What key protections exist for personal data?

Technology (3rd edition)

Armenia Small Flag Armenia

The Law of Armenia on protection of personal (Data protection law) data guarantees the rights of natural persons (data subjects) and imposes mandatory requirements on processors of personal data, authorised persons and third parties. The Law does not use the term "controller", but uses the terms "processor" and "authorised persons" instead.

Data protection law provides a broad definition of "personal data". Personal data includes any information relating to a natural person that allows or may allow for the direct or indirect identification of that person's identity.

The Data Protection Law does not guarantee the protection of publicly available personal data, that is, information that either:

  • Becomes publicly available to certain persons or the general public with the data subject's consent or through conscious actions of the data subject aimed at making his or her personal data publicly available.
  • Constitutes publicly available information by law (such as a person's name, surname, year, month and day of birth, and place of birth).

The Data Protection Law defines "special category personal data" as information relating to a person's race, national identity or ethnic origin, political views, religious or philosophical beliefs, trade union membership, health, and sex life.

The Data Protection Law also defines "biometric personal data" as information relating to the physical, physiological and biological characteristics of a person.

The Data Protection Law covers personal data processing, that is, any operation or set of operations, regardless of the form and mode of implementation (automated, with or without use of technical means), related to the collection, input, systematisation, organisation, storage, use, alteration, restoration, transfer, rectification, blocking, or deletion of personal data, and any other operations involving personal data.

"Use of personal data" is defined as any operation performed on personal data that gives rise or may give rise to legal consequences for the data subject or third parties, or is otherwise related to the rights and freedoms of such persons, and which may be directly or indirectly aimed at issuing decisions or forming opinions, acquiring rights, granting rights or privileges, restricting or depriving of rights, or achieving any other purpose.

To obtain the data subject's written consent before processing personal data, a processor or authorised person must notify the data subject of its intention to process his or her data.

Before processing personal data, the data processor can notify the[Personal Data Protection Agency (PDPA) of its intention to process data. On request of the PDPA, a data processor must also notify the PDPA of any processing of personal data. A processor that intends to process biometric or special category personal data must notify the PDPA before such processing. Any notification to the PDPA must include the following information:

  • Name of the processor or authorised person (if any), as well as their registered office or place of registration (actual residence).
  • Purpose and legal grounds of the processing.
  • type of personal data being processed.
  • Number of data subjects.
  • List of operations performed on personal data and general description of the processing methods used by the processor.
  • Description of measures that the processor must undertake to ensure the security of the processing.
  • Start date of the processing.
  • Time limits and conditions for completing the processing.

The PDPA must enter the above information and date of notification in the register of processors. The PDPA can request additional information if the information submitted is incomplete or inaccurate. When there are changes to registered information, the processor must notify the PDPA within ten working days after the changes occur.

The processor must:

  • Provide the data subject or PDPA with information about the processing of personal data on request.
  • Carry out necessary operations for making personal data complete, keeping up to date, rectifying or deleting incomplete, inaccurate, outdated, or unlawfully obtained personal data or data unnecessary for achieving the purposes of the processing.
  • Delete or block personal data that are not necessary for achieving the legitimate purposes of the processing.
  • Use encryption keys.
  • Prevent access to process technologies by unauthorised persons and ensure that processed data are only accessed by lawful users.
  • Maintain the confidentiality of personal data processed for the performance of official or employment duties, including after completion of the processing.
  • Block personal data until the completion of control activities, if the reliability or lawfulness of the processing are challenged by the data subject or the PDPA.
  • Rectify personal data and unblock them in accordance with information submitted by the data subject or PDPA, if it is confirmed that personal data are inaccurate.
  • Correct violations of data protection rules if unlawful processing operations are revealed, or delete unlawfully processed personal data if it is impossible to correct violations.
  • Terminate the processing of personal data when the purpose of the processing is achieved, unless otherwise required by law.

In Armenia, the processing of personal data is deemed to be lawful if either:

  • The data subject has given his or her consent to the processing (except in cases provided by law).
  • The processed data is obtained from a publicly available source.

The data subject can give his or her consent in person or through a representative if a power of attorney specifically provides for such power.

The data subject can withdraw his or her consent in cases prescribed by the Data Protection Law and other laws.

The data subject must in principle give his or her consent in writing or electronically (validated by an electronic digital signature) or it may be via implicit action.

The data subject's consent is deemed to be given and the processor has the right to process personal data where any of the following applies:

  • Personal data are included in a document addressed to the processor and signed by the data subject, except when the document objects to the processing of such personal data.
  • The processor has obtained personal data under an agreement concluded with the data subject and uses such data for the purposes of implementing that agreement.
  • The data subject voluntarily provides information orally on his or her personal data to the processor for use purposes.

In the case of incapacity or limited capacity of the data subject, or if the data subject is under the age of 16, consent must be given by their legal representative (for example, a parent, custodian, and so on).

In the case of death of the data subject or a court judgment declaring him or her dead, consent to process his or her personal data must be given by all his/her legal heirs or the head of the community of the place of opening of the succession (if there are no legal heirs). If the data subject is declared missing, consent must be given by the trust manager of the data subject's property.

