Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
Data Protection & Cyber Security
The primary law governing data and privacy issues is the Constitution of the Russian Federation, which grants citizens the right to privacy of correspondence, telephone conversations, mail, telegraph and other communications. The core laws that develop these constitutional principles are:
- Federal Law “On Personal Data” dated 27 July 2006 No. 152-FZ (“Personal Data Law”), which is the principal law in the sphere of data and privacy;
- Federal Law “On Information, Information Technologies and Protection of Information” dated July 27, 2006 No. 149-FZ, which provides for rights relating to the use of information, the protection of information and the use of information technologies;
- Federal Law “On Security of Critical Information Infrastructure of the Russian Federation” dated July 26, 2017, No. 187-FZ, which concerns ensuring the security of so-called critical information infrastructure and the obligations of critical information infrastructure subjects;
- Labour Code of the Russian Federation dated December 30, 2001 No. 197-FZ, which regulates the processing of employees’ data.
Important administrative regulations have also been issued by the Russian authorities, namely:
- “Requirements to Security of Personal Data Processed in Information Systems of Personal Data” approved by the Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119;
- “Scope and Composition of Organizational and Technical Measures to Ensure Security of Personal Data Processed in Information Systems of Personal Data” approved by the Order of the Federal Service for Export and Technical Control dated February 18, 2013 No. 21;
- “Scope and Composition of Organizational and Technical Measures to Ensure Security of Personal Data Processed in Information Systems of Personal Data with Use of Cryptographic Protection of Information Required to Comply with Personal Data Security Requirements Stated by the Government of the Russian Federation with respect to each Security Level” approved by the Order of the Federal Security Service dated July 10, 2014 No. 378;
- “Regulations on Peculiarities of Personal Data Processing Carried Out without Automated Means” approved by the Decree of the Government of the Russian Federation dated September 15, 2008 No. 687.
The main regulators in the area of data protection are as follows:
- Russian Data Protection Authority – Federal Service for Supervision of Communications, Information Technology, and Mass Media (“Roskomnadzor”) is a supervisory authority in the area of personal data protection. It carries out its functions through its central office and regional offices responsible for supervision over data controllers in their respective regions of Russia.
- Russian Federal Service for Technical and Export Control (“FSTEC”) is an authority responsible for supervision over protection of confidential information with use of technical tools.
- Russian Federal Security Service (“FSB”) is an authority responsible for supervision over protection of confidential information with use of encryption tools.
In Argentina, the most comprehensive statutory regulation regarding the protection of personal data is the Data Protection Law No. 25,326 (the “Data Protection Law”), which is regulated by Decree No. 1558/2001. The legal framework also includes the complementary regulations issued by the Agency of Access to Public Information (the “Data Protection Authority”).
The main purposes of the Data Protection Law are to guarantee (i) the complete protection of personal data; and (ii) the rights to good reputation, privacy and access to information, in accordance with Section 43 of the Argentine National Constitution, which safeguards the right to habeas data.
The Data Protection Law applies to any processing of personal data, including any disclosure, collection, storage, amendment, assignment and destruction of personal data. The provisions of the Data Protection Law apply to personal data belonging to individuals, as well as to legal entities. In addition, they apply to both the public and the private sector, and to all industries and activities.
The Data Protection Law is enforced by the Data Protection Authority, which has the duty of supervising the protection of personal data in order to guarantee the rights of good reputation, privacy and access to personal data. It is also afforded the powers to receive and handle complaints filed by data subjects, request public and private entities to provide information on the processing of personal data, and conduct inspections to verify compliance with the Data Protection Law.
In 2018, the Argentine Executive Branch introduced before Congress a bill intended to replace the Data Protection Law (the “Data Protection Bill”). The Data Protection Bill is generally in line with many approaches proposed by the European General Data Protection Regulation (“GDPR”).
The Brazilian Federal Constitution sets forth the core principles on the protection of privacy and personal information. According to the Constitution, privacy, private life, honor and image of individuals are inviolable, and the right to be compensated for economic and moral damages resulting from violation thereof is ensured.
Moreover, Brazil enacted, in August 2018, a General Data Protection Law (“LGPD”), which should become effective in August 2020, as amended by Provisional Act 869/2018, which is still under the Congress’ analysis. This law provides a wide regulation for personal data protection, including collection, storage, registration, monitoring, processing and disclosure of users' personal data. The law requires that personal data processing activities comply with a number of principles, such as purpose, transparency, security, free access by the data subject, prevention of damages and non-discrimination.
Currently, one of the most important sectoral laws is the Brazilian Civil Rights Framework for the Internet (Law 12.965/2014, the “Internet Law”) which establishes principles, guarantees, rights and obligations for the use of the Internet in Brazil. In addition, Decree 8.771 of May 11, 2016, which regulates the Internet Law, sets forth the rules related to the request of registration data by public administration authorities, as well as the security and confidentiality of records, personal data, and private communications.
Besides that, there are other sectoral laws and regulations concerning rights to privacy and data protection, including, but not limited to:
- Civil Code (Law 10.406/2002) grants general privacy rights to any individual and the right to claim against any attempt to breach such rights by any third party;
- Positive Credit Registry Act (Law 12.414/2011) permits databases of ‘positive’ credit information (i.e., fulfilment of contracted obligations) but prohibits the registry of excessive information (i.e., personal data which is not necessary for analyzing the credit risk) and sensitive data;
- Telecommunications Act (Law 9.472/1997) grants privacy rights to consumers in relation to telecommunications services;
- Wiretap Act (Law 9.296/1996) establishes that interception of communications can only occur by court order upon request by police authorities and the Public Prosecutor’s Office for purposes of criminal investigation or discovery in criminal proceedings;
- Bank Secrecy Act (Complementary Law 105/2001) requires that financial institutions (and similar entities) hold financial data of individuals and entities in secrecy, except under judicial order issued for purposes of investigation of any illegal acts or discovery in criminal proceedings;
- Resolution 3/2009 of the Internet Steering Committee in Brazil (CGI.br), establishes principles for ensuring privacy and data protection on the use of the internet in Brazil, mainly regarding activities developed by internet service providers;
- Resolution 124/2006 of the National Supplementary Health Agency imposes a fine on health insurance companies up to BRL 50,000 for the breach of personal information related to the health conditions of a patient.
