are typically handled by a lead DPA, which is the DPA in the Member State where the organization under investigation is based. This so-called one-stop shop mechanism<\/a> is intended to simplify enforcement for businesses that operate in multiple Member States. The EDPB explained in a May response<\/a> that the one-stop shop mechanism \u201censures that the lead supervisory authority responsible for investigating cases against a particular controller considers the input of any concerned supervisory authority.\u201d A Court of Justice of the European Union decision on June 15 clarified<\/a> that in some limited situations, such as when the matter is truly urgent, other DPAs can bring cases against organizations for which another DPA is the lead supervisory authority.\n\nCookies and Tracking Technologies<\/strong> \u2013 March 31 was the deadline for adopting the new recommendations for the use of cookies and tracking technologies issued by France\u2019s CNIL. On April\u00a02, the CNIL signaled its intent to audit compliance<\/a> with the new guidelines. The next month, on May\u00a018, the CNIL announced that it had issued formal notices<\/a> to 20 organizations, ordering them to comply with the requirement to allow Internet users to refuse cookies as easily as they can accept them; all companies that received notices have now resolved<\/a> the issues. However, not all companies that received notices in the CNIL\u2019s next round of notices<\/a> complied, leading to sanctions. Additionally, the CNIL issued a \u20ac50,000 fine for cookie noncompliance<\/a> in late July and also cited cookie noncompliance<\/a>, remedied while the matter was under review, in a recent decision and a fine issued primarily for failures to obtain consent and adequately respond to data subject rights.\n\nProving this is not merely a French issue, Spain\u2019s Agencia<\/a> Espa\u00f1ola de Protecci\u00f3n<\/a> de Datos<\/a> and Norway\u2019s Datatilsynet<\/a> both issued fines for noncompliant uses of tracking technologies, focusing on the lack of user consents, inability to reject cookies and failure to post an adequate cookie policy. Italy\u2019s Garante per la protezione dei dati personali (Garante) published its new guidelines<\/a> for the use of cookies and tracking technologies<\/a> in July. Also in July, Finland\u2019s Traficom published revised guidelines<\/a> for \u201cclarity in cookie practices.\u201d\n\nNot to be left out of the push for cookie compliance, the European nonprofit noyb (founded by Max Schrems) is taking on cookie banners<\/a> and has developed its own cookie compliance monitoring tool. In a statement on May\u00a031, noyb accused organizations<\/a> of attempting to frustrate users into cookie consent and said noyb had issued more than 500 draft complaints to companies with noncompliant cookie banners as part of its goal to \u201cend cookie banner terror.\u201d In August, noyb stated that they had followed up on their draft complaints<\/a> by filing 422 complaints with DPAs across the EU.\n\nHealth Data<\/strong> \u2013 As Europe loosens COVID-19-related restrictions, vaccine passports and employer collection of employee COVID-19 vaccination status have been key areas of interest. In June, the EU signed the Regulation on the EU Digital COVID Certificate<\/a>, which will be in effect for 12 months beginning on July\u00a01 and aims to \u201cfacilitate safe and free movement inside the EU during the COVID-19 pandemic.\u201d The EU Digital COVID Certificate gateway was live as of June 1<\/a> and was at launch being used already in Bulgaria, Croatia, the Czech Republic, Denmark, Germany, Greece and Poland. Several countries have issued guidance with a few key themes on workplace COVID-19 measures. The Italian Garante, for example, highlighted that the imbalance<\/a> in the employer-employee relationship means that consent cannot be the legal basis for processing vaccination-related personal data, and consequences (positive or negative) may not be based on an employee\u2019s vaccination status. Taking this one step further, the Irish Data Protection Commission\u2019s guidance states that processing vaccination data is likely<\/a> to \u201crepresent unnecessary and excessive data collection for which no clear legal basis exists\u201d where a public health authority has not determined that it is necessary for employers to collect the data or provided direction on how they should use the information once they have it.\n\nUK\u2019s Children\u2019s Code<\/strong> \u2013 The Children\u2019s Code (or the Age Appropriate Design Code) in the UK<\/a> is fully in force as of September 2, 2021. This code includes 15 standards that online services \u2013 including apps, games, connected toys and devices, social media platforms, online marketplaces, and content streaming services \u2013 must follow if children are likely to access the service. These standards help ensure compliance with obligations related to protecting children\u2019s data online. The code applies to any companies that process the personal data of UK children, regardless of location.