If consent is not given, the processing of personal data is deemed to be lawful in the following cases:

  • The processed data is obtained from a publicly available source.
  • The data subject has died and the data being processed are his or her name, gender, year, month and day of birth and death.
  • The processed data concerns the personal life of a deceased public figure in the fields of culture, arts, science, education, sport, religion or other public field, and 50 years have elapsed since the day of that person's death.
  • Other cases provided by law.

Special category and biometric personal data cannot generally be processed without the consent of the data subject. The processing of special category personal data must be terminated when the purpose of the processing no longer exists.

The Data Protection Law and other laws list the cases in which special category and biometric personal data can be processed without the data subject’s consent.

There are additional technical requirements for the protection of biometric personal data.

Dominican Republic Small Flag Dominican Republic

Law 172-13 regarding the protection of personal data has as a primary objective to protect all individuals’ personal data contained in archives, public registries, databanks and all other banking and/or technical sources of information and data processing for reporting purposes, be them public or private, “data of a personal nature registered in any databank which makes it susceptible to being processed and treated, and to all other modality of subsequent use of this data in either private and public fields” within the Dominican Republic. This law also addresses sanctions for illegal access to confidential security systems of personal data, obligations to secure and protect personal data archives; requests for international transfer of personal data; and specifically regulates the confidential personal data retrieved by credit bureaus -among other important dispositions.

Law 172-13 is further complemented by the guidelines set forth in Article 5 of the Law, which establish that "all data issued through telecommunication services are confidential and inviolable", with the exceptions of (i) legal intervention subject to applicable common law and (ii) stipulations set forth in applicable special laws. It further mandates that public telecommunications service providers are obligated to "protect such inviolability".

Egypt Small Flag Egypt

Please note that Egypt does not currently have a law that regulates protection of personal data, in general. However, a draft law regulating the protection of personal data is now being discussed by the Parliament (“Data Protection Law Draft”). The scope of said law shall apply to any personal data of Egyptian or non-Egyptian natural persons which is electronically processed by any possessor or controller in Egypt.

This said, there are some provisions in connection with data protection governing the collection, use, transferring and processing of personal data in different laws and regulations in Egypt including:

  1. Constitutional principles concerning individuals’ right to privacy under the Egyptian Constitution;
  2. Insurance Law No. 10 of 1981;
  3. the general principles on compensation for unlawful acts under the Egyptian Civil Code;
  4. Some penal provisions under the Egyptian Penal Code No. 58/1937;
  5. Labour Law No. 12 of 2003 (“Labour Law”), which protects the confidentiality of certain employee’s information;
  6. Banking Law No. 88 of 2003, which protects the confidentiality of customer banking information; and
  7. Telecommunications Law, which provides for the privacy of telecommunications and imposes penalties, which account to imprisonment in some cases on the unauthorized violation of such privacy.

Further, the Cyber Crimes Law provides for a number of protections to the personal data (breach of such protections may be considered as criminal offences); including:

  1. Any Service Provider (as defined above) is under an obligation to maintain the confidentiality of the stored information unless the prior approval of the relevant customer is granted or by virtue of a court order; and
  2. Any Service Provider is prohibited from providing any personal information to any other website or company in order for the same to use this information to market products or services.

In addition to the above, please note that the new Consumer Protection Law No. 181 of 2018 prohibits any person from disclosing any information relating to the customer without the customer's prior explicit approval. Breach of such obligation shall be punishable by a fine of no less than EGP 30,000 and no more than EGP 1,000,000.

In addition to the criminal liability, please note that data that is considered pertinent to the person's private life may not be transferred without that person's prior approval. In this regard, please note that (i) definition of data pertinent to the person’s private life is not clear and there is no concrete criteria that can be examined; and (ii) the concept of data pertinent to the person’s life is a constantly evolving concept. Accordingly, this would be subject to the discretion of the court to interpret in the event of a dispute.

Estonia Small Flag Estonia

There are two main legal acts which provide for the protection of personal data: the Regulation (EU) 2016/679 of the European Parliament and of the Council (the GDPR) and the Estonian Personal Data Protection Act. However, the key obligations for entities processing personal data are stipulated in the GDPR. The Estonian Personal Data Protection Act mostly specifies certain provisions.

In addition to the two main legal acts, there are more than 100 special laws in Estonia which contain specific data protection clauses.

France Small Flag France

The General Data Protection Regulation 2016/679 issued by the EU Parliament and Council on 27 April 2016 (RGPD) replaced the existing legislation on 25 May 2018, leaving only a residual room for implementing legislation at the national level.

Under the GDPR, personal data may be collected and further processed only under certain conditions, such as when the concerned person (‘data subject’) has consented; when it is necessary for the performance of a contract to which the data subject is a party, or to comply with a legal obligation imposed on the data controller; where it is necessary to safeguard an individual’s vital interests or for the performance by the data controller of its public interest mission or official authority; or where there is a ‘legitimate reason’ for the processing, provided this does not harm the data subject's fundamental rights and freedoms.