There are also important laws under the Brazilian Congress’ analysis, such as the above-mentioned Provisional Act 869/2018 and the Proposal for Constitutional Amendment 17/2019, which adds item XII-A to article 5º and item XXX to article 22 of the Brazilian Federal Constitution to include the protection of personal data among the citizens’ fundamental rights and to give the Union exclusive jurisdiction to legislate on this subject.
In general, the Federal, State and Local Public Attorneys take the lead in enforcing the aforementioned legislation. Consumer Protection authorities also play a relevant role in enforcing the legislation applicable to consumers.
(i) General Laws
The main legislative act that governs privacy in Bulgaria is the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). In addition, the Personal Data Protection Act (in Bulgarian: Закон за защита на личните данни) (PDPA) regulates some specific aspects of the processing of personal data by way of GDPR derogations and transposes Directive (EU) 2016/680. With the latest amendment on 26 February 2019, the PDPA, which originally took effect in 2002, has been synchronised with the GDPR. The supervisory authority in charge of performing tasks and exercising powers under the GDPR and the PDPA is the Commission for Personal Data Protection (CPDP).
Finally, it should be noted that the right to privacy is also a constitutional right recognized and protected by the Constitution of the Republic of Bulgaria.
(ii) Sectoral Laws
In Bulgaria, there are a few sectoral laws that regulate the collection and use of personal data:
- The E-Commerce Act
- The E-Communications Act
  - transposes the E-Privacy Directive and regulates how public electronic communication service and network providers process users’ personal data when providing public electronic communication services and networks (e.g. traffic data, location data, etc.);
  - the Commission for Regulation of Communications is the main supervisory authority under this law, but the CPDP performs tasks and exercises specific powers under the Electronic Communications Act, in addition to those under the GDPR and the PDPA, with regard to the processing of personal data of users of public electronic communication services and networks, such as traffic data.
- The Law on Credit Institutions (LCI)
  - regulates bank secrecy;
  - the Bulgarian National Bank supervises compliance with the provisions regarding bank secrecy.
- Ordinance No 22 of 16 July 2009 on the Central Credit Register
  - regulates the operation of, provision of information to and receipt of credit information from the Bulgarian Central Credit Register;
  - the Bulgarian National Bank supervises compliance with the provisions regarding the provision and use of information from the Central Credit Register.
- The Health Act (HA)
  - regulates the collection, processing, use, storage and provision of medical information and documentation;
  - the Executive Agency ‘Medical Audit’ at the Ministry of Health supervises compliance with the provisions on the collection, processing, use, storage and provision of medical information and documentation.
- The Criminal Code (CC)
  - governs cybercrimes such as the disclosure of personal data through the unlawful distribution of computer programs, passwords, codes or other similar data for access to information systems.
The following answers are based on the current statutes dealing with data privacy. It must, however, be emphasized that the Federal Act on Data Protection, which is the main legal source for data protection (see next section), will be revised. The parliamentary debate about the revised statute is still ongoing. The main purpose of the revision is to harmonize Swiss law with the EU General Data Protection Regulation (GDPR) so that Swiss data protection laws will still be accepted as adequate by the EU. As a consequence, many of the obligations as set out in the GDPR, such as the information obligation, data breach notification, data protection impact assessment, will be integrated into the new Swiss statute. However, the provisions of the GDPR will not simply be copied. There will remain some differences. The revised statute will most likely not enter into force prior to 2020. There will then be a time period of two years for the implementation of the new duties by the data controllers.
Federal Act on Data Protection
The main regulation governing privacy in Switzerland is the Federal Act on Data Protection (FADP; see a tentative English translation here). As set out in art. 1 FADP, the statute aims to protect the privacy and the fundamental rights of persons when their data is processed. FADP applies to the processing of data pertaining to natural persons and legal persons by
- private persons and
- federal bodies.
The FADP covers any data processing by any private persons, i.e. individuals and legal entities, in any sectors. Data processing is defined in a broad way and includes any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving or destruction of data (see art. 3 lit. e FADP).
Cantonal Data Protection Acts
As regards public bodies, the FADP governs only data processing by federal bodies. Data processing by cantonal bodies is governed by cantonal data protection statutes. Each canton has implemented its own data protection act. Each canton has also appointed its own Cantonal Data Protection and Information Officer.
Most cantonal data protection laws are quite similar to the section of the FADP regarding data processing by federal bodies.
Different statutes include secrecy obligations, which also aim to protect privacy in a broader sense. The following secrecy obligations are important:
- Banking secrecy (art. 47 of the Federal Banking Statute): The banking secrecy protects any information relating to the relationship between the bank customer and the banking institute, including the fact that there is a customer relationship. Subject to this secrecy obligation are banking institutes as defined in the respective statute and any auxiliary persons, such as service providers. The banking secrecy is, in particular, important regarding outsourcing of bank customer data to cloud solutions.
- Patient secrecy (art. 321 of the Swiss Criminal Code): The patient secrecy protects any information relating to the relationship between a patient and surgeon or any other healthcare practitioner mentioned in art. 321 of the Swiss Criminal Code.
Art. 328b of the Swiss Code of Obligations sets out the following regarding data processing by employers: “The employer may handle data concerning the employee only to the extent that such data concern the employee's suitability for his job or are necessary for the performance of the employment contract. In all other respects, the provisions of the Federal Act of 19 June 1992 on Data Protection apply.”
