What key protections exist for personal data?


United States

Sector-specific federal laws protect personal information in certain industries, such as health care, financial institutions, and telecommunications companies. Personal information is defined differently by the federal sector-specific statutes and their respective implementing regulations. For example, the federal Health Insurance Portability and Accountability Act (HIPAA) and its regulations require “covered entities,” such as hospitals and doctors’ offices, and “business associates,” which provide healthcare-related services to covered entities, to implement administrative, physical, and technical measures to prevent the disclosure of “protected health information” to unauthorized persons. The federal Department of Health and Human Services (HHS) can impose penalties against covered entities and business associates that fail to implement such required protections. HHS has imposed multi-million dollar penalties and has entered into settlement agreements with covered entities and business associates with multi-million dollar payment requirements.

Federal banking regulators, such as the Federal Deposit Insurance Commission (FDIC), can impose fines against FDIC-member banks that violate data security regulations, such as the Interagency Guidelines. The Federal Communications Commission (FCC) can similarly impose penalties against telecommunications companies that fail to secure “customer proprietary network information” (CPNI).

The Federal Trade Commission (FTC) has applied section 5 of the Fair Trade Commission Act to impose fines and to require corrective action by companies that represent that they will secure customers’ personal information and fail to do so. The FTC has brought section 5 cases against companies that fail to implement security measures to protect personal information regardless of whether the companies made any security representations to potential customers.

Forty-eight of the 50 states in the United States, as well as Washington, D.C., Puerto Rico, the U.S. Virgin Islands, and Guam, have enacted data breach notification statutes that require businesses and other entities to notify customers, patients, employees, or other affected individuals when “personal information” has been accessed or acquired by an unauthorized individual. These statutes generally define “personal information” as an individual’s first name or initial and last name, together with his or her Social Security number, payment card number, financial account number, driver’s license number, state identification card number, or passport number. Several states’ definitions of “personal information” are broader. State attorneys general may enforce these state statutes as authorized by the state’s breach notification law or pursuant to the state’s consumer protection statute. State attorneys general contend that the law of the state where a potentially affected individual resides determines which state’s law applies, regardless of where the affected entity is located. The state statutes generally require organizations to send notifications as soon as possible, although some states’ laws require organizations to send such notifications within 30 or 45 days after an incident is discovered.

Malta

The Data Protection Act, Chapter 440 of the Laws of Malta (the ‘DPA’), along with the subsidiary legislation issued thereunder, provides the main protections for personal data. The DPA provides certain safeguards for personal data that must be ensured by anyone processing such data. In particular, personal data must be processed fairly and lawfully, processed in accordance with good practice and only for specific, explicitly stated and legitimate purposes, and must be correct and kept up to date. Further to this, the DPA provides that personal data may only be processed if certain criteria are met, such as when the data subject has unambiguously given his consent or when the processing of such personal data is necessary for the performance of a contract to which the data subject is a party. Moreover, the DPA states that where the data subject notifies the controller of personal data that he opposes his personal data being processed for direct marketing purposes, such data may not be processed.

With respect to sensitive personal data, the DPA requires that additional safeguards be implemented for the processing of such data, and that the processing be necessary in order that:

(i) the controller complies with his obligations or rights under employment law; or

(ii) the vital interests of the data subject or of some other person can be protected, where the data subject is physically or legally incapable of giving his consent; or

(iii) legal claims can be established, exercised or defended.

In addition to this, the DPA specifies further purposes for which sensitive personal data may be processed, such as processing for health or medical purposes, processing for research and statistics purposes and processing by foundations and similar entities. With respect to data relating to legal offences, the DPA allows such data to be processed solely under the control of a public authority, unless otherwise provided under any law.

The DPA grants rights to data subjects, such as the right to be provided by the controller with relevant information and the right of access to their personal data on request. Where such data is collected from a third party rather than from the data subject himself, the controller must provide the data subject with specific details.

Further to the above, the DPA explicitly requires that appropriate technical and organisational measures are implemented by the controller to ensure that any processed personal data is secured against unlawful forms of processing, accidental destruction or loss.

Norway

Act no. 31 of 14 April 2000 relating to the Processing of Personal Data (the Personal Data Act), Section 1, prescribes that the Act shall protect data subjects from violation of their right to privacy through the processing of personal data and help to ensure that personal data are processed in accordance with the subjects’ fundamental right to privacy.