The ‘data controller’ (i.e. the person who determines the purposes and means of the data processing) must comply with other key protections such that the personal data is processed lawfully, fairly and in a transparent manner; it is collected for specified, explicit and legitimate purposes and is subsequently processed in accordance with these purposes; it is collected only in as far as it is adequate, relevant, and non-excessive in view of the purposes for which it is collected (‘data minimisation’); it is accurate and, when necessary, kept up to date; it is not retained for longer than necessary in light of the purposes for which it is processed. Most importantly, the data controller must implement appropriate organizational and technical measures to ensure the security and confidentiality of the personal data, both against unauthorized or unlawful processing and against accidental loss, destruction or damage.

More stringent rules are provided for in respect of sensitive data, defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, and data concerning health, sex life or sexual orientation.

Data subjects are granted certain specific rights that include the right to access their personal data and to request correction, deletion and/or portability of such data.

Individuals residing in France may file claims with the national regulatory authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). Due to the notoriety of the RGPD, the number of such claims rose by 32% in 2018.

China Small Flag China

Personal information, defined as information that may alone or in combination with other data identify a person, is protected primarily by the PRC Cybersecurity Law (supplemented by a number of national standards, including the Information Security Technology - Personal Information Security Specification and the Information Security Technology - Guideline for Personal Information Protection within Information Systems for Public and Commercial Services). Key protections include the requirement to obtain consent from data subjects for the collection as well as further uses of the personal information, the requirement on some operators to undergo security assessment procedures prior to an overseas transfer (see below, Question 16) and such further general principles as ‘legitimacy, rightfulness and necessity’ in the collection and use of personal information. The PRC Consumer Protection Law sets similar requirements on the collection of consumer information by business operators. Other high-level laws, e.g., the PRC Tort Law, the PRC Civil Code and the PRC Criminal Law, provide general privacy protections.

Israel Small Flag Israel

Israeli law has a high regard for the protection of privacy. Section 7 of the Basic Law: Human Dignity and Freedom, 1992, entitled “Privacy and Secrecy of the Individual”, expressly protects privacy as a basic right of human dignity, elevating it to the status of a fundamental, constitutional right. At the same time, the right to privacy and the protection of personal data is regulated by the Protection of Privacy Law, 1981 (the 'Privacy Law').

The Privacy Law is viewed as providing for a broad scope of protection, enumerating several activities, each of which constitutes an unauthorized invasion of the privacy of another if done without consent. Consent under the Privacy Law refers to a "knowledgeable consent", such that the individual should receive sufficient information regarding the specific matter in order to be able to assess whether or not to provide his/her consent, and in general the Privacy Law recognizes both explicit and implicit consent.

Some of the activities that are prohibited under the Privacy Law if done without consent include, inter alia: (a) Eavesdropping prohibited under law; (b) Copying or using without permission of the addressee or writer, the content of a letter or any other writing (including electronic communications) not intended for publication; (c) Infringing a duty of secrecy laid down by a statute in respect of a person’s private affairs; and (d) Using, or passing onto another, information on a person’s private affairs otherwise than for the purpose for which it was given.

In addition, the Privacy Law also regulates the matter of computerized databases[4] containing personal data and the responsibilities of owners (data controllers), holders (data processors) and managers of such databases. Such responsibilities include, inter alia, registration of databases with the Databases Registrar (the 'Registrar') within the Israeli Protection of Privacy Authority in the Ministry of Justice (the 'PPA') when one or more of the conditions for registration under the Privacy Law are met; to provide a privacy notice to data subjects outlining the data practices relating to the personal data collected; access and correction rights to data subjects; security of the databases; direct marketing; engagement with third parties processing personal data, etc.

[4] A "database" is defined under the Privacy Law as "a collection of data, maintained by magnetic or optical means and intended for computer processing".

Italy Small Flag Italy

The key protections for personal data are set in Regulation (EU) no. 2016/679 (“GDPR”), in Legislative Decree no. 101/2018 (“Decree”) and in Legislative Decree no. 196/2003 (“Privacy Code”), as amended. Important rules are contained, in addition, within the decisions and measures issued by the Italian Data Protection Authority (“IDPA”).

Unlawful data processing may lead to an obligation to compensate damages caused to the data subject(s) affected and, even more importantly, data unlawfully processed cannot be used in Court or otherwise.

Under very specific circumstances, the infringement of data protection rules can lead to the application of criminal sanctions.
It should be noted that the Privacy Code contains a specific section on electronic communications services (Section X, Section 121 and following) that governs, among others, traffic data, data on the location of the subscriber or user, line identification, unsolicited communications sent via automated means, data retention and security requirements.

One of the crimes under the Privacy Code specifically refers to the unlawful processing of personal data in the telecommunications sector. The conduct referred to under Section 167, para. 1, of the Privacy Code - punished with imprisonment from six months to one year and six months - concerns the violation of the provisions protecting the data subject in the electronic communication services: in particular, the provision sanctions the conduct of those who illegally process traffic data (Section 123), location data (Section 126), as well as the subject who sends unsolicited communications (c.d. spam) referred to in Section 130, or carries out processing activities in violation of the IDPA’s measures relating to the use of personal data relating to printed or electronic directories available to the public.