Illegal data processing by employers can either be enforced in the same way as ordinary infringements of the employment relationship, i.e. by filing a claim to the civil courts, or by using the remedies set out in the FADP.
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR): This regulation applies, in general, to all entities and organisations, wherever they are located, processing personal data of natural persons (data subjects) residing in the European Union, and to companies established in the EU, regardless of the location of the processing. For companies located outside the EU, their activities must fall within the cases listed by the GDPR in order to be within the scope of the regulation. This regulation is mandatory and directly applicable in all EU Member States, which means that a national law implementing it is not required in order for it to take full effect. Nonetheless, almost all Member States have passed a law developing the aspects in which the GDPR leaves room for national regulation.
Articles 18 and 20.4 of the Spanish Constitution: The supreme law of the Spanish legal system dedicates these articles to providing a general scope for the rights to honour, personal and family privacy and self-image, and acknowledges them as fundamental rights within the Spanish legal system. It also ensures that these rights are limited by the rights to freedom of expression and information.
Organic Law 1/1982, of 5 May, on the civil protection of the right to honour, to personal and family privacy and to one's own image: It develops the civil protection of the fundamental rights of honour, personal and family privacy and one's own image against any kind of interference or illegitimate intrusions and establishes limits to the right of one’s own image in cases when a relevant historical, scientific or cultural interest predominates.
Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (LOPD): The development of the GDPR in Spain has been carried out through this organic law, which introduces some nuances to its provisions and develops the content of the GDPR when possible, establishing, for instance, specific rules for the appointment of the Data Protection Officers (DPO), the sanctioning process and its duration and the processing of employee data by their employers. The Spanish legislator has also included, among the rules on data protection, the recognition of a new catalogue of digital rights.
(Labour relations field) Royal Legislative Decree 2/2015 of 23 October 2015 approving the consolidated text of the Workers' Statute Act (Workers' Statute Act), which establishes the basic framework of the labour relationships and limits the employer's power of control and supervision over employees in respect of their privacy, setting the standards for practising inspections and monitoring the activity of the employees (articles 18 and 20).
(Health sector) Law 41/2002, of 14 November, which regulates patient autonomy and rights and obligations regarding clinical information and documentation: This law regulates the common retention period for all clinical information about patients and lays down certain requirements for the exercise of the right of access by patients to their clinical records. It should be taken into account that each region in Spain may have its own regulations in respect of the retention period for patient information, which will prevail over this law.
(Telecommunications Sector) Law 9/2014, of 9 May, General Telecommunications: This Law provides several measures to guarantee the protection of personal data and privacy in relation to unsolicited communications, traffic and location data and subscriber directories.
(Information society services and electronic commerce) Law 34/2002, of 11 July, on information society services and electronic commerce (LSSI), which sets out the requirements for the sending of commercial communications by electronic means. Pursuant to the principle of normative speciality, these rules apply in preference to the GDPR and the LOPD.
There are some regulations and directives that will have a direct effect in the privacy regulatory scope when they are passed and, if necessary, transposed into national legislation:
- Organic Law (draft) on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes, which transposes Directive (EU) 2016/681 of 27 April 2016 of the same name.
- The legal framework governing privacy can be found in article 19 No. 4 of the Political Constitution of the Republic of Chile, which guarantees the respect and protection of the privacy and honour of the person and his/her family. Article 19 No. 4 of the Chilean Constitution was amended by Law No. 21,096, establishing the Right to Protection of Personal Data; it expressly recognizes the protection of personal data within the scope of the constitutional guarantee of the protection of private life and honour, stating that the treatment and protection of this data will be subject to the forms and conditions established by law.
- Furthermore, Chile has a data protection law, Law No. 19,628 on Privacy Protection (“Data Privacy Act”), which regulates the treatment of personal information in public and private databases or data banks. However, regarding the public sector, there are special rules about databases or data banks held by public agencies, with restricted rights for holders of personal data stored or processed by public entities within the scope of their functions.
- Law No. 19,496, which contains provisions regarding credit information, along with the Data Privacy Act (Article 9, as amended by Law No. 20,521), which contains provisions about personal data related to obligations of an economic, financial, banking or commercial character, to ensure that the information delivered through risk predictors is accurate, updated and truthful.
- Law No. 20,584, which regulates privacy on healthcare, encompasses provisions concerning the privacy of medical records together with the Data Privacy Act, which contains the confidentiality of the doctor’s prescriptions and laboratory analyses, and exams and services related to health services.
- Article 154bis of the Chilean Labour Code states that the employer shall maintain reserve of all private information and data of the employee to which it has access due to the labour relationship. Article 5 of the Labour Code expressly states that employers can exercise their rights within the limits imposed by the Constitution, especially regarding respect of privacy. Employers must abide by and comply with the privacy statements.
Coming into effect on 1 June 2017, the Cyber Security Law of the People’s Republic of China (《中华人民共和国网络安全法》) (the “CSL”) forms the backbone of cybersecurity and data privacy protection. Since the CSL does not stipulate comprehensive rules, China’s data and privacy framework appears to be a patchwork woven from various laws, measures and sector-specific regulations, as well as national standards. The CSL imposes different data privacy obligations on network operators (NOs) and critical information infrastructure operators (CIIOs). Network operators encompass virtually all companies involved in any kind of Internet-based services.1 Among them, CIIOs are the network operators of critical information infrastructure in important industries that, once damaged, disabled or subject to data disclosure, may severely threaten national security, the national economy, people’s livelihood and public interests.2
The non-binding national standard GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (GB/T 35273-2017 《信息安全技术——个人信息安全规范》) (the “PI Specification”) sets out the obligations of privacy protection in detail. Drafted with reference to the European General Data Protection Regulation (GDPR), the PI Specification adopts some definitions from the GDPR; e.g., the definitions of personal information controller and personal information processor mirror the definitions of data controller and data processor under the GDPR. The PI Specification plays a key role in personal information protection and has been cited by courts and enforcement authorities. An increasing number of companies in the market also tend to refer to the PI Specification as the standard when conducting self-audits of their personal information protection.