As the Act implements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, data subjects are afforded the Directive’s key protections, such as the requirements of:

  • a lawful basis to process personal data;
  • explicit, lawful and specified purpose that restricts the processing of personal data to said purpose;
  • adequate, relevant and not excessive processing of the personal data;
  • accurate and, where necessary, up to date personal data;
  • personal data not being stored longer than necessary for the achievement of the stated purpose;
  • appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of, or the accidental loss or destruction of, or damage to, personal data; and
  • limitations on the transfer of the personal data to other countries.

Turkey

The Law on Protection of Personal Data No. 6698 protects personal data. The Law, which is similar to Directive 95/46/EC, is based on fundamental data protection principles.

Data controllers must comply with the principles set out in Article 4 of the Data Protection Law, that is, that the data must be:

  • processed fairly and lawfully;
  • accurate and up-to-date;
  • processed for a specific, explicit and legitimate purpose;
  • relevant, adequate and not excessive;
  • kept for a term that is necessary for the purpose for which the data is being processed.

Personal data can be processed with the explicit consent of the data subject or on any of the 7 grounds listed below:

  • Processing is expressly ordered/required in the law.
  • Processing is necessary for the protection of the data subject's or third parties' life or physical integrity.
  • Processing concerns the personal data of the parties to a contract, provided the processing is directly related to the execution or performance of that contract.
  • Processing is mandatory for the data controller to perform his/her legal obligations under the law.
  • Personal data has been made open to the public by the data subject.
  • Processing is mandatory for assigning, using or protecting a right.
  • Processing is mandatory for the legitimate interest of the data controller, provided the processing does not harm the data subject's fundamental rights and freedoms.

Further, data subjects have certain rights, such as the right to request deletion or rectification and the right to claim damages.

China

‘Personal data’ or ‘personal information’ under the Cyber Security Law refers to various types of information that can be used separately or in combination with other information to identify a natural person, including but not limited to name, date of birth, identity certificate number, genetic information, address and telephone numbers. According to the Cyber Security Law, when network operators collect personal information, they shall follow the principles of legitimacy, rightfulness and necessity, disclose their rules of collecting and using the information, specify the purpose, ways and scope of collecting and using the information, and obtain consent from the information subjects. Network operators shall not divulge, tamper with or damage the personal information they have collected, and shall not provide the personal information to others without the consent of the information subjects.

The Guidelines for the Protection of Personal Information (GB/Z 28828-2012) divide personal information into personal general information and personal sensitive information. Personal sensitive information means information which, once exposed or modified, will have an adverse impact on the information subject. For personal sensitive information, express consent from the information subject is required before the information is collected.

Further, Article 253 of the Criminal Law, as amended by its 9th Amendment, criminalises the selling or providing of citizens' personal information where the circumstances are serious. To give further guidance on applying the criminal law, the Interpretations of the Supreme Court and the Supreme Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Invading Personal Information further specify the offence stipulated in Article 253.

Mexico

The protection of personal data is established in the Mexican Constitution (Constitución Política de los Estados Unidos Mexicanos) as a constitutional right, and the matter is specifically regulated by: (i) the Mexican Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares); (ii) the Regulations to the Law (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares); (iii) guidelines and general criteria issued by the Ministry of Economy and the Mexican Data Protection Authority (“DPA”), including those related to the privacy notice, security measures to protect personal data, binding self-regulatory schemes and the implementation of compensatory measures; and (iv) the General Data Protection Law (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados).

The difference between the Mexican Data Protection Law and the General Data Protection Law is that the latter applies to the processing of personal data by authorities, entities, bodies and agencies of the Executive, Legislative and Judicial Branches, autonomous bodies, trusts and public funds and political parties at federal, state and municipal level, whereas the Mexican Data Protection Law applies to the processing of personal data by private parties (companies and individuals). Both laws regulate the protection of personal data of individuals (as opposed to entities).

The Mexican data protection agency is the National Institute for the Access of Information, Transparency and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, “INAI” by its acronym in Spanish). The INAI is the authority in charge of promoting the right to protection of personal data throughout Mexico, and has authority to enforce and supervise compliance with the provisions set forth by the applicable laws.

United Kingdom

Personal data (being any data which – alone or in combination with other information in the hands of the party in question – would enable a living person to be individually identified) is subject to detailed regulation and protection by way of the Data Protection Act 1998. This will in 2017 be replaced/augmented by the General Data Protection Regulation (GDPR).