\n\nEuropean Data Protection Board <\/strong>\u2013 The EDPB had a busy summer, issuing guidelines on the concepts of controller and processor<\/a>, virtual voice assistants<\/a> and codes of conduct as tools for data transfers under the GDPR<\/a> as well as finalizing the recommendations for supplemental cross-border data transfer tools<\/a>. The EDPB also called upon Member States<\/a> to assess and \u201creview their international agreements that involve international transfers of personal data,\u201d taking into consideration both the GDPR and the EU\u2019s Law Enforcement Directive.\n\nNew EMEA Laws and Regulations<\/strong>\n
\n \t
\nBelarus<\/strong> \u2013 Belarus passed<\/a> a new data protection law that creates a data protection regulator, specifies data subject rights and imposes obligations on organizations to ensure data protection. The new law will be in effect beginning November 15, 2021.<\/li>\n<\/ul>\n
\n \t
\nSaudi Arabia<\/strong> \u2013 Saudi Arabia\u2019s Communications and Information Technology Commission announced in May<\/a> that its cybersecurity regulatory framework<\/a> entered into force. The regulatory framework contains a comprehensive set of cybersecurity requirements and controls that apply to telecommunications, information technology and postal services providers.<\/li>\n<\/ul>\n
\n \t
\nSouth Africa<\/strong> \u2013 Full implementation and enforcement of South Africa\u2019s Protection of Personal Information Act, which was already partially in effect, began on July 1<\/a>. Failure to comply with the law may result in fines up to R10 million, imprisonment of up to 10 years or both. The South African Information Regulator issued<\/a> guidance notes, policies and other notices to assist with compliance.<\/li>\n<\/ul>\n
\n \t
\nSwitzerland <\/strong>\u2013 Switzerland\u2019s Federal Council revised<\/a> the Ordinance on the Federal Data Protection Act and launched its public consultation on the ordinance. The revisions bring the ordinance into alignment with the revised Federal Data Protection Act<\/a>. Both the revised act and the ordinance are expected to come into force in the latter half of 2022. The new provisions of both aim to ensure compatibility between Swiss data protection laws and the EU\u2019s GDPR.<\/li>\n<\/ul>\n
\n \t
\nUganda <\/strong>\u2013 Uganda\u2019s new Data Protection and Privacy Regulations<\/a> are in effect as of mid-April. The regulations establish a Personal Data Protection Office and require registration with the office. They also clarify data subject rights, impose limitations on personal data processing outside Uganda and add data breach notification obligations.<\/li>\n<\/ul>\n
\n \t
\nUzbekistan<\/strong> \u2013 New data localization requirements<\/a> are now in force in Uzbekistan that require the personal data of Uzbek citizens to be processed in Uzbekistan and stored in registered Uzbek databases.<\/li>\n<\/ul>\nThe Americas<\/strong>\n\nBrazil\u2019s LGPD <\/strong>\u2013 The administrative sanctions<\/a> available under Brazil\u2019s Lei Geral de Prote\u00e7\u00e3o de Dados (LGPD) now may be imposed as of August 1, allowing its DPA, the Autoridade Nacional de Prote\u00e7\u00e3o de Dados (ANPD) to enforce compliance with the law more effectively. The ANPD has indicated<\/a> that the regulator plans to take a \u201cresponsive regulation\u201d approach, gathering information and investigating before deciding on appropriate measures. In May, the ANPD issued guidance<\/a> on the roles of data controllers and data processors and the designation of data protection officers to help companies with compliance.\n\nCanada\u2019s Revised Sensitive Personal Information Guidance<\/strong> \u2013 In August, Canada\u2019s Office of the Privacy Commissioner revised several of its guidance documents<\/a> to help businesses subject to Canada\u2019s Personal Information Protection and Electronic Documents Act better understand, evaluate and protect the types of data considered sensitive. Specifically, although any personal information can be contextually sensitive, certain types of information \u2013 including health and financial information, ethnic and racial origins, political and religious beliefs and opinions, genetic and biometric data, and information about an individual\u2019s sex life or sexual orientation \u2013 will generally be considered sensitive and therefore require heightened protection.\n\nEcuador\u2019s Organic Law on Data Protection<\/strong> \u2013 Ecuador\u2019s Organic Law on the<\/a>"},"attributesType":{"content":{"type":"string","source":"html"},"lock":{"type":"object"}},"dynamicContent":null}]

International Data Protection Update – Summer 2021