For certain types of information, the authorities have enacted special regulations or standards. Taking the financial sector as an example, the People’s Bank of China (中国人民银行), the central bank of China responsible for the regulation of financial institutions in mainland China, issued rules to protect personal financial information even prior to the enactment of the CSL, such as the Notice from the People's Bank of China on Further Proper Protection of Personal Financial Information of Customers by Financial Institutions (《中国人民银行关于金融机构进一步做好客户个人金融信息保护工作的通知》) in 2011.
The enforcement authorities in this field at least include the Cyberspace Administration of China (国家互联网信息办公室), the Ministry of Industry and Information Technology (工业和信息化部), the Ministry of Public Security (公安部) and industry regulators.
1 - CSL. § 76.1 & 76.3. A Network Operator (NO) refers to the owner or manager of a network or the provider of a network service.
2 - CSL. § 31. CIIO refers to the network operator of the critical information infrastructure in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests.
In Germany, it is mainly the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA) which form the legal framework. The GDPR regulates the handling of personal data in the European Union and the EEA with the aim of establishing uniform rules. In addition, next to the FDPA, there are several federal state laws and federal laws that regulate data protection topics in certain constellations (e.g. the Telecommunications Act (TKG), the Money Laundering Act (GwG) and the Social Security Code (SGB)).
The GDPR contains about 70 opening clauses that allow national legislation to give effect to the purposes of the GDPR, and it therefore creates the European legal framework. It covers all areas regarding the processing of personal data wholly or partly by automated means. The GDPR does not differentiate between public and private institutions. Hence, it applies to all public authorities, companies and other entities that process the personal data of EU citizens.
The main purpose is the strengthening of the rights of individuals affected by infringements of privacy. Therefore, when considering the lawfulness of data processing, Art. 6 GDPR is the centre of the legal review, since it establishes whether the data processing is justified by consent or by another legal basis, such as a contract or a balancing of interests.
The reinforcement of the rights of the individuals affected can also be found in the third chapter. Possibly the most important right of data subjects is the right to information.
The GDPR is enforced by independent data protection authorities. Art. 51(1) GDPR requires each Member State to establish one or more independent supervisory authorities. Furthermore, supervisory authorities may impose sanctions. For certain legal infringements, fines of up to 4% of a company's annual turnover or EUR 20 million may be imposed, whichever is higher.
The FDPA is supplementary and applies to all sectors, provided there are mandatory or optional opening clauses within the EU regulations (GDPR). The FDPA contains special rules about employee data protection, scoring and credit reports, data profiling and internal data protection officers (DPO).
Whereas the FDPA differentiates between the public and non-public sectors in § 1, most of the substantive rules within the FDPA actually apply to both the public sector and enterprises (e.g. in the case of video surveillance). The distinction is mainly important for determining the competent data protection authorities and for self-regulation.
Federal state law only applies if a regional body or other public organization of a county processes personal data and only applies in addition to the regulations of the GDPR.
Current Legal Framework
At present, the primary legislation governing privacy in India is the Information Technology Act, 2000 ("IT Act") read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("Privacy Rules").
Section 43A of the IT Act requires a body corporate1 possessing, dealing with or handling 'sensitive personal data or information' ("sensitive PII")2 in a computer resource to implement and maintain 'reasonable security practices and procedures' to protect such sensitive PII from unauthorized access, use, alteration, disclosure or damage; failing which the body corporate is required to compensate the Data Subject (defined below) for loss caused on account of unauthorized access or disclosure.
It is pertinent to note that: -
(a) Section 43A only deals with sensitive PII, not with personal information ("PII").3 Having said so, the Privacy Rules (formulated under this Section) regulate both, PII as well as sensitive PII;4
(b) The Privacy Rules only apply to data of natural persons ("Data Subjects");
(c) The Privacy Rules are agnostic to the sector or activities that the concerned body corporate engages in. Any body corporate possessing, dealing or handling data of Data Subjects in a computer resource is required to comply with these requirements; and
(d) There is no dedicated regulatory authority that enforces the Privacy Rules. These Rules can however be enforced by the nodal ministry viz. the Ministry of Electronics and Information Technology, Government of India ("MeitY").
The 'reasonable security practices and procedures' prescribed under the Privacy Rules include, amongst others: -
(b) requirement to obtain informed consent before collecting sensitive PII;
(c) stipulations regarding purpose6 and storage limitations;7
(d) providing the Data Subjects an opportunity to not provide or withdraw consent;
(e) conditions governing transfer of PII and sensitive PII; and
(f) other reasonable security practices and procedures to be implemented.8
Privacy as a Fundamental Right
In addition to the IT Act and the Privacy Rules, the right to privacy has now also been recognized as a fundamental right by the highest court, i.e. the Supreme Court ("SC"), in India. In Justice K S Puttaswamy (Retd.) and Another v. Union of India and Others,9 the SC held that: -
(a) the 'right to privacy' is a fundamental right guaranteed under the Constitution of India ("Constitution");
(b) privacy is intrinsic to life and personal liberty guaranteed under Article 21 [10] of the Constitution; and
(c) right to life and personal liberty are inalienable rights inseparable from human existence and hence, similar constitutional safeguards should be applicable to an individual's right to privacy.
New Privacy Regime
India is in the process of overhauling its data privacy framework and seems to be taking guidance in this regard from principles outlined under the EU General Data Protection Regulation (EU GDPR). As part of this exercise, a draft bill titled 'Personal Data Protection Bill, 2018' ("Privacy Bill") has been submitted to the Government of India.11 The Privacy Bill is presently in the process of finalization and is likely to be introduced in the Parliament after the new Government takes over.12 Wherever relevant, we have identified provisions of the Privacy Bill, as they are presently proposed.13 However, it is likely that the Privacy Bill will undergo further modifications, before being finally notified.