Under the 1998 Act, data controllers may only collect and process personal data when certain specific conditions are met, including:

  • where the data subject has consented;
  • where it is necessary for a contract to which the data subject is a party;
  • where there is a "legitimate reason" for processing which does not itself damage the data subject's rights, freedoms or own legitimate interests.

More stringent rules apply to "sensitive" personal data (e.g. data as to health or sexual orientation).

All data controllers must take appropriate technical and organisational measures to safeguard against unauthorised or unlawful processing, and against accidental loss or destruction of personal data. The Information Commissioner's Office (ICO) does not mandate any particular standard in this regard but recommends adherence to ISO 27001.

Romania

At present, the main legal framework is the Data Protection Act, Law no. 677/2001, which transposes the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and sets the general framework for processing of personal data in Romania.

The Data Protection Act defines personal data and data processing, regulates consent rules, data transfers, the obligations of data controllers and the rights and remedies of data subjects.

As per the current form of the Data Protection Act, key protections for personal data may be found in several articles, as follows: data quality requirements (Article 4), conditions for legitimate processing of personal data (Article 5), rights of the data subject (Articles 12 – 18), security requirements (Article 20) and requirements to notify the Data Protection Agency (Article 22).

Obligations of the data controller
The protection of personal data is inherent in the following main obligations of the data controllers:

  • personal data must be processed in good faith;
  • personal data must be collected for explicit and legitimate purposes only;
  • personal data must be adequate, relevant and not excessive with regard to the scope for which it is collected and processed;
  • personal data must be accurate and updated when necessary;
  • personal data must be stored only for a specific period of time, as necessary for the processing.

Legitimate processing of personal data
Protection of personal data is also ensured on the condition that the processing is based on legitimate grounds.

Personal data may be processed as a matter of principle only with the data subject's prior, voluntary and informed consent. The data subject may give such consent either in writing or electronically. For the processing of sensitive personal data the written consent of the data subject is required. The data controller must be able to prove at all times that the consent of the data subject has been provided properly and lawfully.

Notwithstanding, there are several cases when the processing of personal data can be performed without the data subject's consent, e.g. if the processing is performed for statistical, historical or scientific purposes, provided that the data remains anonymous, or if the processing is related to data resulting from publicly available documents / information.

Rights of the data subject
If personal data is obtained directly from the data subject, the data controller must provide to the data subject at least the following information:

  • the identity of the data controller or its representative;
  • the scope of the processing of the personal data; and
  • any other information, as required by the law.

In addition to the above obligations, if the personal data is not obtained directly from the data subject, the data controller is obliged to inform the data subject with regard to the collection and processing of personal data.

The data subject also has the following rights with respect to the collection/processing of personal data:

  • the right to access the data which is being processed;
  • the right to intervene over the data – rectify, remove or block the personal data;
  • the right to object to the processing of his or her personal data.

Security measures
Under Article 20 of the Data Protection Act, all necessary technical measures must be taken in order to protect personal data against unauthorized access, alteration, transfer or disclosure, accidental or unlawful destruction and loss. These measures must ensure a level of protection appropriate to the data that is being processed.

Notification of the Data Protection Agency
Data controllers must, in certain cases provided by law, notify the Data Protection Agency (in Romanian – Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) before carrying out processing operations.

Italy

The Italian Legislative Decree n. 196 of 30 June 2003 (the “Privacy Code”) brings together all the various laws, codes and regulations relating to data protection since 1996. The Privacy Code applies to all processing of personal data relating to natural persons (although certain provisions apply also to legal persons) carried out by data controllers established in Italy and by non-EU data controllers which make use of equipment located within the Italian territory (e.g. servers). Data controllers are required, inter alia, to (i) provide a data protection notice to the relevant data subject; (ii) obtain the prior and freely-given consent of the relevant data subject to the processing of his/her personal data (which must be given in writing if sensitive data are processed), unless another legal basis exists (e.g. the processing is necessary to comply with an Italian or EU law, or to perform an agreement to which the data subject is a party); (iii) appoint in writing the persons in charge of the processing and the data processors; (iv) implement certain minimum security measures to protect the personal data; (v) notify the Italian Data Protection Authority (“DPA”) in case certain categories of processing are carried out (e.g. profiling) or certain categories of personal data are processed (e.g. genetic data); (vi) obtain the DPA’s authorization for the processing of sensitive data, unless the processing is already covered by one of the general authorizations issued by the DPA; and (vii) file a prior checking request with the DPA if the processing is likely to present specific risks to data subjects’ fundamental rights and freedoms.

