INDEPTH FEATURE

Data Protection & Privacy Laws 2022

July 2022  |  DATA PRIVACY

financierworldwide.com




As data becomes ever more central to business operations, companies need to get to grips with the collection, storage, use, analysis and transfer of data, including compliance with evolving regulatory requirements. Deficiencies in data practices can easily be exposed in the event of a breach. Adequate data retention policies go some way to reducing an organisation’s digital footprint, which, in turn, will lead to fewer individuals being impacted in the event of a cyber security incident.

 

UNITED STATES

Norton Rose Fulbright

“Fully understanding the duties of confidentiality and data protection in this age of ever-changing laws and regulations would be quite a remarkable feat. In the US, the web of federal and state laws adds an additional layer of complexity as companies try to navigate the patchwork of existing and forthcoming laws. In fact, the global nature of today’s business requires that companies understand their duties across regions to serve business partners and customers beyond the borders in the US.”

 

CANADA

Norton Rose Fulbright Canada LLP

“Confidentiality is not a novel concept for most organisations. At a minimum, privacy practices have generally involved sharing information on a ‘need to know’ basis, restricting physical and technological access to a limited number of individuals, and training employees on maintaining security measures as part of their risk mitigation strategy. Over recent years, nuanced privacy considerations have been gaining increasing traction.”

 

UNITED KINGDOM

Orrick Herrington & Sutcliffe LLP

“While companies are generally aware of the importance of privacy and data protection compliance, good compliance varies widely, depending on the company’s business model, the amount and nature of their processing activities and the types of personal data processed. An in-depth professional review of the company’s processing activity is usually required to tailor a compliance programme that is fit for its purposes. Since the EU General Data Protection Regulation (GDPR) came into effect in the UK in 2018, the landscape of data protection legislation has changed hugely.”

 

REPUBLIC OF IRELAND

Deloitte Ireland LLP

“Four years after the EU General Data Protection Regulation (GDPR) came into effect in Ireland, there is a much better understanding of what compliance means, guided by the obligations under the GDPR and guidance from the Irish Data Protection Commission (DPC). However, when we consider ‘true compliance’, based on a model of a truly independent data protection officer (DPO) with a privacy framework that is embedded into all operations, there are certainly gaps in understanding. Quite often, the DPO is also the organisation’s chief risk officer (CRO), chief financial officer (CFO), chief information security officer (CISO), or even chief data officer (CDO), and the balance of interests can be difficult.”

 

FRANCE

Gibson, Dunn & Crutcher LLP

“It is still challenging for organisations to fully understand their duties under applicable privacy laws since some of the legal requirements remain subject to interpretation. Although guidelines issued by the French Data Protection Authority (DPA) and the European Data Protection Board have shed some light on certain obligations imposed by the General Data Protection Regulation (GDPR), there are still some grey areas which are difficult to address.”

 

PAKISTAN

S. U. Khan Associates Corporate & Legal Consultants

“Pakistan is in the process of developing a law on personal data protection. A draft of the proposed law, the ‘Personal Data Protection Bill, 2021’, has been issued by the Ministry of Information Technology & Telecommunication, and after passing through the consultation stage the federal cabinet has also approved the draft bill. The draft will now be presented before the legislature. Currently, there is no specific law governing the protection of personal data. Therefore, the understanding of companies regarding their duties of confidentiality may be viewed from two angles.”

 

PEOPLE’S REPUBLIC OF CHINA

Shihui Partners

“In recent years, and especially since the Personal Information Protection Law (PIPL) took effect in 2021, we have seen an apparent rise of company awareness concerning privacy and data protection in China. An increasing number of companies are moving data issues to the centre of their compliance focus, conducting health checks of their core business procedures, updating their internal and public-facing policies, conducting privacy impact assessments, improving their user interfaces, and so on.”

 

HONG KONG

Hogan Lovells

“With evolving consumer expectations around data privacy and an active privacy regulator in Hong Kong, companies are increasingly aware of their data protection obligations. At the same time, the number of personal data breach incidents is growing. In 2021, the number of breach notifications to the Office of the Privacy Commissioner for Personal Data (PCPD) increased by 36 percent year-on-year, despite there being no mandatory notification regime in Hong Kong. Recent high profile data breach cases in various industries, such as aviation, hospitality and telecommunications, have exposed shortcomings in companies’ data protection measures.”

 

UNITED ARAB EMIRATES

Clifford Chance

“The United Arab Emirates (UAE) is a federation of seven emirates – Abu Dhabi, Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. Each emirate has a local government that issues emirate-level laws. There is also the federal government of the UAE which issues federal laws that apply to the whole of the UAE. In November 2021, the UAE published its first federal data protection law, the UAE DP Law, which adopts various concepts from the EU’s General Data Protection Regulation (GDPR). There are a number of free zones established within the UAE, including the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC).”

 

SOUTH AFRICA

CMS RM Partners Inc

“In South Africa, medium to large companies generally have a strong understanding of their duties of confidentiality and data protection. These companies tend to have dedicated compliance teams and personnel focused on ensuring compliance with, among others, South Africa’s data privacy legislation: the Protection of Personal Information Act No 4 of 2013 (POPI). This is also the case with multinational companies operating in South Africa where we have seen a lot of emphasis placed on ensuring that their South African operations are fully compliant with POPI.”


CONTRIBUTORS

Clifford Chance

CMS RM Partners Inc

Deloitte Ireland LLP

Gibson, Dunn & Crutcher LLP

Hogan Lovells

Norton Rose Fulbright

Norton Rose Fulbright Canada LLP

Orrick Herrington & Sutcliffe LLP

S. U. Khan Associates Corporate & Legal Consultants

Shihui Partners