Several other regulators / authorities including the Telecom Regulatory Authority of India, Department for Promotion of Industry and Internal Trade, Central Drugs Standard Control Organization, Reserve Bank of India etc. either presently regulate or are seeking to regulate the data which may fall within their respective domains (such as subscriber data, payments data, e-commerce user data). It is possible that these regulators / authorities may provide inputs for the finalization of the Privacy Bill or for such regulators / authorities to supplement the Privacy Bill with their own respective data protection requirements.
1 - "Body corporate" is defined in IT Act to mean "any company and includes a firm, proprietorship or other association of individuals engaged in commercial or professional activities".
2 - "Sensitive personal data or information" means personal information which consists of password, financial information (such as bank account or credit card or debit card details), physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information etc.
3 - "Personal information" is defined in the Privacy Rules to mean any information relating to an individual which (either by itself or in combination with other information available with a body corporate) is capable of identifying such individual. This is the Indian equivalent of PI or PII, as commonly referred to in other jurisdictions.
4 - Under Indian laws, PII and sensitive PII are popularly referred to as PI and SPDI respectively.
6 - In relation to purpose limitation, PII & sensitive PII collected can only be used for the purpose for which they are collected. Any new purpose not initially informed to the Data Subject hence will require a new consent.
7 - In relation to storage limitation, sensitive PII cannot be retained for longer than is required for the purpose for which it was collected.
8 - Details in relation to some of these aspects have been provided in our responses below.
9 - (2017) 10 SCC 1, delivered on August 24, 2017.
10 - Article 21 of the Constitution states that no person shall be deprived of his life or personal liberty except according to procedure established by law.
11 - The Privacy Bill was submitted by a committee of experts under the chairmanship of former Justice B. N. Srikrishna appointed by the Government of India for this purpose.
12 - The Privacy Bill introduces a unique concept of a fiduciary relationship between Data Subjects (natural persons to whom the personal data relates) and data controllers (persons who determine the purpose and means of processing of personal data). It classifies Data Subjects as ‘data principals’ and data controllers as ‘data fiduciaries’.
13 - The Privacy Bill provides for formulation of codes, rules and regulations. These codes, rules and regulations (once enacted or released in draft form) will provide further clarity in relation to various provisions of the Privacy Bill (such as how consent and explicit consent may be procured for processing of information protected under the Privacy Bill).
The “data privacy” concept was first introduced through two main pieces of legislation, namely: (i) Law No 11 of 2008 on Electronic Information and Transaction, lastly amended by Law No. 19 of 2016 (“EIT Law”); and (ii) Government Regulation No. 82 of 2012 on the Implementation of the Electronic System and Transaction (“GR 82/2012”). However, these two laws only cover data privacy in a general manner.
In 2016, as the implementing regulation of the EIT Law and GR 82/2012, the Ministry of Communication and Informatics (“MCI”) issued its Regulation No. 20 of 2016 regarding Personal Data Protection in the Electronic System (“MCI Regulation 20/2016”) to further regulate personal data protection within the Indonesian regulatory framework. In general, MCI Regulation 20/2016 covers the protection of personal data, including protection of the collection, processing, analysis, storage, display, announcement, delivery, dissemination and erasure of Personal Data conducted by an Electronic System Operator (“ESO”). As the regulator, MCI is the relevant authority to enforce MCI Regulation 20/2016.
Under MCI Regulation 20/2016, Personal Data is defined as certain individual information that is kept and maintained, and whose accuracy and confidentiality are protected. Based on this definition, all individual information collected and processed by an ESO is protected under MCI Regulation 20/2016.
Meanwhile, MCI Regulation 20/2016 defines an ESO as any person, state administrator, business entity or community which provides, manages and/or operates an Electronic System, either individually or jointly, towards Personal Data Subjects for its own needs and/or the needs of other parties. Based on the above definition, Indonesian regulation does not define or differentiate between a Personal Data Controller and a Personal Data Processor. Accordingly, any party that controls (“Data Controller”) or processes (“Data Processor”) any kind of electronic information, including Personal Data, in the form of electronic media will be categorized as an ESO.
Aside from MCI Regulation 20/2016, there is other sector-specific legislation that governs data protection issues in, among others, banking, financial services and health provider services. Under these sectoral regulations, the relevant sectoral agency may act as the supervisory body for data protection in the respective sector.
The key laws governing privacy in Portugal are the following:
a) Portuguese Constitution (article 35.º) – on the use of computerised data.
b) Regulation (EU) 2016/679 of the European Parliament and the Council, of April 27th – the General Data Protection Regulation applicable since 25 May of 2018 (hereinafter, the “GDPR”).
c) Law 67/98, of 26 October – the Data Protection Law that implemented Directive 95/46/EC, which remains in force insofar as it does not contradict the GDPR and until it is revoked by the new law (currently under discussion in Parliament) that will approve any derogations from the GDPR.
d) Law 46/2012, of 29 August - on the processing of personal data and protection of privacy in electronic communications that implemented the ePrivacy Directive.
e) Law 32/2008, of 17 July - concerning the data retention obligations applicable to publicly available electronic communications services providers (that implemented Directive 2006/24/EC which was invalidated by the CJEU in its decision of April 2014).
f) Law 34/2013, of 16 May - on the use of video surveillance by private security companies.
Furthermore, there are other data protection provisions in several other sectors, such as scientific research, employment, genetic information, anti-money laundering, call centers, national citizen card, and cybercrime.
The Comissão Nacional de Proteção de Dados (CNPD) is the Portuguese Data Protection Authority/Regulator, which enforces the data protection laws.
