INDEPTH FEATURE
Data Protection & Privacy Laws 2020
November 2020 | DATA PRIVACY
financierworldwide.com
Click cover to download
(Subscriber-only password access)
Not a subscriber?
Click here to join the FREE mailing list and receive password access
Data protection and privacy issues have continued to attract attention over the last year, particularly as many companies ramp up digitalisation of their products, services and internal processes. While the trend toward increased digitalisation has gained momentum, the unique circumstances of 2020 and the challenges created by COVID-19 have intensified those efforts, substantially increasing the spread of technology, and highlighting related data protection and privacy concerns.
UNITED STATES
Skadden, Arps, Slate, Meagher & Flom LLP
“Most companies are aware of the issue of data protection generally, but the level of familiarity depends on whether risk management systems have pushed the issue to the forefront. Understanding their duties is distinct from organisation-wide implementation of best practices, which require commitment of attention and resources. It also requires dedication to tracking developments, since privacy laws and their application are in a nascent stage. All understanding is complicated by companies operating in multiple jurisdictions and the fact that many jurisdictions have developing laws and regulations that establish the respective duties.”
FRANCE
Gibson Dunn
“The General Data Protection Regulation (GDPR) has strongly contributed to the spread of data privacy compliance culture within organisations. Companies are increasingly aware of their obligations related to privacy and data security, which is a prerequisite to ensuring compliance. Yet, this is still a challenging task for companies to achieve for many reasons. First, EU member states still have the right to adopt additional requirements. Second, national supervisory authorities may have a different level of interpretation of certain provisions.”
BELGIUM
Gibson Dunn
“Companies have understood that the General Data Protection Regulation (GDPR) requires them to enhance their duties of confidentiality and data protection. For example, the GDPR introduced substantive obligations regarding security, confidentiality and accountability, which are clear to managers. Companies also understand that they need to minimise risks that could lead to reportable data breaches. However, companies may still need to fully comprehend and assimilate the practical implications of the GDPR. For example, data minimisation obligations require companies to ensure that only the requisite data is processed during the different stages of their operations.”
GERMANY
Ashurst LLP
“We continue to see a strong push from parties to digitalise products and services as well as their internal processes. This goes hand in hand with an increased awareness of the commercial value of data and the willingness to develop or adjust existing business models to realise the value of data assets. Big Data applications, the combination of data sets and the use of algorithms to detect or create value are spreading rapidly into the business models of some of the more traditional industries. Inevitably, this means not only that the volume of data processed increases rapidly but also that that data is processed in new and innovative ways.”
SPAIN
Hogan Lovells International LLP
“It is safe to say that companies in Spain are aware of their data protection and e-privacy duties and obligations. The main catalyst driving this awareness forward is the sensitivity shown, and demanded, by individuals with regard to their personal data, both in offline and online environments. However, navigating a convoluted ocean of requirements and obligations can be challenging for any company given that the General Data Protection Regulation (GDPR) is a ‘new’ framework subject to ongoing analysis and interpretation and needs to be translated into clear and practical guidelines.”
RUSSIAN FEDERATION
Gorodissky & Partners
“Globally, data privacy and protection have become one of the most discussed topics in the information technology (IT) legal sector in the last couple of years, and the Russian jurisdiction is no exception in this regard. In the digital age and with the constant evolution of e-commerce, companies currently operating in Russia should carefully assess not only their international, but also their national data protection strategies, especially when they overlap and proceed with local data privacy compliance, in order to mitigate the associated risks.”
CHINA
CMS
“Over the past three years, and particularly since June 2017 when the Cyber Security Law of the People’s Republic of China (PRC) took effect, raising companies’ awareness of the new regulatory regime on data protection and enforcement against non-compliance operations were the two main areas of focus for regulators. On 21 October 2020, the National People’s Congress published the Draft Personal Data Protection Law for public consultation. Once passed, this legislation will be the first designated personal data protection law in China.”
JAPAN
Anderson Mori & Tomotsune
“According to a 2018 survey of 10,000 businesses conducted by the Personal Information Protection Commission (PPC), while 35.8 percent of respondents noted that they were concerned with the lack of professionals with expert knowledge on data privacy, 32.4 percent of respondents said that a lack of knowledge among its employees was another concern. Against this backdrop, on 28 August 2020, the Ministry of Economy, Trade and Industry (METI) and the Ministry of Internal Affairs and Communications (MIC) published the ‘Guidebook on Corporate Governance for Privacy in Digital Transformation (DX) ver.1.0,’(Privacy Governance Guidebook).”
CONTRIBUTORS
Anderson Mori & Tomotsune
Ashurst LLP
CMS
Gibson Dunn
Gorodissky & Partners
Hogan Lovells International LLP
Skadden, Arps, Slate, Meagher & Flom LLP