GDPR – Legal Footprint of Data Protection Laws
GDPR has been one of the most widely talked about regulations in recent times, contested and examined for hours amongst business owners, lawyers and consumers alike. Interpretations have differed widely, but what is now indisputable is the legal requirement to comply.
As of May 25, GDPR became a requirement within the European Union. Yet as a global business this has raised a much wider question. Will the rest of the world follow suit? Are people aware of the existing regulations in other regions and jurisdictions?
The asset management industry requires cross-jurisdictional collaboration on a daily basis. As a global business we must have a full understanding of all data regulations and laws impacting both our own business and that of our clients, on a global basis.
We’ve taken a lens to some of the other jurisdictions where data protection laws have had a substantial impact or there have been recent updates. In some instances there are synergies with GDPR and in others differences. Does your fund market into these jurisdictions? Take a look:
Founded in Bermuda in 2003, we have a good understanding of local data protection regulation. In 2016, Bermuda issued the Personal Information Protection Act (‘PIPA’); however, this will enter into force in December this year. PIPA will regulate the future processing of all personal data in Bermuda under the supervision of a dedicated Privacy Commissioner (‘the Commissioner’). In addition to PIPA, Bermuda still recognises a duty of confidentiality in certain circumstances under its common law.
Synergies with GDPR:
Differences from GDPR:
Canada’s Anti-Spam Legislation
Data protection law in Canada is composed of a set of federal and provincial statutes. These laws include data protection statutes of general application, as well as sector-specific statutes. PIPEDA has the widest application for the private sector in Canada but does not apply in the provinces of Alberta, British Columbia or Quebec (which have their own laws).
In March 2018, the Canadian Government announced that data breach notification provisions (under the Digital Privacy Act 2015), amending the Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’), were to enter into force on 1 November 2018. Under this Act, an organisation must report any breach in security around personal information safeguards to the Office of the Privacy Commissioner (‘OPC’) as soon as feasible, where there is a reasonable risk of significant harm to an individual.
In August 2008, the Uruguayan government issued the Data Protection Act Law No. 18.331, followed by the Decree No. 414/009 (31 August 2009) (the ‘Act’). Later, in 2012, the European Commission issued an adequacy decision stating that Uruguay does in fact already ensure an adequate level of protection of individuals with regard to the processing of personal data and the free movement of such data, as defined in Article 25(6) of Directive 95/46/EC of the European Parliament.
In 2017, the URCDP and AGESIC issued guidelines defining the concept of de-identification, anonymisation, re-identification and pseudonymisation.
Recent Updates: On 12th April 2018 the AGESIC released a revised version of the cybersecurity framework (‘the Revised Framework’), to assist organisations in strengthening their data security practices, while also extending its applicability to any public or private organisation.
The United States does not have a single federal data protection law; instead it has approximately 20 sector-specific national privacy or data security laws per state and territory.
For the purpose of this high-level review, we will focus on the two key federal laws which prevent “unfair and deceptive practices”, highlighting the differences in data protection principles versus GDPR.
Very forward thinking, in April 2018 the PCPD issued an EU General Data Protection Regulation booklet (‘GDPR Booklet’) to raise awareness of the regulation and assist businesses with data protection compliance abroad. The GDPR Booklet highlights the key features of the GDPR and compares them with local requirements under the Personal Data (Privacy Ordinance) 1997 (‘the Ordinance’) as amended in 2013.
Data Protection Advisory Committee
Singapore has a robust Data Protection framework in place which was reinforced by the Personal Data Protection Act 2012 (‘PDPA’), implemented in three phases.
Recent Updates: New data protection management programme (‘DPMP’) and data protection impact assessment (‘DPIA’) guides were published by the Commission in November 2017.
Australian Privacy Principles (‘APPs’)
The key legislation in Australia related to data privacy is the Federal Privacy Act 1988 (‘Privacy Act’) and its Australian Privacy Principles (‘APPs’); however, as in the USA, each Australian State and Territory (except for Western Australia and South Australia) also has its own data protection legislation applying to State Government agencies.
Middle East and Africa
Mauritius issued the Data Protection Act 2004 (“Act”) in 2004 which entered into force only in February 2009. The Act was predominantly based on the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
In July 2017 the 2004 Act was amended to ensure compliance with the provisions of the Regulation (EU) 2016/679 (‘GDPR’). The Data Protection Act 2017 came into force in January 2018 and now represents the main legislation in terms of data protection.
2. Dubai (DIFC)
The DIFC implemented DIFC Law No. 1 of 2007 Data Protection Law in 2007 which was subsequently amended by DIFC Law No. 5 of 2012 Data Protection Law Amendment Law (‘DPL’).
Recent Updates: In January 2018 the Dubai International Financial Centre (‘DIFC’) Authority announced that some amendments to the existing legislation have been enacted, in order to bring clarity on the DPL and ensure they are in line with the Regulation (EU) 2016/679 (‘GDPR’).
3. Abu Dhabi (ADGM)
Data Protection Regulation (Amendments) 2018
The Board of Directors of the ADGM (‘Board’)
Recent Updates: In December 2017, the Abu Dhabi Global Market (‘ADGM’) Registration Authority announced the establishment of the Office of Data Protection (‘the Office’), with the intention of providing guidance on data protection, administering the register of data controllers, monitoring and enforcing compliance and assisting individuals with enquiries and complaints.
Federal Law of 21 July 2014 No. 242-FZ on Amending Some Legislative Acts of the Russian Federation in Concerns Updating the Procedure for Personal Data Processing in Information and Telecommunication Networks (23 May 2016)
In April 2018, the Ministry of Telecommunications and Mass Communications of the Russian Federation (‘Minsvyaz’) issued a draft to amend the Federal Law of 27 July 2006 No. 152-FZ On Personal Data (‘the Draft Law’). The intention of this draft was to regulate consent for the processing of personal data, as well as to introduce a requirement to obtain consent for the processing of biometric data.
In addition, the Draft Law grants data subjects the ability to amend their consent to the processing of personal data.
For Europe and any other country being directly affected by GDPR, please refer to our GDPR Fundamentals to learn more about the new regulatory requirements.
PIPA defines “organisations” as any individual, entity or public authority that uses personal information.