On 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) will become applicable in all Member States, including Italy. The key changes that will be introduced by the GDPR include: (i) a wider territorial scope, given that data controllers and data processors based outside of the EU will also be required to comply with the GDPR if their processing activities are related to the offering of goods or services to individuals in the EU or the monitoring of the behaviour of individuals in the EU; (ii) direct legal responsibilities for data processors; (iii) the obligation to appoint a data protection officer for data controllers and data processors whose core activities involve either the regular, systematic and large scale monitoring of individuals or the large scale processing of ‘special categories of data’ and/or ‘personal data relating to criminal convictions and offences’; (iv) the obligation for data controllers to perform a privacy impact assessment where, taking into account the nature, scope, context and purposes of the processing, there is likely to be a high risk to the rights and freedoms of individuals; (v) the requirement for both data controllers and data processors to keep relatively detailed records of their processing activities (there is an exemption for enterprises or organisations that employ fewer than 250 persons, unless the processing is high risk, not occasional, or includes ‘special categories of data’ and/or personal data relating to criminal convictions and offences); and (vi) a system of mandatory notification for data breaches (data controllers will be required to notify personal data breaches to supervisory authorities without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; in some cases, data subjects must also be notified of the breach).

The Netherlands

The processing of personal data (i.e., any information relating to an identified or identifiable natural person) is subject to the rules laid down in the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, "Wbp").

On 25 May 2018, the Wbp will be replaced by the General Data Protection Regulation (GDPR). Under the Wbp, data controllers may only process personal data when certain specific conditions are met, including:

  • Personal data may only be processed if there is a lawful basis to such processing activity (e.g., consent of the individual, the performance of a contract or the legitimate interests of the data controller);
  • Personal data may only be processed for well-defined purposes;
  • Personal data may not be kept longer than necessary in view of the purposes for which the data were collected;
  • Appropriate technical and organisational measures should be implemented to safeguard personal data;
  • Etc.

More stringent rules apply to "sensitive" personal data, such as health data or data related to criminal convictions. Also, under the Wbp, mandatory notification duties may apply in case of unauthorised or unlawful processing, or accidental loss or destruction of personal data. Notification may have to be submitted to the Dutch Personal Data Protection Authority and to the individual to whom the personal data relates.

Brazil

In Brazil, privacy and data protection are treated as fundamental rights of individuals under the Federal Constitution. Individuals who suffer material or moral damages as a result of violation of such rights have the right to indemnification. In addition to the Federal Constitution, the Brazilian Civil Code (Law No. 10,406/02), the Consumer Protection Code (Law No. 8,078/9, the “Consumer Code”) and the Internet Act (Law No. 12,965/14) are the most prominent statutes governing the use, collection and processing of personal data in specific cases by private enterprise.

The Brazilian Civil Code acknowledges and reinforces the principle that privacy is inherent to an individual’s personality and dignity, providing that such right is non-assignable, not subject to waiver, and cannot be voluntarily limited. Also under this statute, the private life of an individual is inviolable and the court shall, upon request, take such actions as are necessary to prevent or cease the violation, without prejudice to material and moral damages and other applicable sanctions.

The Consumer Code is applicable whenever a consumer relationship is formed between an individual (or corporate entity, in certain circumstances) and a service provider or a product manufacturer. The privacy of consumer relations and handling of databases are regulated by this Code. The Consumer Code requires that the individual whose data is being collected must be informed of the input of his/her information into a database (there is no requirement for consent, but rather, a notice). The consumer should have the right to access, rectify and correct his/her database information.

The Internet Act establishes other principles and rules with respect to the privacy and protection of internet users’ personal and behavioural data. It contemplates specific rules on the collection, storage and processing of personal information through internet services and applications. One of the important provisions of the Internet Act deals with users’ right to be fully informed, in a clear and direct manner, of the data processing, which may only be carried out: (i) for the reasons that justified its collection; (ii) if not prohibited by law; and (iii) if allowed by the applicable service agreements or terms of use. Free, express and informed consent is required from data subjects. Any information collected in excess of the reason for which such information has been collected may trigger liability. Under the Internet Act, personal data must be kept in secrecy, and shall only be disclosed upon a valid court order, if authorized by the user or if expressly provided by law. In addition to the data subject’s right of access, rectification and correction of his/her personal data, the Internet Act also provides for the right of deletion of personal data.

