What additional protections have been implemented, over and above the GDPR requirements?
Technology (3rd edition)
As yet, we cannot mention any specific protections; however, Article 10 of Decree No. 230-18, which creates the National Cybersecurity Center, sets as its primary objective the drafting, development, updating and evaluation of a National Cybersecurity Strategy that includes the formulation of policies, programs and projects for the prevention and detection of incidents at information centres holding critical national data.
Please note that as Egypt is not part of the EU, the GDPR requirements do not apply to Egypt.
In the Estonian Personal Data Protection Act, which helps to implement the GDPR, there are certain special requirements for some data processing activities, such as the following:
- When processing the personal data of a minor as part of the provision of information society services, the legal basis can be the minor’s consent only if the minor is at least 13 years old;
- Special rules must be followed when processing personal data for the purposes of scientific or historical research or official statistics. As a general rule, only pseudonymised personal data can be used. Depseudonymisation or the use of identifiable personal data is permitted only if certain conditions are met;
- There are special rules to be followed when processing the personal data of a deceased data subject.
The adaptation of French law to the new European framework was carried out in several stages. The national texts now consist of an order of 12 December 2018 and a new implementing decree dated 29 May 2019. These texts complement the RGPD (the French name for the GDPR) where room is left for implementation at State level: for example, in respect of the processing of health data or data relating to offences; the setting at 15 years of the age limit for minors' consent to using online services; the provisions relating to digital death; etc. Finally, State law retains full competence for all "repressive" files, whether in the criminal area or in the field of intelligence and State security.
As an initial matter, the data protection regime is in a relatively early phase of development in China. The PRC Cybersecurity Law, promulgated in 2017, consists mostly of general or high-level provisions, while the implementing regulations issued so far either lack very specific provisions, are non-mandatory, or are still in draft form. Nevertheless, some additional protections are already indicated. A major one is the requirement that certain data collected or generated by CIIOs (critical information infrastructure operators) be stored in China (i.e., on servers physically located onshore). More subtly, while the GDPR contains some requirements on the proper storage of biometric data, a non-mandatory national standard under PRC law specifies that personal biometric information should be processed by technical measures before storage, e.g., by storing only a digest of the data.
The GDPR is not applicable in Israel. Although not a point of difference, the Israeli Protection of Privacy Regulations (Data Security), 2017 set out more comprehensive and detailed data security requirements and obligations for computerized databases (depending on the protection level to which a specific database is subject: high, medium or basic) than the merely general obligation under the GDPR to take appropriate technical and organisational measures to ensure a level of security appropriate to the level of risk. In addition, as set forth above, under the Privacy Law a data controller who maintains a computerized database is required to register that database with the Registrar.
Section 2-decies of the Privacy Code provides that data unlawfully processed cannot be used. In addition, pursuant to Section 167 and following, the Privacy Code identifies a set of data protection crimes. Please refer to our reply under no. 10 for further details.
Since the regulatory framework and basic concepts under the APPI are different from those under the GDPR in many aspects, it is not easy to compare the APPI with the GDPR in terms of the protections implemented thereunder. Generally speaking, however, more protections are implemented under the GDPR than under the APPI with limited exceptions (e.g., while the anonymized data is not subject to the regulations under the GDPR, the anonymously processed data is still subject to the regulations under the APPI which are different from and less strict than those applicable to the personal data). It is notable that the APPI is currently under periodic review with the aim of amending it in 2020, and it is debated whether to implement additional protections and regulations by reference to those under the GDPR (e.g., the right to data portability, the right not to be subject to a decision based solely on automated processing (including profiling), and the obligation to notify a personal data breach to the supervisory authority).
The PDPA has yet to be amended to address the GDPR requirements or their implementation. No additional protections have been implemented in Malaysia since the coming into force of the GDPR, and the GDPR presently imposes stricter requirements in comparison. For example:
(a) Consent
PDPA: Does not define what ‘consent’ entails, save that consent collected has to be in a form that can be maintained by the data user and any consent obtained should be presented in a manner distinguishable from consent given for other matters. The collection of consent by way of an “opt-out” method is permitted under certain circumstances.
