ANNUAL REVIEW
Data Protection & Privacy Laws 2014
November 2014 | DATA PRIVACY
financierworldwide.com
The advent of the digital age has presented companies with a variety of data protection and privacy challenges. Big data analytics, cloud computing, the internet of things and BYOD policies have all brought data privacy issues to the fore. In the modern business climate, data protection and privacy have become key concerns for both firms and regulators alike.
UNITED STATES
Margo H. K. Tank
BuckleySandler LLP
“Companies often focus on reacting to an immediate perceived threat or event, but may not be sufficiently mindful in implementing an effective, integrated, holistic program that is effective in managing the long-term risks of persistent data leakage or inappropriate use. Companies are recognising the need to expand data protection programs beyond the purview of IT departments to include the board and cover the entire enterprise. Developing integrated programs that measure effectiveness is still a work in progress.”
CANADA
Raymond Doray
Lavery, De Billy, LLP
“The digital age has certainly revolutionised the manner in which businesses conduct their affairs. The advent of the internet and the recent explosive growth of social media, for example, have allowed small local businesses around the world to instantaneously become international and have access to the Canadian market. Businesses are leaping into the cloud. Behavioural advertising transformed big data into even bigger data. However, increasingly interconnected technologies and the seemingly boundless collection of personal information bring considerable hazards.”
MEXICO
Eduardo Cocina
Deloitte
“In 2010, Mexico enacted the Federal Law to Protect Personal Data Held by Private Individuals (LFPDPPP), which requires that companies comply with certain rules. Our 2014 study on privacy in Mexico indicates that, almost four years after its enactment, 42 percent of companies are aware of the existence of the LFPDPPP at the management level and partially at the operating level, followed by 38 percent in which it has been promoted throughout the entire organisation. Only 6 percent of companies have no knowledge of this law, meaning that most entities are probably aware of the confidentiality and privacy obligations of the current digital age.”
UNITED KINGDOM
Bridget Treacy
Hunton & Williams LLP
“Companies vary considerably in their approach to managing data protection risk. In my experience, it is the enlightened few that have a comprehensive, risk-based approach to data protection compliance. Often these are companies that operate in regulated industries, with well-structured risk management procedures deeply embedded within the corporate culture, or companies that have experienced a data security breach or regulatory enforcement. Too many companies still overlook data privacy issues, or focus their attention too narrowly on data security, ignoring the numerous other aspects of data protection compliance.”
IRELAND
Breeda Cunningham
Dillon Eustace
“A number of high profile data security breaches in both the public and private sectors over the last number of years have put data security issues to the fore. Under the Data Protection Acts 1988 and 2003 (DPA), data controllers and data processors must have “appropriate security measures” in place. These measures must provide a level of security that is appropriate to the nature of the data concerned and is appropriate to the potential level of harm that could result from any unauthorised or unlawful processing or from any loss or destruction of personal data. In addition, data controllers and data processors must ensure that all employees comply with all security measures in place.”
FRANCE
Claire François
Hunton & Williams LLP
“Companies are definitely paying more attention to the risks associated with data protection, including reputational risks. This may be explained by a number of factors, and in particular, the increased publicity around privacy and data protection. The French data protection authority (CNIL) makes most of its decisions public and the media increasingly reports on privacy and data protection issues, such as the recent ruling of the Court of Justice acknowledging the right to be ‘de-listed’ from the list of results displayed by search engines.”
BELGIUM
Wim Nauwelaerts
Hunton & Williams LLP
“In my experience, many companies are still underestimating the risks of not complying with data protection rules, in particular the potential reputational harm that may result from such non-compliance. However, data protection compliance is slowly moving up the agenda of companies with business operations in Belgium, for a number of reasons. Individuals are becoming more vocal when it comes to the protection of their privacy and personal data, which is evidenced by an increasing number of data access requests and complaints submitted to the Belgian data protection authority – the Privacy Commission. Former employees seem more eager to invoke privacy and data protection issues when fighting their dismissal in court.”
GERMANY
Dr Stefan Simon
SPITZWEG Partnerschaft
“Most companies in Germany have a ‘feel’ for data protection in general, and with respect to the kinds of individual issues raised due to public scandals. There is still essentially no understanding and no knowledge of the specifics of data protection for employee or customer data, or the permissibility of transferring data to an outside service provider or internationally within a corporate group. The fact is that data protection, so far, is not considered an issue for the CEO. But a process for change has been initiated in the last months of 2014. Some key factors, such as the Snowden affair, politically based discussions in the US and EU on global data protection, and national movements including public-private initiatives on national IT-security conferences, have caught companies’ attention.”