In addition to the aforementioned laws, there are other sector-specific laws that deal with privacy and data protection, such as the Wiretap Act (Law No. 9,296/96), the Bank Secrecy Act (Complementary Law No. 105/01), and the Information Access Act (Law No. 12,527/01), which governs information collected by the federal government. Other privacy and data protection regulations apply to specific sectors of the economy, labor relationships and the exercise of professions (doctors, attorneys and financial advisors, for example).

In the past couple of years, the Brazilian National Congress has been discussing a comprehensive data protection law that will apply across multiple sectors and in all kinds of personal or professional relationships. The most important bills under discussion are Senate Bill No. 330 and House of Representatives Bill No. 5,276 (the “Bills”). Based on the discussions in the Brazilian National Congress, a federal law on privacy and data protection is expected to be approved by the end of 2018. Both Bills were inspired by the European data protection legal framework and, if approved, the new law will significantly affect the way companies and individuals act with respect to privacy and data protection in Brazil. International data transfer, the coverage and enforceability of the law and the requirement of express consent by the data subject are the main aspects covered by this new law.

Indonesia

The key protections for personal data under Indonesian law are:

  1. the requirement of consent for any electronic system provider to handle personal data (e.g., collecting, processing, distributing);
  2. the requirement of data-onshoring for any electronic system provider providing “public services” (as explained below);
  3. the requirement of full disclosure for any use of personal data;
  4. the deletion of personal data after a certain period of time or at the request of the personal data owner.

India

Protection of personal data is primarily addressed in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”). As per the Privacy Rules, the following types of data or information are defined as ‘sensitive personal data or information’: (a) Password; (b) Financial information, including information relating to bank accounts and payment cards (credit and debit cards); (c) Physical, physiological and mental health condition; (d) Sexual orientation; (e) Medical records and history; and (f) Biometric information. “Personal Information” is also defined under the Privacy Rules and means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available, is capable of identifying such person.

The Privacy Rules state that a body corporate that obtains personal information including sensitive personal data or information has the following obligations:

  1. Publish a privacy policy on its website for handling such information, explaining the types of information collected, means and purpose of collection, usage and disclosure of such information, and the security practices adopted by it;
  2. On request, to review the information provided and ensure that any information found to be inaccurate or deficient is corrected or amended as feasible;
  3. Provide the provider of the information with the option not to provide the data or information sought to be collected, and the option to withdraw consent;
  4. Designate a grievance officer;
  5. Ensure that information is used for the purpose for which it was collected; and
  6. Maintain the specified standards of information security to ensure the safety and confidentiality of such information.

The Privacy Rules state that a body corporate that obtains sensitive personal data or information has the following additional obligations:

  1. Obtain written consent from the provider of such information regarding the purpose of usage prior to collection of information;
  2. Ensure that the collection of information is for a lawful purpose connected with the activity of the body corporate collecting the information and is considered necessary for that purpose;
  3. Retain information for no longer than is required for the purposes for which such information may lawfully be used or is otherwise required under law;
  4. Disclose information to third parties only upon obtaining the prior consent of the provider of the information, unless such disclosure has been agreed to under contract or is in compliance with a legal obligation, and ensure that the third party to whom such information is disclosed shall not disclose it further; and
  5. In the case of transfer of information, require the transferee to maintain the requisite security standards to protect such information.

Therefore, the Privacy Rules impose more stringent obligations when dealing with sensitive personal data or information.

Apart from the above, personal data can be protected by way of contracts such as nondisclosure agreements. Indian courts have extended protection created by confidentiality contracts or provisions both during and after the term of such contracts.