GDPR: “Consent” has to be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or a clear affirmative action. The “opt-out” method of obtaining consent may not be acceptable under the GDPR.
(b) Data Protection Officer
PDPA: Requires data users to identify a contact person in a data protection notice, for data subjects to direct any queries they may have regarding the use of their personal data. There is no requirement to specifically appoint a data protection officer under the PDPA.
GDPR: Certain organisations are required to specifically appoint a data protection officer to, inter alia, act as a liaison to data subjects in respect of issues relating to the processing of personal data.
(c) Data Breach & Reporting
PDPA: Does not impose any obligation on data users to report data breaches to the Commissioner.
GDPR: Data controllers are obliged to report data breaches to the appropriate supervisory authority within 72 hours, and to the relevant data subjects if the breach is likely to result in a high risk to the rights of the data subject.
(d) Right to be Forgotten / Right to Erasure
PDPA: Does not grant data subjects a right to be forgotten or right to erasure, although they may withdraw their consent for the processing of their personal data. While the effect of such withdrawal is unclear, the exercise of such right may require the data user to delete the personal data of the data subject.
GDPR: If a data controller is requested by a data subject to erase the data subject’s personal data, the data controller must comply with the request without delay unless the situation falls within an exemption.
(e) Data Portability
PDPA: Provides that data subjects may request their information from a data user; however, it is unclear on the manner, method or medium in which such information is to be given. It does not provide data subjects with a right to request that their personal data be transferred to a different data user.
GDPR: Data subjects have a right to request that their information held by a data controller be provided to them in a machine-readable form. Data subjects may also request that their personal data be transferred from one data controller to another in certain circumstances.
However, where the personal data of children is to be processed, the PDPA imposes stricter requirements, in that the personal data of children under the age of 18 may only be processed after consent is given by the child’s parent/guardian, as opposed to children under the age of 16 as required by the GDPR.
As indicated in the reply to question 7 above, the Electronic Communications Networks and Services (General) Regulations (S.L. 399.28) provide specific privacy rules relevant to the telecoms sector which go beyond the general provisions of the GDPR. Any person suffering any loss or damage as a result of an undertaking’s breach of these privacy rules is entitled to refer the matter to the Maltese Courts to seek compensation from that undertaking for the loss or damage suffered.
Privacy law in New Zealand is currently under review. It is likely to be brought up to a similar standard as the GDPR in some areas, and in other areas a more permissive standard than the GDPR's prescriptive requirements will continue to apply.
As a non-EU country, Indonesia is not directly subject to the GDPR. Accordingly, Indonesia is not legally bound to adjust its domestic law to the GDPR or to apply the GDPR.
The Indonesian personal data protection regime differs from the GDPR. Although some key principles of the GDPR have been adopted in Indonesia's personal data protection rules, the current laws and regulations on personal data protection in Indonesia are still not as comprehensive as the GDPR.
The apparent difference between them is that in Indonesia, the current general personal data protection regime only applies to electronic processing of personal data. Unlike in GDPR, it does not cover manual processing of personal data. In addition, Indonesian personal data protection rules also do not recognize the distinction between controller of personal data and processor of personal data.
However, this is likely to change in the near future, as Indonesia is preparing its first Personal Data Protection Act (“PDP Act”). The latest draft of the PDP Act shows that the content of the future Indonesian PDP Act will be closer to the GDPR. The PDP Act is very likely to apply to both manual and electronic processing of personal data. The PDP Act will also recognize the concepts of data processor and data controller as in the GDPR.
With reference to our response to item 11 above, there are no specific laws which regulate ‘data protection’ in Pakistan, and while PECA criminalizes unlawful or unauthorized access to information or data, copying or transmission of critical infrastructure data, it too does not regulate ‘data protection’ in Pakistan.
The MOITT (Ministry of Information Technology and Telecommunication) has tried to capture and reflect the broad concepts of enhanced protection against unnecessary data collection and the use of data in unanticipated ways, as provided for in the GDPR; however, the draft Pakistan Data Protection Bill is still in the process of being promulgated and is therefore subject to changes by the legislators.
