You Are Viewing International

Safe Harbor Invalidation – Article 29 Working Party Sets January 2016 Deadline

Posted by fgilbert on October 16th, 2015

The long awaited reaction of the Working party to the ruling of the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case in now public. Late on October 15, the Article 29 Working Party published a statement outlining its first response to the landmark ruling. The Working Party’s statement summarizes the group’s evaluation of the first consequences to be drawn at European and national level.

The Working Party point out that the data protection authorities, EU institutions, Member States, and businesses are collectively responsible for finding sustainable solutions to implement the Court’s judgment. It stresses that businesses, in particular, should reflect on the eventual risks they take when transferring data to the United States, and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection principles.

Transfers under Safe Harbor Unlawful

Regarding the practical consequences of the CJEU judgment, the Working Party states that it is clear that transfers from the European Union to the United States can no longer be framed based on Safe Harbor mechanism and “transfers that are still taking place under the Safe Harbor after the CJEU judgment are unlawful.”

Standard Clauses and Binding Corporate Rules

Until the Working Party has completed its analysis of the impact of the CJEU judgment on other transfer tools, data protection authorities will consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. However, during this transition period, the Working Party warns that data protection authorities will continue to exercise their right to investigate particular cases, and to exercise their powers in order to protect individuals.

January 2016 Deadline

The Working Party’s press release sets a January 2016 deadline. If, by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities may start taking all actions that they may deem necessary, including coordinated enforcement actions.

Massive Surveillance an issue

The activities of US law enforcement agencies remain of great concern to the Working Party. The Working Party points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and existing transfer tools are not the solution to this issue.

Intergovernmental Agreement Suggested

While progress has been made with the recent signature of the Umbrella Agreement and the ongoing negotiations regarding Safe Harbor 2.0, the Working Party believes that more needs to be done. A new Safe Harbor agreement would only a part of the solution; more is necessary.

The Working Party urges Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling cross Atlantic data transfers that respect fundamental rights. In particular, it suggests that such solutions could be found through the negotiation of an intergovernmental agreement providing stronger guarantees to EU data subjects.

The Working Party identifies key points that should be addressed in these intergovernmental negotiations. In the Working Party’s opinion, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on:

  • Oversight of access by public authorities;
  • Transparency;
  • Proportionality;
  • Redress mechanisms; and
  • Data protection rights.

Shared Responsibility

The Working Party views it as a shared responsibility between data protection authorities, EU institutions, Member States, and businesses to find sustainable solutions to implement the Court’s judgment. It states that, in the context of the CJEU judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection laws and principles.

Safe Harbor Invalidation – What Consequences?

Posted by fgilbert on October 16th, 2015


In a 35-page ruling, published on October 6, 2015, the Court of Justice of the European Union has declared the EU-US Safe Harbor invalid. This means that the data transfers between European companies and the 4500+ US companies that have self-certified to their adherence to the EU-US Safe Harbor principles no longer have a legal basis and are exposed to the scrutiny of 31 Data Protection Authorities of the European Economic Area (EEA) Member states.

The CJEU ruling comes after lengthy proceedings initiated by an Austrian law student against Facebook, arguing that the transfer of his personal information from Austria to Facebook’s California servers under the protection of the Safe Harbor violates his rights. The original complaint argued that, based on the information provided by Edward Snowden regarding the mass surveillance powers of US National Security Agency, the United States offers no legal protection against data surveillance, and the powers of the US law enforcement agencies supersede the promises made in a company’s Safe Harbor self-certification.

The CJEU went beyond the specific question that had been raised in the Facebook case. It held that Article 3 of Decision 2000/520 (which allowed for the creation of the Safe Harbor) is invalid. And, because Article 3 of Decision 2000/520 is inseparable from the other provisions of Decision 2000/520, the invalidity of Article 3 invalidates Decision 2000/520 in its entirety.

As put simply and very concisely in the last line of the CJEU 35-page ruling: “Decision 2000/520 is invalid.”

What does this mean for US companies and their subsidiaries and trading partners located in the 31 Members States of the European Economic Area?

It means great uncertainty. There are long term and short term issues:

  • What to do immediately;
  • Whether this means a future with a series of data localization restrictions resulting in countries or regions adopting a silo approach to data storage.

Immediate Consequences

First, the legal basis of the EU-US Safe Harbor on which EEA companies had relied to transfer data to the United States has been declared invalid. However, the decision does not affect the Switzerland-US Safe Harbor. Thus transfers between Switzerland and the United States can continue under the existing Swiss-US Safe Harbor regime.