Japan Small Flag Japan

The Act on the Protection of Personal Information (the APPI) is a comprehensive, cross-sectorial framework for the protection of personal information. While the APPI regulates private businesses using personal information, use of personal information by the public sector is separately regulated by certain laws and local ordinances. The APPI is implemented by cross-sectoral administrative guidelines prepared by the Personal Information Protection Committee (the Committee). With respect to certain sectors, such as medical, financial and telecommunications, sector-specific guidance and guidelines are published by the Committee or the relevant governmental ministries given the highly sensitive nature of personal information handled in those sectors. Self-regulatory organisations and industry associations have also adopted their own policies or guidelines. In addition, the Act on Utilisation of Numbers to Identify a Specific Individual in Administrative Procedures provides special rules concerning the handling of “individual numbers”, which are granted to each resident of Japan under the Individual Social Security and Tax Numbering System (known in Japan as the “My Number System”), and other specific personal information (i.e., personal information containing any “individual number”).

The obligations of all business operators handling “personal information” include: (i) specifying and notifying the purposes for which the personal information is used and processing the personal information only to the extent necessary for achieving such specified purposes; and (ii) not using deceptive or wrongful means in collecting personal information.

In addition, business operators handling “personal data” (i.e., personal information constituting a personal information database) are subject to certain obligations, such as: (i) endeavouring to keep the personal data accurate and up to date to the extent necessary for the purposes of use; (ii) undertaking necessary and appropriate measures to safeguard personal data; (iii) conducting necessary and appropriate supervision over its employees and its service providers who process its personal data; (iv) not providing personal data to any third party without the prior consent of the relevant individual (subject to certain exemptions); (v) preparing and keeping records of third-party transfers of personal data; and (vi) when acquiring personal data from a third party other than data subjects (subject to certain exceptions), verifying the name of the third party and how the third party acquired such personal data.

Business operators handling “retained personal data” (i.e., personal data that a business operator has the authority to disclose, correct, add content to or delete content from, discontinue the use of, erase, and discontinue its provision to a third party) are required, among other things, to: (i) make accessible to the relevant individual certain information regarding the retained personal data; and (ii) respond to a request of the relevant individual to, e.g., provide a copy of retained personal data to such individual, correcting, adding or deleting the retained personal data, or discontinuing the use of or erasing such retained personal data.

The APPI imposes stringent rules for “sensitive personal information”, which includes race, beliefs, social status, medical history, criminal records and the fact of having been a victim of a crime, and disabilities.

The APPI provides for special rules for “anonymized personal data”, which must meet certain requirements under the APPI. Business operators that created or retain such anonymized personal data are subject to certain obligations (e.g., disclosure of the creation of such anonymized personal data and prohibition of re-identification) but no consent of the data subject is required for the use or provision of such anonymized personal data.

Malaysia Small Flag Malaysia

The Personal Data Protection Act 2010 (“PDPA”) and its subsidiary legislation regulates the processing of personal data in commercial transactions and applies to anyone who processes and has control over or authorises the processing of any personal data in respect of commercial transactions.

The PDPA establishes 7 key principles which must be complied with by data users when processing personal data: (i) consent; (ii) notice and choice; (iii) disclosure; (iv) security; (v) retention (vi) data integrity; and (vii) access. The PDPA also requires data users to have adequate security and indemnity measures to inhibit the theft, misuse, unauthorized access, accidental disclosure, alteration or destruction of personal data under their care.

Codes of practice may be implemented by various data user forums or the Personal Data Protection Commission for various classes of users in differing sectors. These codes of practice would have a binding effect on the various classes of users registered with the Personal Data Protection Commission.

Following the implementation of the European Union’s General Data Protection Regulation (“GDPR”), the Malaysian government is reviewing the PDPA to comply with international requirements on personal data protection, including the GDPR. However, there is no definite timeframe for the implementation of updates to the PDPA.

Malta Small Flag Malta

In addition to the protections provided in the Data Protection Act, Chapter 586 of the Laws of Malta and the General Data Protection Regulations made under that Act, which implement the provisions of the EU’s GDPR, it is pertinent to note the additional protections afforded through the provisions of the Processing of Data (Electronic Communications Sector) Regulations (SL 586.01) and the Electronic Communications Networks and Services (General) Regulations (S.L. 399.28).

The Processing of Data (Electronic Communications Sector) Regulations (SL 586.01) regulate data protection in the electronic communications sector. Thus, for instance, regulation 20 establishes that services providers must retain certain categories of data necessary to:

  • trace and identify the source of a communication;
  • identify the destination of a communication;
  • identify the date, time and duration of a communication;
  • identify the type of communication;
  • identify users’ communication equipment or what purports to be their equipment; and
  • identify the location of mobile communication equipment.

The Electronic Communications Networks and Services (General) Regulations (S.L. 399.28), on the other hand, requires undertakings which provide publicly available electronic communications services to inform subscribers and users (where possible) about the existence of any situations allowing the contents of communications to be unintentionally made known to persons who are not party to them. It also covers industry-specific considerations such as the obligation of telecoms undertakings to provide users with simple and free of charge solutions for the prevention of calling-line identification, preventing the presentation of the calling line identification of incoming calls and the rejection of incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber, and stopping automatic call forwarding by a third party to the terminal of that subscriber’s without delay. Such calling line identification prevention may be overridden when a subscriber requests the tracing of malicious or nuisance calls received on his/ her line or where the undertaking deems it necessary or expedient to trace any such calls.