The rules established by the GDPR should be read in conjunction with the rules set by Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-privacy Directive”). The latter have been transposed in Romania by Law no. 506/2004 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
Moreover, authorities who act in the field of the prevention, detection, investigation, prosecution and combating criminal offences are subject to Law no. 363/2018 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of the prevention, detection, investigation, prosecution and combating of criminal offenses or the execution of sanctions, educational and safety measures and the free movement of such data. Law 363/2018 transposes Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Both the PIPA and Network Act provide for criminal sanctions in the event of a breach of any of their data protection provisions (including cases where personal information is leaked as a result of a hacking incident).
Resident registration numbers cannot be processed unless specifically required or permitted under an applicable law.
The LOPDGDD has recognized a new catalogue of digital rights to protect people using different digital tools and to avoid discrimination; it includes net neutrality, universal internet access, digital security, digital literacy, the online protection of minors, the rectification or updating of information online, the right to be forgotten on search engines and social networks, and the regulation of the right to a digital will. Additionally, it strengthens the privacy of employees and their right to digital disconnection, as well as privacy during the use of digital services, video surveillance and geolocation in the workplace. Articles 80 to 96 of the LOPDGDD set out 16 Digital Rights:
- Right to Internet neutrality: internet service providers shall provide a transparent offer of services without discrimination on technical or economic grounds.
- Right of universal access to the Internet: everyone has the right to access the Internet regardless of personal, social, economic or geographical status. Under this right, universal, affordable, quality and non-discriminatory access for the entire population is guaranteed.
- Right to digital security: users have the right to the security of the communications they transmit and receive over the Internet. In addition, Internet service providers shall inform users of their rights.
- Right to digital education: all educational plans must now include modules for learning to use new digital technologies. Such use must be safe and respectful of human dignity, constitutional values, fundamental rights and, in particular, respect for and guarantee of personal and family privacy and the protection of personal data. The law also provides that university studies should train students in the use of digital media. In addition, it stresses that public administrations must include in their public-sector recruitment examinations specific tests to evaluate such use, as well as tests on data protection where employees will perform functions that involve access to personal data.
- Online protection of minors: families and guardians shall ensure that minors make balanced and responsible use of digital devices in order to ensure the proper development of their personality and preserve their dignity and fundamental rights.
- Right of rectification on the Internet: those responsible for social networks and equivalent services will adopt appropriate protocols to enable the exercise of the right of rectification for users who disseminate content that undermines the right to honour, personal and family privacy on the Internet and the right to freely communicate or receive truthful information, in accordance with the requirements and procedures set out in the law.
- Right to update information in digital media: data subjects have the right of requesting the digital media to include a sufficiently visible update notice next to the news that concerns them. This amendment should be made when, as a result of events occurring after the publication of the news item, it no longer reflects the current situation causing harm to the subject. In this regard, the law makes particular reference to judicial decisions that alter previous ones.
- Right to privacy and use of digital devices in the workplace: it recognizes the privacy of employees during the use of electronic devices provided by their employer.
- Right to digital disconnection in the workplace: the purpose of this right is to ensure that employees, outside legally or conventionally established working time, respect their time for rest, leave and holidays, as well as their personal and family privacy.
- Right to privacy from the use of video-surveillance and sound recording devices in the workplace: microphones may be installed only when the risks to the safety of installations, goods and persons arising from the activity taking place in the workplace are relevant. In addition, under no circumstances may video-surveillance systems be installed in changing rooms, toilets, dining rooms or places intended for the recreation of employees.
- Right to privacy when using geolocation systems in the workplace: employers may use geolocation systems to check the location of their employees, provided that employees and their representatives are informed about the existence and characteristics of these devices.
- Digital rights in collective bargaining: collective agreements are recognised as able to establish additional guarantees of the rights and freedoms related to the processing of employees' personal data and the safeguarding of digital rights in the workplace.
- Data protection of minors on the Internet: educational establishments and any person who publishes minors' personal data through social networks or similar services must obtain the consent of the minor or his or her legal representatives.
- The right to be forgotten on search engines and social networks: everyone has the right to obtain the deletion of personal information when it has become inadequate, inaccurate, irrelevant, out of date or excessive.