The collection and use of personal data is primarily governed by the Data Protection Act 2018 (DPA 2018) which implements the General Data Protection Regulation (GDPR). It is not sector specific and applies to anyone collecting and using personal data. Personal data is any information relating to an identifiable person who can be directly identified (such as by their name and contact details) or indirectly identified in particular by reference to an identifier (such as an IP address, cookie data or location data). If a person collects information about individuals for any reason other than its own personal, family or household purposes, it will need to comply with the DPA 2018. The law will catch most businesses and organisations, whatever their size. It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
The Information Commissioner's Office (ICO) regulates data protection, provides advice and promotes good practice. It also conducts audits, considers complaints and breach reports, monitors compliance and takes enforcement action where appropriate.
One key law governing privacy in Sweden is the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), which is directly applicable in Sweden.
It regulates the processing of personal data wholly or partly by automated means, and the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. The GDPR applies to all Swedish establishments which process personal data in their capacity as controller (i.e. the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) or processor (i.e. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller), regardless of the country in which the processing takes place. Exemptions from the GDPR’s material scope include, for example, the processing of personal data by a natural person in the course of a purely personal or household activity.
Two key laws in Sweden which complement the GDPR are the Act containing supplementary provisions to the EU General Data Protection Regulation (sw. Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) (the “Data Protection Act”) and the Ordinance containing supplementary provisions to the EU General Data Protection Regulation (sw. Förordning (2018:219) med kompletterande bestämmelser till EU:s dataskyddsförordning) (the ”Data Protection Ordinance”).
The Data Protection Act essentially applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in Sweden. The Data Protection Act and the Data Protection Ordinance inter alia regulate Sweden’s implementation of the areas where the GDPR allows flexibility for the individual EU member states to further specify and supplement the GDPR’s provisions, such as age of consent in relation to information society services as well as the lawfulness of processing special categories of personal data and personal data relating to criminal convictions and offences. They also contain provisions regarding enforcement of sanction decisions and the role of the supervisory authority.
The supervisory authority for the GDPR, the Data Protection Act and the Data Protection Ordinance is the Swedish Data Protection Authority (sw. Datainspektionen).
It is also worth mentioning that Sweden in general has a long tradition of sector-specific legislation governing privacy, such as the Patient Data Act (sw. Patientdatalag (2008:355)), which governs the processing of personal data within health and medical care. Such sector-specific legislation has been adapted with regard to the GDPR. Generally, such sector-specific legislation complements the GDPR, but the GDPR has priority.
Finally, there are certain central laws which do not specifically govern privacy but which are closely related to, and sometimes complement and/or overlap with, Swedish privacy laws, such as:
- the Electronic Communications Act (sw. Lag (2003:389) om elektronisk kommunikation) (the “Cookie Act”);
- the Act on Information Security regarding providers of critical infrastructure and digital services (sw. Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster) (the ”NIS Act”); and
- the Ordinance on Information Security regarding providers of critical infrastructure and digital services (sw. Förordning (2018:1175) om informationssäkerhet för samhällsviktiga och digitala tjänster) (the ”NIS Ordinance”),
which will be described in more detail below.
The legal framework governing privacy in Greece is as follows:
- Article 9A of the Constitution, which is the first constitutional text explicitly recognizing the right of individuals to the protection of their personal data and explicitly providing for an independent authority entrusted with an audit role;
- The General Data Protection Regulation 2016/679 (hereinafter, “GDPR”);
- Law No 2472/1997 on the protection of individuals with regard to the processing of personal data, which implemented into the Greek legal order Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, “Directive 95/46/EC”). The Hellenic Data Protection Authority (hereinafter, “HDPA”) is appointed as enforcer of the relevant provisions and supervisor of their implementation;
- Law No 3471/2006 on the protection of personal data and privacy in electronic communications, amending Law No 2472/1997 and implementing Directive 2002/58/EC on privacy and electronic communications (hereinafter, “Directive 2002/58/EC”), certain provisions of which stipulate the competence of the Hellenic Authority for Communication Security and Privacy (ADAE).
Given that to date there is no national law implementing the provisions of the GDPR that require implementation (only a relevant draft law exists), the GDPR constitutes, both at European and national level, the fundamental and most modern piece of data protection legislation in Greece. However, the provisions of Law No 2472/1997 remain valid at national level as long as they are not contrary to the GDPR. Law 3471/2006 also remains valid and applies as lex specialis in relation to the GDPR on certain matters.
The main legislative instrument governing data privacy practices in Turkey is the Law on Protection of Personal Data numbered 6698 (“Law No. 6698”), which was published in the Official Gazette on 7 April 2016 and has been in effect since that date. The principles and procedures specified thereunder, as well as the related secondary regulation which is elaborated in detail below, apply to all natural persons whose personal data are processed, as well as to all natural and legal persons processing personal data, whether as data controllers or processors, irrespective of the sector within which they operate.
Within the purview of Law No. 6698, the processing of personal data is construed as any operation performed upon personal data, such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, making retrievable, classification or preventing the use thereof, whether fully or partially through automatic means or, provided that the process is part of a data registry system, through non-automatic means. It can thus be concluded that all activities performed upon personal data, including the mere act of displaying it, are deemed processing of personal data within the scope of Law No. 6698.
Alongside specifying the principles and procedures applicable to the processing of personal data, Law No. 6698 establishes a local data protection authority. The Personal Data Protection Board (hereinafter referred to as the “Board”) is active as of this date and has regularly been publishing secondary regulations, as well as principle decisions and guidance documents concerning the application of Law No. 6698. The Board has also been performing activities in order to shape public opinion at a national level and to raise awareness of personal data protection.
As in all member states of the European Union, the General Data Protection Regulation ("GDPR") applies in Austria, where it is supplemented by the Austrian Data Protection Act ("DSG"). These laws regulate the protection of personal data, meaning any information that relates to an identified or identifiable natural person. In addition, data protection provisions can be found in numerous further laws regulating specific matters (e.g. the Telecommunications Act, the Banking Act and the Act on Medical Practitioners).