In the meantime, EEA data protection laws continue to prohibit the transfer of personal data outside the EEA territory unless there is a legal basis to show that the data, when on the US territory will benefit from the same protection as in the EEA.

There may be temporary work around. There are other approved methods to achieve the “adequate protection” required by the EEA data protection laws. For example, EU and EEA companies may decide to enter into contracts based on Standard Contractual Clauses approved by the European Commmission. This might be the fastest and most efficient way to react in the short term. But before this solution may be implemented, significant due diligence must be performed, and many parties must agree to the applicable terms. The terms of the Standard clauses crease stringent restrictions and significant liabilities for which US companies may need additional insurance coverage. Multi-national entities may attempt to obtain approval of BCRs (“Binding Corporate Rules”) for their internal transfers. But there are significant hurdles. For example, currently, only 21 out of the 31 EEA countries recognize Binding Corporate Rules.  Further, the process for approval of a set of BRCs may take one to two years from beginning to end..

Long Term Issues

A much more fundamental question remains. What happens to EEA data when they are stored on US territory? And will the NSA surveillance activities continue to create heartburn for EEA citizens and institutions?

The argument initially raised in the Facebook case was that the Snowden revelations raised concern about whether, in spite of a series of laws regulating government access to data and communicants, the US legal framework offers no actual protection against excessive surveillance by US law enforcement agencies.

In its 35-page analysis, the CJEU repeatedly asserts that personal data when on the US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the prospective rules laid down by the Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.

The invalidation of the 2000/520 Safe Harbor Decision does not solve this issue. Data transferred from the EEA to the United States under BCR or Standard Contractual clauses would suffer the same fate.

A world of silos?

The CJEU Decision in the Facebook case raises a much more fundamental question regarding cross border data transfers. It is not just the Safe Harbor program that is at stake.  It is the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws that is at stake.

Will the special powers granted to – or used by – law enforcement agencies in the US create such an obstacle to crossborder data transfers between the EEA and the US that US companies will have no choice but setting up data centers in the EEA, in order to store their EEA customers’ data within the EEA territory in an attempt to reduce the risk of being within the reach of the long arm of US law enforcement agencies?

And will this trend, combined with other data localization laws, such as the one in Russia, create a world of data silos? Will localization laws become the norm?

Is it already too late?

Russia Data Localization Law: an Enigma

Posted by fgilbert on April 6th, 2015

Companies that do business in Russia or with Russia residents have been struggling to understand the Federal Law No. 242-FZ (“Data Localization Law”).  The law, passed in July 2014, contains a series of amendments to Russian laws to “Specify the Procedure for Personal Data Processing by Information and Telecommunications Networks.” The need to understand the requirements of this new Data Localization Law has become even more urgent since its effective date has been advanced to September 1, 2015. While the original draft of the law planned to take effect as September 1, 2016, the Russian President signed an amendment to the law on December 31, 2014 , which advanced its effective date to September 1, 2015.  To date, there is still significant uncertainty regarding the meaning and interpretation of Federal Law 242-FZ


Among other things, the Data Localization Law 242-FZ amends several provisions of the current Russia Data Protection Law. In particular, it amends Article 18 of the Data Protection Law to require all companies holding personal data (with some exceptions) to host their servers on Russian soil. The new Article 18(5) provides:

When collecting personal data, including collection via Internet information and telecommunication network, an operator shall provide a record that the organization, accumulation, storage, update and retrieval of personal data of citizens of the Russian Federation is held on databases located within the Russian Federation.

At the highest level, the direction is simple. Data about Russian residents must be stored in Russia. The affected entities are data operators – i.e. entities performing the functions of data controller or data processor -. These include subsidiaries and representative offices of foreign companies that collect and process personal data of Russian nationals residing on the Russian territory.

Exceptions to this requirement include, for example: the processing of personal data for implementing an international agreement, administration of justice, enforcement of court rulings, and provision of public and municipal service, mass media, or creative work.

The law requires these data operators, to record, organize, store, update or retrieve personal data on servers that are physically located in the Russian Federation. However it is not clear which specific entities are concerned. For example, does a company that does not have operations or a physical presence in Russia but collects data, emails or content from Russia resident have to comply with the law?

