ANNUAL REVIEW

Data Protection & Privacy Laws 2013

September 2013  |  DATA PRIVACY

financierworldwide.com

Click cover to download

(Subscriber-only password access)

 

Not a subscriber?

Click here to join the FREE mailing list and receive password access

Financier Worldwide canvasses the opinions of leading professionals around the world on the latest trends in data protection & privacy laws.

 

UNITED STATES

S. Keith Moulsdale

Whiteford, Taylor & Preston LLP

“US regulatory risks stem from: the enforcement of sector-specific federal data privacy and security laws, such as the Gramm-Leach-Bliley Act – which regulates financial institutions, the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA); and expanded regulatory interpretations of laws which are neither sector-specific nor specific to data processing.”

 

CANADA

Adam Kardash

Heenan Blaikie

Canada has one of the most active privacy regulatory enforcement arenas in the world. In particular, the Office of the Privacy Commissioner of Canada (OPC) and the provincial privacy regulatory authorities in the provinces of Ontario, Alberta and British Columbia have been very active in investigating privacy complaints as well as publishing a prolific volume of guidance and research on a range of emerging privacy issues.”

 

MEXICO

Salomon Rico

Deloitte

One of the key regulatory risks that Mexican companies currently face is the risk of not complying with the requirements of the personal data protection law. Some of the negative consequences are related to loss of brand value, loss of client confidence, and fines.”

 

COLOMBIA

Enrique Álvarez

Lloreda Camacho & Co.

In Colombia, companies have undertaken activities related to data processing for a long time – nonetheless, those activities were not regulated and therefore data was collected with no specific requirements. Since data protection regulation was recently issued in Colombia, it has been established that in order to transfer and store data, companies must have authorisation from the data subject. International data transfer is not authorised unless the company complies with the requirements established in the law.”

 

CHILE

José Antonio Lagos Melo

Deloitte

As expected, the financial services industry is by far the most regulated. Local regulatory entities have increased requirements regarding business continuity in order to provide stability to the industry and increased control over third-party service providers. In this regard, operational changes towards cloud services are forcing every decision on technology strategy to be accompanied by an important risk assessment of how data is treated by third parties, for instance when personal or financial records are stored in cloud services supported in data centres abroad.”

 

UNITED KINGDOM

Bridget Treacy

Hunton & Williams

Businesses are aware of the opportunities created by aggregating vast volumes of data – for instance, big data – and using data analytics, but are often unaware that data protection laws impose limitations on these activities. A key constraint is that personal data collected for one purpose cannot be used for different purposes without the individual’s consent. Further, personal data may not be kept indefinitely, but only for as long as necessary for the purposes for which it was collected.”

 

GERMANY

Stefan Simon

Buse Heberer Fromm

Companies face a situation whereby the data protection provisions currently in effect, particularly those governing the use and transfer of data, do not meet the requirements of modern forms of economic collaboration. In particular, as a practical matter, there are no suitable legal standards with respect to cloud solutions for data storage and management under which companies can manage data with legal certainty. This applies especially to the question of access rights, deletion rights, and proof of data security for cloud solutions.”

 

SPAIN

Iban Díez

Gómez-Acebo & Pombo

Data protection becomes more complex from a regulatory standpoint as companies increase their data processing activities, which usually occurs when they experience fast growth. An example of this is the technical and organisational implementation of security measures required by regulation. The law features three levels of security: basic, medium and high. Taking this into account is crucial since the regulation is stricter, the higher the level.”

 

SWITZERLAND

Matthias Bossardt

KPMG

Data protection becomes more complex from a regulatory standpoint as companies increase their data processing activities, which usually occurs when they experience fast growth. An example of this is the technical and organisational implementation of security measures required by regulation. The law features three levels of security: basic, medium and high. Taking this into account is crucial since the regulation is stricter, the higher the level.”

 

BELGIUM

Wim Nauwelaerts

Hunton & Williams LLP

Companies face the risk that their data processing activities might be scrutinised by the Belgian data protection authority – the ‘Privacy Commission’. The Privacy Commission is in charge of monitoring compliance with Belgian privacy and data protection law. It has the power to investigate possible violations, at its own initiative or following complaints from individuals whose personal data are at stake.”

 

DENMARK

Peter Kold

KPMG Denmark

With increased centralisation of data processing activities and the utilisation of cross-border setups, certain local regulatory risks arise. Danish legislation prohibits the preservation of accounting data outside of Denmark. It is, however, possible to obtain an exemption under a number of conditions. We have seen an increased focus on compliance with local legal requirements and a rise in the number of applications for exemptions, as part of many companies’ outsourcing and off-shoring activities.”