Israel

Key protections of personal data are granted under the Basic Law: Human Dignity and Liberty, 5752 – 1992, and the Protection of Privacy Law, 5741-1981 ("PPL") and its Regulations, and include among others:

  1. The right to privacy is a constitutional right. Accordingly, any statute which limits this right must befit the values of the state of Israel, be for a proper purpose, and not be broader than required.
  2. The PPL states that a data-subject should be duly informed by the data-owner, when requested to provide personal data: (a) whether he/she is obligated by law or legal requirement to provide such information, or whether the provision of such information is based on free will; (b) the purposes for which the data-owner requests such information; and (c) who are the recipients of such information (if and to the extent applicable), and for what purposes will recipients use such data.
  3. The use of personal data should be pursuant to the data-subject's informed consent. As a result, the data-owner (and data-holder) may not use the personal data for any other purpose. In the event the purposes for use of information are changed, data subject's informed consent should be re-obtained.
  4. Unless specifically prohibited under the PPL, each data-subject may view, inspect and amend his/her personal data which resides in the data-owner's systems, to the extent he/she finds the information incorrect, incomplete, unclear or not up to date.
  5. Further, each data-subject has the right to ask for deletion of his/her information from a database which is being used for direct mailing. Based on the recent Israeli Database Registrar's Guidelines (2/2017) regarding direct mailing and direct mailing services, such right also applies to databases for direct mailing services. However, to the extent such databases are being used for other purposes (such as providing services), other information may be retained by the data-owner as deemed required for legitimate business reasons, for the duration required under applicable law.
  6. The new Privacy Protection Regulations (Data Security), 5777-2017 (the "Security Regulations") promulgated pursuant to the PPL incorporate minimization requirements with respect to the amount of information stored, the purpose of collection, the use of the information, and access privileges granted to employees and providers of outsourcing services. Also, under the Security Regulations (which will enter into force in May 2018), any data-owner and data-holder will be required to implement various security measures to protect personal data.

Singapore

The Personal Data Protection Act (Act 26 of 2012) ("PDPA") provides the overarching legislative framework which governs the protection of personal data in Singapore. The PDPA sets out minimum standards and obligations for organisations to comply with when handling personal data. The following are the key principles of the PDPA relating to the collection, use and disclosure of personal data: (i) consent; (ii) notification of purpose; (iii) access and correction; (iv) retention; (v) protection; (vi) accuracy; and (vii) transfer out of Singapore.

Additionally, there are sector-specific legislative and regulatory frameworks which operate in tandem with the PDPA. Examples of such sector-specific considerations include additional legislation and/or regulations governing the handling of personal data by financial institutions or certain organisations in the life sciences or healthcare industry. Such other legislation would prevail over the PDPA to the extent of any inconsistency.

France

The processing of ‘personal data’ (defined as data which, alone or in combination, allows a natural person to be identified directly or indirectly) is governed in France by Act No. 78-17 of 6 January 1978 (the 1978 Act). The implementation of this act led to the adoption at the EU level of EU Directive 95/46/EC of 24 October 1995. These texts are about to be replaced on 25 May 2018, when EU Regulation 2016/679 of 27 April 2016 (the ‘General Data Protection Regulation’ or GDPR) takes effect.

Under the 1978 Act and, afterwards, the GDPR, personal data may be collected and further processed only under certain conditions, such as:

  • when the concerned person (‘data subject’) has consented;
  • when it is necessary for the performance of a contract to which the data subject is a party, or to comply with a legal obligation imposed on the data controller; or
  • where there is a ‘legitimate reason’ for the processing, provided this does not harm the data subject's fundamental rights and freedoms.

Furthermore, the ‘data controller’ (considered to be the person who determines the purposes and means of the data processing) must comply with several principles:

  • the personal data must be processed lawfully, fairly and in a transparent manner;
  • personal data must be collected for specified, explicit and legitimate purposes and must be subsequently processed in accordance with these purposes;
  • the personal data that is collected must be adequate, relevant, and non-excessive in view of the purposes for which it is collected (this is called ‘data minimisation’);
  • all personal data must be accurate and, when necessary, kept up to date;
  • personal data must not be retained for longer than necessary in light of the purposes for which it is processed; and
  • the data controller must implement appropriate organizational and technical measures to ensure the security and confidentiality of the personal data, both against unauthorized or unlawful processing and against accidental loss, destruction or damage to the data.

On their side, data subjects are granted certain specific rights that include the right to access data concerning them and to request correction or deletion of such data.

More stringent rules apply to ‘sensitive’ personal data (e.g. data relating to health or the sexual orientation of a person).

Generally speaking, the above principles and rules are detailed in regulations and recommendations issued by the national regulatory authority in charge of personal data regulation, the Commission Nationale de l’Informatique et des Libertés (CNIL). This authority's power to oversee data processing operations and to impose sanctions also belongs to the key protections granted to individuals in this area.