The competent authority for the enforcement of the data protection provisions is the Data Protection Authority. In certain cases, regular courts can also be called upon in the event of violations of data protection provisions.
The collection and use of personal data is primarily governed by the Law No 78-17 of 6 January 1978 relating to information technology, files and freedoms (the 'French Data Protection Act of 1978' or 'French DPA 1978'). The French DPA 1978 has a very wide scope of application and applies to anyone collecting and processing personal data. This is a general piece of legislation which applies irrespective of the sector of activity.
Personal data is any information relating to an identifiable person who can be directly identified (such as by their name and contact details) or indirectly identified in particular by reference to an identifier (such as an IP address, cookie data or location data). If a person collects information about individuals for any reason other than its own personal, family or household purposes, it would need to comply with the French DPA 1978. The law will also catch most businesses and organisations, whatever their size. It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
Law No 2018-493 of 20 June 2018 on the protection of personal data significantly modifies the French DPA 1978 to comply with the General Data Protection Regulation ('GDPR') and introduces certain provisions specifically applicable in France as permitted by the GDPR. For the sake of clarity, the French data protection legislation will be recodified in the French DPA 1978 by Ordonnance No 2018-1125 of 12 December 2018 on the protection of personal data, which will shortly come into force and no later than 1 June 2019.
Unless otherwise stated, references to articles of the French DPA 1978 are to the text applicable as of 1 June 2019.
However, in the majority of instances the processing of personal data will be subject to both the GDPR and the French DPA 1978.
The Commission Nationale de l'Informatique et des Libertés ('CNIL') is the supervisory authority for France. The roles of the CNIL are to raise awareness about data protection, to inform and educate the public on data protection law, and to inspect and sanction non-compliance with data protection laws. Regarding its sanctions toolkit, the CNIL is empowered to impose various types of sanctions which include, but are not restricted to, public or private warnings, monetary sanctions, cease-and-desist injunctions on data processing, and withdrawals of prior authorizations given by the CNIL. The most significant pecuniary sanction imposed to date by the CNIL is the 50 million EUR fine against Google LLC for lack of transparency, failing to properly inform users and failing to collect valid consent for targeted advertising services (Decision of the CNIL No SAN 2019-001 of 21 January 2019).
There is no single, omnibus U.S. federal law addressing data privacy rights and obligations. Federal laws, which apply to residents in all states, are generally sector-specific and primarily regulate the financial and healthcare sectors, the telecom industry, government contractors and children. State laws, where they exist, more frequently look to protect consumers residing in that state, which is permitted under the U.S. system that allows states to regulate absent federal pre-emption or an undue burden on interstate commerce.
At the federal level, key laws include the Gramm-Leach-Bliley Act (GLBA), which protects personal information held by financial institutions and related companies collected as part of the provision of financial services; the Fair Credit Reporting Act (FCRA), which regulates use of information to make employment, credit, insurance or certain other determinations; the Privacy Act of 1974 and the Federal Information Security Management Act of 2002, which regulate use of personal information by the government and government contractors; the Health Information Portability and Accountability Act (HIPAA), which regulates information related to health status that can be linked to an individual under the control of certain covered entities and their contractors and regulates the collection, disclosure and security of such information; the Cable TV Privacy Act of 1984, Video Privacy Protection Act (VPPA), Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), which protect the privacy of certain types of communications and content; the Children’s Online Privacy Protection Act (COPPA), which regulates personal information collected online from children under age 13 and requires related privacy notices and in many instances verified parental consent; and the Family Educational Rights and Privacy Act (FERPA), which regulates privacy of student records.
Federal laws also regulate use of email addresses and phone numbers for both marketing and nonmarketing purposes. Depending on the law, federal privacy laws are primarily enforced by the Federal Trade Commission (FTC), the Department of Health & Human Services or the Office of the Comptroller of the Currency (OCC). The FTC is the principal regulator of consumer privacy under its authority to regulate deceptive and unfair practices in or affecting commerce, including to require companies to disclose unexpected data practices prior to collection, to enforce failures to comply with published privacy policies and to require companies to reasonably protect personal information in their custody or under their control.
Many states also have laws that protect the personally identifiable information of residents, but the level of protection and the types of information considered to be personally identifiable differ from state to state. To varying extents, state laws commonly restrict the information that may be collected during retail or credit card transactions, limit the recording of communications without consent, and protect minors.
Some states are more protective of privacy than others. Massachusetts, for example, has data protection laws requiring comprehensive data security planning for any entity obtaining or storing personal information. New York has similar regulations requiring comprehensive cybersecurity planning for financial institutions doing business in New York. California, Connecticut, Delaware, Pennsylvania, Nebraska, Nevada, Oregon and Utah have laws regarding privacy policies. Many states restrict collection of any, or certain, personal information in connection with credit card or other commercial transactions, except as necessary to complete the transaction. States have also passed laws protecting employee privacy, including the privacy of their social media accounts and activities, and providing greater levels of student privacy than are accorded under FERPA. Around a dozen states have their own, often more restrictive, version of the VPPA. States also regulate the use and protection of personal information by insurers.
Among the states, California has been especially protective of consumer privacy. Currently, there are limited protections under California’s Shine the Light law and the California Online Privacy Protection Act (CalOPPA), which Nevada and Delaware have copied in large part; but broader, more European-style data subject rights will take effect on January 1, 2020, under the California Consumer Privacy Act (CCPA), which mandates that California residents have data access and portability rights, data deletion rights, and the right to request that personal information not be sold, with “sale” broadly defined to cover most disclosures or access other than to vendors that meet very restrictive purpose and contractual restriction requirements. The CCPA will also require very granular privacy notices and the right of data subjects to obtain very specific information on a business’s practices regarding their own personal information upon request. In addition, companies may not discriminate against California consumers who exercise their CCPA rights. At least 14 other states are considering CCPA-inspired legislation as of the date of publication, and federal consumer privacy legislation is also under consideration.