 

SWEDEN

Emil Gullers

PricewaterhouseCoopers AB

New and emerging technologies bring challenges when it comes to data privacy and data protection. For example, cloud technologies, off-shoring, multi-sourcing, service applications, social media and mobility, all make the ICT landscape and echo system even more interconnected. Complying with data privacy requirements becomes a more complex task and it is no longer adequate to simply consider domestic laws and regulations. Organisations must adopt an organisation-wide global approach and engage specialists with global experience and reach.”

 

TURKEY

Gökhan Gökçe

YukselKarkinKucuk Attorney

In Turkey, data protection is regulated by the general provisions of various laws and some sector specific regulations, but there is still no specific data protection law. However, commercial practice is far ahead of this legislative status, as Turkey acts as a hub between Europe and Asia and attracts a significant level of direct foreign investment. Presently, the lack of a data protection authority and specific legislation appears to be the main hurdle that companies face, as they are not able to receive any administrative guidance.”

 

INDIA

Atul Dua

Seth Dua & Associates

Companies are required to abide with the Intermediary Guidelines and the Sensitive Personal Data Rules while handling ‘sensitive personal data’. Obtaining the consent of the data subject is one of the prerequisites to the collection, disclosure and transfer of sensitive personal data. If the body corporate handling the sensitive personal data is negligent in implementing and maintaining the reasonable security practices and procedures, causing wrongful loss or wrongful gain to a person, the body corporate shall be liable to pay damages as compensation to the affected person.”

 

PHILIPPINES

Jaime Renato B. Gatmaytan

Gatmaytan Yap Patacsil Gutierrez & Protacio

Certain entities, such as banks and other financial institutions, may need to strike a balance between the requirements of data privacy and protection against those of other laws and regulations that apply to them or their operations. The Data Privacy Act expressly provides that its provisions do not amend or repeal the provisions of existing laws governing the secrecy of bank deposits, and yet information needed by public authorities in order for the Philippine central monetary authority, law enforcement, and regulatory agencies to perform their functions are denied the protection of the Data Privacy Act.”

 

MALAYSIA

Bong Kwang Teo

Wong Jin Nee & Teo

In 2010, Malaysia passed the Personal Data Protection Act 2010 (PDPA). The PDPA was scheduled to come into force on 16 August 2013, but due to technical reasons, the operative date of the PDPA has been deferred. The PDPA has adopted the seven data protection principles – similar to those found in the UK PDPA – namely, the General Principle; the Notice and Choice Principle; the Disclosure Principle; the Security Principle; the Retention Principle; the Data Integrity Principle; and the Access Principle.”

 

AUSTRALIA

Matthew McMillan

Henry Davis York

Companies engaged in the processing of personal information face increased regulatory risks with the recent amendments to the Privacy Act and the 13 Australian Privacy Principles (APPs) which come into force in March 2014. These APPs apply to the majority of organisations in Australia and govern their handling of personal information throughout the information-handling lifecycle, including transfer and storage. A company in breach may be investigated by the Australian Privacy Commissioner – either in response to a complaint by an individual or on the initiative of the Commissioner himself.”

 

UNITED ARAB EMIRATES

James Bowden

Afridi & Angell Legal Consultants

The laws of the UAE pertaining to data protection were, with a small number of recent exceptions, not drafted in contemplation of the information age. As a result, there is significant ambiguity around this area of law in the UAE. These laws essentially focus on the confidentiality of information, and require that certain information or records be retained by parties in certain relationships, such as employer/employee, certain professionals and their clients, and so on.”

 

SOUTH AFRICA

Russell Nel

PwC South Africa

In South Africa, there are a number of laws that regulate data protection and privacy. Regulatory compliance risks include reputation damage, financial penalties and imprisonment. Depending on the applicable law and the nature of the offence, fines can range from R5000 to R5m. Prison sentences typically fall into two categories: less severe offences or misdemeanours carry a sentence of up to 12 months, while more severe offences carry sentences of up to 10 years.”

CONTRIBUTORS 

Afridi & Angell Legal Consultants

Buse Heberer Fromm

Deloitte

Gatmaytan Yap Patacsil Gutierrez & Protacio

Gómez-Acebo & Pombo

Heenan Blaikie

Henry Davis York

Hunton & Williams LLP

KPMG

Lloreda Camacho & Co.

PricewaterhouseCoopers AB

PwC South Africa

Seth Dua & Associates

Whiteford, Taylor & Preston LLP

Wong Jin Nee & Teo

YukselKarkinKucuk Attorney

©2001-2025 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.