Germany

The key protection for personal data is found in the German Federal Data Protection Act (BDSG). As of May 2018, this law will be largely superseded by the General Data Protection Regulation (GDPR), which will be in force throughout the European Union to ensure a largely harmonized approach to data protection across all member states.

At present, German data protection law may be considered very strict. In accordance with section 4 BDSG, the collection, processing and use of data are prohibited except where there is a statutory permission or the data subject’s consent. Section 28 BDSG regulates more precisely data gathering and data storage for an entity's own business purposes, which is one of the most important statutory permissions.

In addition, German law also contains sector specific protection for personal data. Section 88 TKG is an important provision for the telecoms sector as it stipulates the requirement of secrecy of telecommunications. Further telecom-specific regulations on data protection are found in sections 91 et seqq. TKG.

In respect of electronic information and communication services (“telemedia”) which are not considered telecommunications, in particular websites, specific protective provisions are found in sections 11 et seqq. of the Telemedia Act (TMG). Sections 67 et seqq. of Volume X of the Social Security Code (SGB X) contain special provisions protecting social data.

As the sector-specific provisions prevail over the general provisions in the BDSG but are not comprehensive, this adds complexity to the application of data protection laws.

Switzerland

Switzerland has dedicated data protection laws. The Federal Data Protection Act of 19 June 1992, as amended (DPA), and the Ordinance to the Federal Act on Data Protection of 14 June 1993, as amended (DPO), govern the processing of what in Switzerland is referred to as "personal data" by private parties or federal bodies. Several other federal laws contain provisions on data protection, which further address the collection and processing of personal data, in particular as regards the processing of personal data in regulated industries. As regards the telecommunications industry, the TCA regulates the use of cookies. As a general principle, personal information must always be processed (this includes collection and usage) lawfully. Processing is lawful if it either complies with the general principles set out in the DPA (including, among others, the principle that the collection of personal information and, in particular, the purpose of its processing, must be evident to the data subject at the time of collection) or non-compliance with these general principles is justified (e.g. by the data subject’s voluntary informed consent or by law). The disclosure of personal information to third parties is generally lawful under the same conditions.

Switzerland is a party to certain international treaties regarding data protection, such as the European Convention on Human Rights and Fundamental Freedoms and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (Convention ETS 108) and its additional protocol of 8 November 2001.

The DPA is currently being revised. Changes are in particular expected in the area of information, documentation and notification obligations, automated decisions and criminal penalties. A final version of the revised DPA is not expected to enter into force before 2018. It is intended that the revision ensures the alignment with international rules on data protection in order to comply with the upcoming revision of Convention ETS 108 and the EU General Data Protection Regulation 2016/679 (GDPR).

Ecuador

In Ecuador, personal information or data is protected under the Constitution, which recognizes and guarantees the right of every person to the protection of data of a personal nature. As a result, said information can only be accessed through the express authorization of its owner.

Currently, there is no specific law that regulates personal data in Ecuador. Nevertheless, the right is protected and regulated through the Constitution of the Republic of Ecuador, the Organic Telecommunications Law, the Organic Knowledge Social Economy Code and the Organic Transparency and Access to Public Information Law.

Accordingly, the Organic Telecommunications Law establishes that telecommunications service providers are prohibited from executing or omitting actions that violate the right to the protection of personal data, that is, from causing the destruction, loss, tampering, disclosure or unauthorized access of personal data transmitted, stored or processed in the provision of telecommunications services.

Personal data delivered by users to the providers of telecommunications services cannot be used for sales promotion of services or products, even by the operator itself, unless by express authorization of the user.

Along the same line, the Organic Transparency and Access to Public Information Law regulates the exercise of the fundamental right of every person to access information, and classifies as confidential the personal information of citizens arising from their personal and fundamental rights.

Furthermore, as previously stated, the Organic Knowledge Social Economy Code establishes that personal information contained in databases cannot be disclosed, unless there is express authorization by its owner.

Presently, there is a draft bill called “Law that regulates hate and discrimination acts in social networks and the Internet”, which was introduced before the National Assembly on May 23, 2017. The scope of the law is to regulate the actions of service providers that operate through telematic communications, Internet platforms or technologies of a similar nature, which allow users to share with others or publicly disseminate content, and that reach one hundred thousand registered users in the Republic of Ecuador.

This draft bill also provides that the providers of social networks must designate a domestic or local agent, who will be responsible for compliance with obligations regarding the treatment of content and information that may constitute discrimination or hate acts.

Updated: October 10, 2017