New Zealand Small Flag New Zealand

The Privacy Act regulates the collection and processing of personal information. The Privacy Act currently contains twelve Information Privacy Principles (the "Principles") which apply to "personal information" (being information about an identifiable individual). The Principles relate to the manner and purpose of collection, storage, access, use, retention, disclosure and deletion of personal information. The consent of the individual concerned is not always required for the collection and processing of personal information, but it must always be lawfully obtained and managed in accordance with the terms of the Privacy Act.

The Privacy Act applies to "agencies", which is defined very broadly and would capture government agencies as well as private organisations.

In addition to the above, agencies providing personal or public health or disability services are also subject to the Health Information Privacy Code 1994, which includes specific rules regarding the processing of health information.

A Bill to amend the Privacy Act is currently before Parliament. Key proposed changes include:

  • the introduction of a mandatory breach notification regime for certain privacy breaches;
  • specific reference to overseas agencies, bringing them within the coverage of the Privacy Act to the extent they undertake regulated activities in the course of carrying on business in New Zealand; and
  • clarification that the Privacy Act will apply to all actions by a New Zealand agency, whether inside or outside of New Zealand.

Europe's GDPR may also be applicable to organisations operating in New Zealand where their activities fall within its jurisdiction.

Germany Small Flag Germany

The key protection for personal data is found in the GDPR (DS-GVO)[7] and the new version of the German Federal Data Protection Act (BDSG).[8] Since 25th May 2018 the GDPR and the revised BDSG have been in force. The new regulation on the protection of personal data for the whole of the European Union pursues the objective to ensure a quite harmonized approach to data protection within all member states. In general, the GDPR can be considered to be very strict, particularly due to the very high fines it imposes for breaches.

In accordance with Art. 6 GDPR the processing of personal data shall only be lawful if and to the extent that a statutory permission is applicable or the data subject has given consent to the processing. Art. 6 (2) GDPR permits the processing of personal data in particular to the extent necessary for the performance of a contract (lit. b), for compliance with a legal obligation (lit. c) and in case of prevailing interests of the data controller (lit. f) as general permissions.

In addition, German law also contains sector specific protection for personal data. Section 88 TKG is an important provision for the telecoms sector as it stipulates the requirement of secrecy of telecommunications. Further telecom-specific regulations on data protection are found in sections 91 et seqq. TKG. The data protection regulations of the TKG, which have been issued to implement the directive 2002/58/EG, will continue to be applicable in accordance with Art. 95 GDPR.

In respect of electronic information and communication services (“telemedia”) which are not consider telecommunications, in particular websites, specific protection rulings were found in sections 11 et seqq. in the Telemedia Act (TMG).[9] However, since the GDPR came into force, it was unclear whether the special regulations of the TMG remain applicable. The TMG was until now not adapted to the new data protection laws. In this regard the DSK (Datenschutzkonferenz, a joint committee of the data protection authorities of the German federal states) issued a position paper in April 2018. Hereinafter the sections 12, 13, 15 TMG are no longer applicable. Sections 67 et seqq. of the Volume X of Social Security Statute Act (SGB X)[10] contain special provisions protecting social data which have been revised in the context of the GDPR and continue to apply in this respect.

[7] Datenschutzgrundverordnung
[8] Bundesdatenschutzgesetz neu 2018
[9] Telemediengesetz
[10] Zehntes Buch Sozialgesetzbuch

Indonesia Small Flag Indonesia

Consent requirement

During the processing of personal, the Electronic System Provider (“ESP”), as the entity collecting and processing personal data, is responsible to protect the personal data. The protection of personal data shall be made by ESP through ensuring that any action taken toward the personal data is made based on the data subject’s consent. Consent must be obtained during the collection personal data, which must be made in form written in Indonesian language. Consent must be obtained after the data subject has received a full explanation regarding the activity that will be conducted toward the personal data as well as the purpose of personal data collection.

Rights of personal data owner

Personal data owner has the following rights in relation to his personal data:

1. right to confidentiality of his personal data;
2. right to submit complaint to MCI to settle personal data dispute for any breach of personal data by ESP;
3. right to access or to have the opportunity to change or update his personal data without interfering the personal data management, unless stipulated otherwise by laws and regulations;
4. right to access or have the opportunity to obtain personal data history that is once provided to ESP as long as it is in accordance with the applicable laws and regulations;
5. right to request for obliteration of certain personal data in the electronic system managed by the ESP, unless stipulated otherwise by other laws and regulations.

Pakistan Small Flag Pakistan

The unauthorized access, unauthorized copying, transmission of data or information system with the intent of injury, wrongful gain, wrongful loss or harm to any person shall be treated as a punishable offence. The Federal Government or PTA, as the case may be, may issue directives to be followed by the owners of the designated information systems or service providers in the interest of preventing any offence under applicable law. Whoever obtains, sells, possesses, transmits or uses another person’s identity information without authorization is a punishable offence.