SPAIN
Iban Díez
Gómez-Acebo & Pombo Abogados S. L. P.
“There is still a lot of work to do, but companies are increasingly paying attention to the risks associated with data protection. The digital age is imposing upon companies many challenges in data and information processing, such as dealing with large amounts of data and facing increasingly sophisticated international data transfer activities. These challenges, jointly with the enforcement activity carried out by the Spanish Data Protection Authority (SDPA) in recent years, have forced Spanish companies to fully understand and be responsive to new confidentiality and data protection challenges.”
NORWAY
Halvor S. Oseid
KPMG
“Although in recent years there has been increasing attention on the importance of securing personal and corporate data, in our experience both the private and public sectors are not sufficiently mature in their understanding and management of the associated risks. At the same time, there has been an increased market demand for IT hosting and cloud services, but a safe home for servers is only part of the data protection picture. We have also seen an increasing demand for assistance with statement of compliance (SOC) reports in the IT area.”
UKRAINE
Svitlana Kheda
Sayenko Kharenko
“Before 2010, almost no one in Ukraine considered privacy issues. The notion of personal data was foreign to Ukrainian law before the Personal Data Protection (PDP) Law came into force on 1 January 2011. Even though, after this date, the risk of liability for breaching data protection laws became evident, many Ukrainian businesses still do not take privacy and data protection issues seriously, focusing instead on pro forma compliance. Based on our experience, many Ukrainian companies with no foreign element often decide to take the liability risk rather than dedicate resources to developing a proper data protection regulation within the company.”
TURKEY
Gönenç Gürkaynak
ELIG, Attorneys-at-Law
“Companies in Turkey have recently started to pay attention to the risks associated with data protection and to understand their duties of confidentiality and privacy in the digital age. The main reason that ‘protection of personal data’ is a new concept for Turkish companies is the absence or weakness of legal measures around data protection in the country. As of November 2014, Turkey still lacks a dedicated and separate data protection law and the legislation has been off the shelf since 2007. The end of 2014 is expected to be important for data protection measures in Turkey. On 1 August 2014, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data was sent to the Turkish Grand National Assembly (TGNA) and currently awaits ratification.”
ISRAEL
Haim Ravia
Pearl Cohen Zedek Latzer Baratz
“As time goes by, companies are growing more aware of the rights and obligations emanating from Israeli privacy law. This is a result of several events and processes that have unfolded in Israel in recent years. In 2006, the Israeli privacy regulator was reorganised under a newly established unit, the Israeli Law Information and Technology Authority (ILITA). Advocate Yoram Hacohen was appointed as chief of the newly established ILITA, serving up through 2013. His tenure was characterised by vigorous enforcement and regulatory activities. During this period, ILITA published several regulatory guidelines that serve as legal basis for ILITA’s oversight and enforcement activities, including guidelines on the use of outsourcing services for processing personal information, use of security and surveillance cameras, and applicability of the Israeli Protection of Privacy Law to recruitment, assessment and placement agencies.”
CHINA & HONG KONG
Manuel Maisog
Hunton & Williams LLP
“In Mainland China, it is hard to give a single consistent answer because China’s data privacy framework is emerging on a patchwork, sector-by-sector basis. As such, companies in some sectors are becoming aware of the risks and duties associated with collecting and handling personal information, while companies in other sectors have little awareness of the same risks and little incentive to develop any awareness of them. On the whole, however, it is probably true that companies in Mainland China are not as aware of the risks and duties associated with personal information as they should be. Chinese government authorities, however, are improving their knowledge and skills in formulating and enforcing the nation’s privacy and data protection rules.”
CONTRIBUTORS
BuckleySandler LLP
Deloitte
Dillon Eustace
ELIG, Attorneys-at-Law
Gómez-Acebo & Pombo Abogados S. L. P.
Hunton & Williams LLP
KPMG
Lavery, De Billy, LLP
Pearl Cohen Zedek Latzer Baratz
Sayenko Kharenko
SPITZWEG Partnerschaft