- Portability rights in social network and equivalent services: the right to transfer content and personal data from one social network to another automatically.
- Right to a digital will: persons linked to the deceased will be able to access social networks, e-mail or instant messaging services such as WhatsApp, as well as to modify or delete the information they contain. They may also decide to delete the profile.
In addition to these digital rights, the LOPDGDD gave political parties, coalitions and electoral groups the power to use data obtained through technological means to send electoral propaganda electronically or through messaging systems such as WhatsApp. This possibility was appealed before the Constitutional Court by the Ombudsman. As a consequence, the Spanish Data Protection Supervisory Authority (AEPD) issued a circular which states that, before they begin to process data, parties should submit to the AEPD, 14 weeks before the start of the election campaign, documentation specifying what measures they will take to assess the impact of data collection and mitigate risks.
Finally, regarding personal data related to minors, the GDPR gives Member States the option of establishing an age lower than 16, but no lower than 13, for obtaining valid consent. Article 7 of the LOPDGDD provides that the processing of a minor's personal data may only be based on his or her consent if he or she is over 14 years of age.
The Data Protection Act (2018:218) and the Data Protection Ordinance (2018:19) (the “DPA”) contain further regulations regarding data protection in the areas left open by the GDPR. The DPA contains regulations on the processing of data concerning criminal offences and on the processing of social security numbers. The DPA also contains provisions making the GDPR applicable outside its actual scope. However, the DPA is subsidiary to other laws and regulations, which may contain deviating provisions. Apart from the DPA there are a number of sector-specific acts, such as the Swedish Patient Data Act (2008:355), the Swedish Electronic Communications Act (2003:389), the Swedish Marketing Act (2008:486), the Swedish Criminal Data Act (2018:1177), etc.
From some perspectives, the PDPA may be deemed more rigid than the GDPR:
- The PDPA imposes liability on the Taiwan government agencies for any damages caused to the data subjects if a Taiwan government agency breaches the PDPA. That is, the Taiwan government agency would be held liable to Taiwan citizens for breach of the PDPA, even if the Taiwan government agency was not negligent.
- The PDPA still imposes formality requirements on the "consent" to be sought from data subjects, while the GDPR does not. For example, to obtain consent from data subjects for the collection and use of personal data, "written" consent must be obtained. To obtain valid consent from data subjects under the PDPA, the data controller must comply with its notification requirements by notifying the data subject of the matters required under the PDPA, whereas under the GDPR a data controller only needs to advise the data subject of the "purpose" of the collection in order to obtain valid consent.
Unlike under the GDPR, a person's appearance and clothing, as well as criminal convictions and security measures regarding a person, are also considered special categories of data under the DPL. Accordingly, a higher level of protection is provided for a wider range of personal data.
In addition to some of the rights provided for data subjects under the GDPR, under the DPL, data subjects are expressly provided with the rights to (i) request the notification to third parties to whom the personal data have been transferred of operations carried out such as rectification, erasure or destruction, (ii) object to any conclusion to the detriment of himself/herself, which results from analysis of the processed data exclusively by means of automated systems and (iii) request compensation for the damages incurred as a result of an unlawful personal data processing. The foregoing rights should also be included in the privacy notices provided for data subjects by the data controllers.
The Data Protection Act 2018 is a complete data protection system. As well as governing general data covered by the GDPR, it covers all other general data, law enforcement data and national security data. The Act also applies a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR. They give people specific privacy rights in relation to electronic communications. They implement European Directive 2002/58/EC and set out specific rules on marketing calls, emails, texts and faxes; cookies; keeping communications services secure; and customer privacy regarding traffic and location data. PECR was amended in 2019 to ban cold-calling of pensions schemes in certain circumstances.
The U.S. has not implemented the GDPR and does not otherwise have omnibus protection for personal data; rather, it has taken a sectoral approach. The Federal Trade Commission (FTC), the federal consumer protection regulator, enforces compliance with a company's published privacy policies as part of its general enforcement powers to enjoin deceptive business practices. States are starting to enact general data privacy statutes protecting personal data, such as the California Consumer Privacy Act (CCPA).