Further, all licensees of PTA are required to take all reasonable steps to ensure that those of its employees who obtain, in the course of their employment, information about customers of the licensee or about the customer's business ("Customer Information"), observe the provisions of a code of practice on the confidentiality of Customer Information (the "Confidentiality Code"). Such Confidentiality Code is required to be prepared by the licensee in consultation with PTA and shall, (a) specify the persons with whom Customer Information may not be disclosed to without the prior consent of that customer; and (b) regulate the Customer Information which may be disclosed without prior consent of that customer.

Additionally, all licensees of PTA are required to maintain confidentiality of information about consumers and also require each licensee to ensure that no information about consumers’ use of network or service is made available to any third person other than what is printed and published in services directories, agreed by the consumer or required by applicable law. We note from experience that a license granted to a licensee of PTA in Pakistan, generally inter alia contains a provision; that information about customers may only be disclosed to a third-party if the following conditions are complied with; (a) nature of the information to be disclosed has been specified; (b) recipient of the information is disclosed; (c) purpose of the disclosure has been provided; and (d) the customer has provided consent to such disclosure.

A draft data protection bill is in the process of being promulgated, which provides for certain additional protections to all data subjects, in terms of a data controller processing personal information of such data subjects. Pursuant to the law, the definition of the term “personal data” has been widened to include inter alia any information that related directly or indirectly to a data subject whereby, a data controller shall (when once the law is promulgated) be required to provide to the data subject in written notice, the legal basis for the processing of personal data and time duration for which the data is likely to be processed and retained thereafter.

The standards to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction shall be prescribed by the National Commission for Personal Data Protection (the “NCPDP”), a body envisaged to be incorporated under the new data protection legislation. However, since the law has not yet been promulgated, the requirements thereunder are not yet applicable.

Romania Small Flag Romania

On May 2018 the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) became directly applicable in Romania.

As a consequence, the former Romanian national legal framework has been repealed and new attributions have been granted to the National Supervisory Authority for Personal Data Processing (“Data Protection Authority”) by Law no. 129/2018 for modification and completion of Law no. 102/2005 regarding the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing and repealing Law no. 677/2001 with regard to the processing of personal data and on the free movement of such data (“Law 129/2018”).

Law 129/2018 mainly refers to the powers of the President of the Data Protection Authority, the control and claims settlement attributions of the said authority and the judicial remedies available to data subjects.

In order to implement the provisions of article 9 paragraph (4) and articles 37-39, 42, 43, 83, 87-89 of GDPR, Romania has also adopted Law no. 190/2018 on GDPR implementing measures (“Law 190/2018”).

The implementing measures provided by Law 190/2018 mainly refer to the following:

  • the processing of genetic data, biometric data or data concerning health for an automated decision-making or profiling should be made based upon the explicit consent of the data subject or an express legal provision and with the establishment of appropriated measures;
  • the processing of a national identification data (personal identification number, identity card’s series and number, passport and driver license number, health social security number) and collection or disclosure of the documents that contain the same can be made only in accordance with article 6 paragraph (1) of GDPR; in case of a processing based upon letter f) of article 6 paragraph (1) of GDPR, the controller or the third party should establish certain warranties;
  • data processing in the context of employment; in case an employer utilizes monitoring systems by electronic and / or video means, the processing of employees’ personal data based on employer’s legitimate interest is permitted only under certain specific conditions set out by Law 190/2018;
  • for the processing of personal data and of special categories of personal data in the context of fulfilling a task carried out in the public interest, the controller or the third party should establish certain warranties set out by the law;
  • the processing of personal data carried out for journalistic purposes or the purpose of academic artistic or literary expression can be made if the used data have been explicitly made public by the data subject or such data are closely linked to the capacity of the data subject as a public person or to the public character of the data subject facts;
  • derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes are granted pursuant to article 89 of GDPR;
  • the processing of personal data and of special categories of personal data by political parties, nongovernmental organizations of citizens belonging to national minorities and nongovernmental organization is permitted without the consent of the data subject, subject to certain warranties;
  • the designation and the tasks of the data protection officer are in line with the ones provided by articles 37-39 of GDPR;
  • the accreditation of certification bodies provided by article 43 of GDPR shall be made by Romanian Accreditation Association (in Romanian language - Asociația de Acreditare din România – RENAR) according to the EN-ISO/IEC 17065 standard and supplementary requirements issued by the Data Protection Authority; the corrective measures and penalties for public authorities and bodies are derogatory and refer to a remedy plan and the level of maximum fine (Ron 200,000, approximately EUR 43,000).

During 2018, the Data Protection Authority supplemented the regulatory framework for protection of personal data with rules and procedures regarding (i) the receipt and resolution of complaints by the Authority (Decision no. 133 issued on July 3, 2018), (ii) how investigations are to be conducted (Decision no. 161 issued on October 9, 2018) and (iii) operations for which a data protection impact assessment is mandatory ( Decision no. 174 issued on October 18, 2018).