There are other significant interpretation questions.  For example, does the fact that a copy of the data is stored in Russia prohibit any form of processing outside Russia? Can data stored in Russia be transferred out of Russia, for further processing outside of Russia? The literal wording of the law does not explicitly require data operators to perform data processing only within the Russian territory. It just requires that a copy of the data be stored in Russia. However, the provision might be interpreted differently when clarifying regulations are issued.


Notification of Server Location

Like most data protection laws throughout Europe, Russia’s current law on the protection of personal data, in its Article 22, requires covered entities to notify Roskomnadzor, the Russian agency in charge of personal data, before proceeding to the processing of personal data. With the enactment of the Data Localization Law, covered entities will have to indicate, in addition, the location of the databases that contain the personal data of Russian citizens in their notification form that are filed with Roskomnadzor.


Violation of the Data Localization Law

The Data Localization Law grants Roskomnadzor significant new powers: the power to block access from the Russian territory to the websites that violate the Data Localization law, and the power to organize a register of infringers. Banned domain names, network addresses, and other details will be recorded in that special state register of law infringers.

In addition to this blocking and black listing, the current sanctions under the Russian Data Protection Law will apply. The current fines are between RUB 5,000 to RUB 10,000. In addition, a responsible data officer may be fined personally, up to RUB 1,000. It is not clear whether the fines will be computed on a per incident basis or according to the number of data record affected.


Interpretation of the Data Localization Law

The provisions of the Data Localization Law are vague and can be construed in different ways. To date, there is little tangible and precise information on the proposed interpretation of the law. Subordinate legislation, for example in the form of regulations or guidelines, is expected to the adopted in 2015 before the new Data Localization Law comes into force.

In the meantime, during first months of 2015, Roskomnadzor held a series of conferences with industry groups to discuss the specifics of data storage in Russia and ways and mechanisms for controlling the physical location of data. These discussions were conducted on an informal basis, and are not intended to provide an official position. The information provided during these meetings is not legally binding. It is only an incomplete preview of the potential interpretation of the law by the Russian regulator.

Key points discussed during these meetings include:

  • The Data Localization Law would only apply to personal data of Russian citizens who are located in Russia at the time of the collection of these data.
  • All data operators would be affected, whether they are Russian or foreign. The key factor would be the collection of personal data from the Russian territory.
  • The law would apply only to the collection the personal data directly from the individual.
  • Any structured set of personal data would be subject to the law, irrespective of the format and means of processing. Thus, electronic databases, archives, and card files would be subject to the law.
  • Organizations would be required to store their primary database in Russia, where all processing should be performed.
  • It would not be sufficient to store a copy of the database that is primarily stored elsewhere.
  • Data stored in Russia would be transferable outside Russia if the transfer complies with the Russian cross-border transfer rules.

It is expected that more specific guidance will be provided in the near future, hopefully before the September 1, 2015 date. We will keep following these developments.

Posted in International
Comments Off on Russia Data Localization Law: an Enigma

Privacy v. Data Protection. What is the Difference?

Posted by fgilbert on October 1st, 2014

I recently participated in a discussion about the difference between “privacy” and “data protection.” My response was “it depends.” It depends on the country. It may also depend on other factors.

When some countries use the term “privacy,” they may mean the same thing or refer to the same principles as what other countries identify as “data protection.” In other countries, “data protection” may be used to mean “information security” and to overlap only slightly with “privacy.” In this case, the term “data protection” may encompass more than just the protection of personal information (but only through security measures). It may cover as well the protection of confidential or valuable information, trade secrets, know-how, or similar information assets.

In the extensive research I conducted when writing my two-volume treatise, Global Privacy and Security Law, which provides an in-depth analysis of the laws of about 70 countries on all continents, I noticed that the use of the terms “privacy” and “data protection” varies from country to country. It may depend on the language spoken in that particular country. It may depend on the region where the country is located.

While in the United States the term “privacy” seems to prevail when identifying the rules and practices regarding the collection, use and processing of personal information, outside the United States, the term “data protection” tends to be more widely used than “privacy.” Among other things, this might be due to the idiosyncrasies of the languages spoken in the respective countries, as explained below.

— “Data Protection” Outside the United States

Throughout the world, “data protection” is frequently used to designate what American privacy professionals call “privacy”, i.e., the rules and practices regarding the handling of personal information or personal data, such as the concepts of notice, consent, choice, purpose, security, etc.