All states have data security and breach notification laws, though the scope of what data is covered as well as the notice and reporting obligations vary from state to state.
Due to the patchwork nature of U.S. federal and state privacy laws, the best course of action is to consult with skilled legal counsel to advise on a particular situation.
Personal Data Protection Act 2010
In Malaysia, the protection of an individual’s personal data is governed by the Personal Data Protection Act 2010 (PDPA). The PDPA is the main legislation governing privacy. It came into force on 15 November 2013, together with the introduction of the following subsidiary legislation:
(a) Personal Data Protection (Fees) Regulations 2013;
(b) Personal Data Protection (Registration of Data User) Regulations 2013;
(c) Personal Data Protection (Class of Data Users) Order 2013; and
(d) Personal Data Protection Regulations 2013.
The PDPA 2010 regulates the processing of personal data in commercial transactions and applies to:
(i) Any person who processes; and
(ii) any person who has control over or authorizes the processing of,
any personal data in respect of commercial transactions.
Pursuant to the Personal Data Protection (Class of Data Users) Order 2013, this regulatory framework covers sectors such as communications, banking and financial institutions, insurance, health, tourism and hospitality, transportation, education, direct selling, services, real estate, utilities, pawnbrokers and moneylenders. Further, compliance with the PDPA is necessary only if data users are “processing” personal data. Examples of activities considered as “processing” include:
(a) Collecting data through forms, by phone or via the web
(b) Publishing data
(c) Selling data
(d) Using administrative data
(e) Using data for marketing purposes
(f) Recording data
(g) Disclosing or providing data to other organizations
(h) Destroying data
The governing body that enforces such legal framework is the Department of Personal Data Protection under the Ministry of Communications and Multimedia Malaysia.
Financial Services Act 2013
A banker's duty of secrecy in Malaysia is statutory, as it is provided for under the Financial Services Act 2013 (“FSA”). Section 133 of the FSA stipulates that “No person who has access to any document or information relating to the affairs or account of any customer of a financial institution, including— (a) the financial institution; or (b) any person who is or has been a director, officer or agent of the financial institution, shall disclose to another person any document or information relating to the affairs or account of any customer of the financial institution”.
Official Secrets Act 1972
The Official Secrets Act 1972 contains provisions which seek to prohibit any person from taking or making any document, measurement, sounding or survey of or within a prohibited place, unless he proves that the thing so taken or made is not prejudicial to the safety or interests of Malaysia and is not intended to be directly or indirectly useful to a foreign country.
Competition Act 2010
Additionally, section 21 of the Competition Act 2010 provides that it is an offence to disclose or make use of any confidential information with respect to a particular enterprise or the affairs of an individual obtained by virtue of any provision in the Act. This implies that business secrets procured by way of anti-competitive and unlawful acquisition may fall under the said provision.
Computer Crimes Act 1997
Malaysia also has the Computer Crimes Act 1997, which prohibits a person from causing a computer to perform any function with intent to secure access to any program or data held in any computer where (a) the access he intends to secure is unauthorised, and (b) he knows, at the time he causes the computer to perform the function, that this is the case.
The EU General Data Protection Regulation (2016/679) (GDPR) came into force on 25 May 2018 and is directly applicable in all EU member states, including Gibraltar. It is a wide-ranging regulation designed to protect the privacy of individuals in the European Union (EU) and give them control over how their personal data is processed, including how it is collected, stored and used.
The Gibraltar Data Protection Act 2004 (DPA) aligns with, and supplements, the GDPR in Gibraltar.
The Communications (Personal Data and Privacy) Regulations 2006 (the Privacy Regulations), which transpose the Privacy and Electronic Communications Directive (2002/58), aim to protect privacy in the electronic communications sector.
These laws are enforced by the Gibraltar Regulatory Authority (GRA) as the supervisory authority in Gibraltar.
The collection and use of personal data is primarily governed by the General Data Protection Regulation (GDPR) and the Data Protection Act, 2018 (DPA 2018). The latter gives further effect to the GDPR (the GDPR and DPA 2018 together being the 'Legislation'). The Legislation is not sector specific and applies to anyone collecting and using personal data. Personal data is any information relating to an identifiable person who can be directly identified (such as by their name and contact details) or indirectly identified in particular by reference to an identifier (such as an IP address, cookie data or location data). If a person collects information about individuals for any reason other than its own personal, family or household purposes, they will need to comply with the Legislation. The law will catch most businesses and organisations, whatever their size. It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
The Data Protection Commission (DPC) regulates data protection, provides advice and promotes good practice. It also conducts audits, considers complaints and breach reports, monitors compliance and takes enforcement action where appropriate.
The following are the relevant rules concerning personal information protection in Japan:
(1) Act on the Protection of Personal Information (“APPI”);
(2) Act on the Protection of Personal Information Held by Administrative Organs;
(3) Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.;
(4) Ordinance on the Personal Information Protection of Rules for Local Governments; and
(5) Various guidelines.
An overview of each law is as follows:
Law (1) above (i.e. the APPI) stipulates the basic policies for the protection of personal information in the public and private sectors, and general rules such as obligations and penalties for the private sector.
Law (2) above stipulates personal information protection policies for national government agencies, law (3) above stipulates comparable policies for independent administrative corporations, and ordinance (4) above stipulates general rules for local governments.
The guidelines in (5) above are administrative guidelines on the interpretation of the APPI.
The entity in charge of enforcing laws (1) to (3) above is the national government, while local governments enforce ordinance (4) above. The guidelines in (5) above are interpretive guidance and are not themselves subject to enforcement.