South Korea Small Flag South Korea

The Personal Information Protection Act (“PIPA”) is Korea’s comprehensive general law on personal data protection. In addition, there are a set of special laws regulating the processing of personal data in specific industries. For example, most notably, the Network Act regulates the processing of users’ personal data by information and communications service providers, while the Utilisation and Protection of Credit Information Act governs the processing of personal credit information by financial institutions and credit companies. The Act on the Protection and Use of Location Information regulates the processing of location information.

Spain Small Flag Spain

In Spain, until 25 May 2018, personal data has been regulated under Organic Law 15/1999, of 13 December 1999, on the Protection of Personal Data ("LOPD") and Royal Decree 1720/2007, of 21 December 2007, that approves the implementation of Regulation of the LOPD ("RLOPD"). Since the 25 May 2016, the GDPR has partially de-regulated both the LOPD and the RLOPD and is now the main regulation that sets out how personal data shall be processed in Spain. A new Spanish data protection act, which implements and complements the GDPR, was adopted on December 2018; the LOPDGDD.

The GDPR lays down many obligations for companies that process personal data within the EU and/or personal data of EU nationals. In general terms, under the GDPR personal data shall be processed in accordance with the data protection principles ("lawfulness, fairness and transparency"); collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation"). Other obligations include the need to satisfy the data protection rights of data subjects, to notify the Spanish Data Protection Supervisory Authority (Agencia Española de Protección de Datos, in Spanish or "AEPD") of personal data breaches, the need to have in place a record of processing activities, the obligation to adopt appropriate security measures or the need to respect the restrictions for international transfers of personal data.

Sweden Small Flag Sweden

The key protections are mainly laid out in the GDPR, together with some supplementary Swedish legislation. In summary, the following can be said about the protection.

Basic principles

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Furthermore, data controllers are obliged to be able to demonstrate that, and how, they fulfil the obligations of the GDPR (accountability).

Legal basis

All processing of personal data has to rest on at least one of the six legal grounds set out in the GDPR. The six legal grounds are the following:

  • Processing of personal data that emanates from consent from the data subject. The consent can cover one or several specific purposes.
  • Processing of personal data that is necessary to fulfil a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing of personal data that is necessary to fulfil a legal obligation.
  • Processing of personal data that is necessary to protect vital interests of the data subject or other natural persons.
  • Processing of personal data that is necessary to carry out a task that is of public interest, or in line with the exercise of official authority of the data controller.
  • Processing of personal data that is necessary for purposes of legitimate interests pursued by the data controller or a third party. This does not apply when interests or fundamental rights and freedoms of the data subject require protection of the personal data, especially when the data subject is a child. The exclusion cannot be applied to processing executed by public authorities in the performance of their tasks.

Information duty

It must be clear for the data subjects how their personal data are processed. Accordingly, the data subjects must be made aware of the processing of personal data per se, why the data is being processed, and how it is used. Understandable information must be provided by the data controller about the processing and in a manner which makes it easy for the data subjects to find the information. If the data subjects are children, the language needs to be even clearer. See articles 13 and 14 of the GDPR.

Rights of the data subjects

Data subjects have a number of rights listed in the GDPR. These are mainly laid out in articles 15 up to and including 21 and comprise the following rights:

  • Right to information and access by the data subject;

  • Right to rectification;
  • Right to erasure;
  • Right to restriction of processing;
  • Right to notification of erasure or restriction of processing;
  • Right to data portability; and
  • Right to object.

The data subjects have the right to receive the personal data provided to a data controller in a structured, commonly used and machine-readable format (Right to access). Upon request from the data subject, the personal data is under certain circumstances to be erased (Right to erasure). Moreover, the data subject has the right to transfer those data to another data controller without hindrance where (i) the processing is based on consent pursuant to point (a) of article 6(1) or point (a) of article 9(2) or on a contract pursuant to point (b) of article 6(1); and (ii) the processing is carried out by automated means (Right to data portability). When it is technically feasible, the data subject has the right to have personal data transmitted directly from one data controller to another.

It shall also be noted that more stringent rules apply to ‘sensitive’ personal data (e.g. personal data relating to health or trade union membership).

Taiwan Small Flag Taiwan

The Personal Data Protection Act of Taiwan (the “PDPA”) adopts a regulatory framework similar to GDPR. The PDPA is a general law regulating the collection, processing and use of personal data in Taiwan. The PDPA defines “personal data” as a natural person’s name, date of birth, national identification number, passport number, physical appearance, fingerprint, marital status, family background, educational background, occupation, medical history, medical treatments, genetic data, sex life, health check results, criminal record, contact information, financial condition, social activities and any other information that may be used to directly or indirectly identify a natural person.

The PDPA requires, among others, that a data owner’s collection and processing of personal data must be for specific purpose(s) and have at least one of the legal grounds prescribed under Article 19 of the PDPA. Moreover, under the PDPA, a data collector must inform the data subject of the following information at the time of collection: (i) the identity of the data collector; (ii) the purpose(s) for which his/her data is collected; (iii) the type of data collected; (iv) the term, place and method of use and the persons who may use the data; (v) the data subject’s rights in relation to his/her personal data under the PDPA; and (vi) the consequences of his/her failure to provide the required personal data.

Turkey Small Flag Turkey

The Law No. 6698 on Protection of Personal Data (DPL) provides the principles and procedures as to processing of personal data. Under the DPL, processing personal data requires either explicit consent of the data subjects, in principle, or existence of one of the legal grounds set out under Article 5 of the DPL (such as legitimate interest, performance of a contract or legal obligation etc.). DPL also requires data controllers to inform the data subjects regarding the purpose of data processing, the identity of the data controller, the persons to whom data will be transferred and the reasons of these transfers, the method and legal reason of data collection and their rights during collection of their personal data.

United Kingdom Small Flag United Kingdom

Personal data (being any data which - alone or in combination with other information in the hands of the party in question - would enable a living person to be individually identified) is subject to detailed regulation and protection by way of the General Data Protection Regulation (GDPR).

The main rights afforded to individuals generally under the GDPR are:

  • the right to be informed - individuals have the right to be informed about the collection and use of their personal data;
  • the right of access - individuals have the right to access their personal data and supplementary information. This right allows individuals to be aware of and verify the lawfulness of the processing;
  • the right to rectification - individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete;
  • the right to erasure - individuals have the right to have personal data erased;
  • the right to restrict processing - individuals have the right to request the restriction or suppression of their personal data;
  • the right to data portability - individuals have the right to obtain and reuse their personal data for their own purposes across different services; and
  • the right to object - individuals have the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest / exercise of an official authority; (ii) direct marketing; and (iii) processing for the purposes of scientific or historical research and statistics.

Under the GDPR, data controllers may only collect and process personal data when certain specific conditions are met, including:

  • where the data subject has consented;
  • where it is necessary for a contract to which the data subject is a party; and
  • where there is a "legitimate reason" for processing which does not itself damage the data subject's rights, freedoms or own legitimate interests.

More stringent rules apply to special categories of personal data (e.g. as to health or sexual orientation etc.).

All data controllers must take appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing, and against accidental loss of or destruction of personal data. The ICO does not mandate any particular standard in this regard but recommends adherence to ISO 27001.

United States Small Flag United States

The U.S. does not have omnibus protection for personal data; rather, it has taken a sectoral approach. Health related information is protected under the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA's Privacy Rule (and the privacy requirements under the HITECH Act) regulate the use and disclosure of protected health information by "covered entities", such as health plans, insurers and medical service providers, as well as "business associates", such as contractors and other service providers to covered entities. Individuals have a right to know the protected health information held by a covered entity and to require the correction of inaccurate information. HIPAA's Security Rule requires covered entities and business associates to maintain administrative, physical and technical measures to protect health information.

Consumer financial data is protected under the Financial Privacy Rule pursuant to the Gramm-Leach-Bliley Act ("GLBA"). The Privacy Rule requires financial institutions to provide privacy notices to consumers that permit them to opt out of sharing financial data with unaffiliated third parties. GLBA's Security Rule requires written security procedures to be in place for the safeguarding of consumer financial information. The Fair Credit Reporting Act ("FCRA") and the Fair and Accurate Credit Transactions Act ("FACTA") regulate the use of consumer credit information, entitle consumers to a free copy of their credit report from each credit reporting agency and provide for disputing inaccurate information.

The FTC, under its general Section 5 authority to prevent unfair and deceptive practices, also enforces protections for personal data by requiring companies to observe the promises made by a company in its privacy policy.

All 50 states have enacted legislation requiring notice to customers when a security breach has or is reasonably believed to have exposed a consumer's personal information. Personal information under data breach is typically defined as a first name or initial, a last name, plus a social security number, driver's license or state ID number or an account number with a password or PIN. Recently, states have expanded this definition to include login credentials plus password. Recently, some states have begun to include biometric information as personal data for purposes of breach notification laws. The threshold for notice, timing requirements and liability vary by state.

There are also recent developments in state law that are expanding privacy protections beyond specific sectors. When the California Consumer Privacy Act of 2018 (“CCPA”) comes into effect in 2020, all businesses in California will have to observe restrictions on data monetization, accommodate individuals' rights to access, deletion, and porting of personal data.

Australia Small Flag Australia

The Privacy Act 1988 (Privacy Act) regulates the collection and handling of personal information. The Australian Privacy Principles (APPs), which comprise Schedule 1 to the Privacy Act, contain 13 key protections for personal information, and regulate the following activities with respect to personal and sensitive information (as those terms are defined in the Privacy Act):

(a) collection, use and disclosure;

(b) direct marketing (to the extent the provisions of the Spam Act 2003 (Cth) or the Do Not Call Register Act 2006 (Cth) do not apply);

(c) cross-border disclosure; and

(d) security.

Consent is not always needed for the collection of personal information, however it must be lawfully obtained in accordance with the requirements of the Privacy Act. Once collected, subject to limited exceptions, APP 6 provides that personal information may only be used or disclosed by an organisation where an individual has either expressly or impliedly consented to such activities or would reasonably expect their personal information to be used for such purposes. Breach of an APP is considered an interference with privacy, and such a breach is subject to the same penalties as any other contravention of the Privacy Act.

The APPs are binding on government agencies and organisations, with small businesses being exempt. However, it is considered good practice to comply with the APPs despite not being bound to do so.

Updated: August 27, 2019