In Europe, “data protection” is a key term used, among other things, to designate the agencies or individuals supervising the handling of personal information. The 1995 EU Data Protection Directive identifies these agencies as “Data Protection Supervisory Authority.” See, e.g. 1995 EU Data Protection Directive, Article 28 defining the “Data Protection Supervisory Authority,” the agency that regulates and oversees the handling of personal data in an EU Member State. The individuals responsible for the handling of personal information within a company – a role similar to, but different from, that of the American Chief Privacy Officer – are designated as “Data Protection Official.” See, e.g. 1995 EU Data Protection Directive, Article 18(2) and Article 19.


Outside Europe, the term “data protection” is also frequently used to designate activities that Americans would designate as “privacy” centric. In Asia, for example, the laws of Malaysia, Singapore, and Taiwan are named “Personal Data Protection Act.” The law of Japan is called “Act on the Protection of Personal Information.” South Korea’s laws, APICNU and the recent Personal information Protection Act also use the term “data protection.”


African countries also use the concept of “data protection” rather than “privacy.” South Africa named its new law “Protection of Personal Information Act.” Tunisia and Morocco, also named their privacy laws “law relating to the protection of individuals with respect to the processing of personal data.”


In the Americas, Canada’s PIPEDA stands for Personal Information Protection and Electronic Documents Act. The new Mexican law is called “Ley Federal de Protección de Datos Personales.”

—  “Privacy” in Foreign Laws

On the other hand, the term “privacy” is seldom used to identify foreign laws or regimes dealing with the protection of personal information. There are, however, a few example of the use of the term “privacy” outside the United States. APEC used the term “privacy” for its 2004 “APEC Privacy Framework.” The law of the Philippines is called “Data Privacy Act.”

— Translations of “Privacy”

When analyzing which term is used to address the protection of personal data throughout the world, it is also important to keep in mind that the word “privacy” (as understood in the United States) does not exist in some languages.


It is very difficult to translate “privacy” into French. There is no such word in French, even though the French are highly private and very much concerned about the protection of their personal information. If you look for a translation, you will find that “privacy” is translated into French as “intimité,” which is inaccurate, or very narrow. The French “intimité” is actually equivalent to “intimacy” in English and has little to do with the US concept of “privacy” or “information privacy.” Indeed, the French law of 2004 does not refer to “intimacy” but is titled “Act relating to the protection of individuals with regard to the processing of personal data.”


There is a similar disconnect with the translation of “privacy” into Spanish where “privacy” is translated into “privacidad,” which has a meaning closer to intimacy, remoteness, or isolation. Unsurprisingly, the Spanish law regarding data privacy is named “Organic Law data protection law on the Protection of Personal Data.” The term “privacidad” is not used.


 — Data Protection as “Security”

On the other hand, in the US, the term “privacy” seems to prevail. We commonly refer to HIPAA or COPPA as “privacy laws.”

What about “data protection”? I have noticed that, many US information security professional tend to use the term “data protection” to mean protecting the security of information, i.e. the protection of the integrity and accessibility of data. In this case, they do not distinguish the protection of personal data from the protection of company data because from a security standpoint, the same tools may apply to both types of data. In other circles, the terms “information security”, “data security”, “cybersecurity” are frequently used as well.

 — Online Searches

Finally, if you are based in the US, and you run an online search for “data protection”, you will see that the search results either provide links to “security” products (e.g. in my case, a link to McAfee Data Protection product that prevents data loss and leakage) or links to foreign laws dealing with what Americans call “privacy”, (e.g. in my case, a link to Guide to Data Protection from the UK Information Commissioner’s Office).

Posted in International, US Law
Comments Off on Privacy v. Data Protection. What is the Difference?

Review of the Safe Harbor soon?

Posted by fgilbert on March 27th, 2014

In a short statement following the EU-US summit held in Brussels earlier this week, Herman Van Rompuy, President of the European Council, announced on March 27, 2014, that the United States and the European Union have agreed to take steps to address concerns caused by last year’s revelations on the USA NSA surveillance programs, and restore trust.

He indicated that, with respect to commercial use of personal data, the United States “have agreed to a review of the so-called Safe Harbour framework” to ensure transparency and legal certainty. In addition, with respect to government access to personal data, the parties will “negotiate an umbrella agreement on data protection by this summer, based on equal treatment of EU and US citizens.”

The full text of Mr. Van Rampuy’s statement is available at


Posted in Europe, FTC, International
Comments Off on Review of the Safe Harbor soon?

Draft EU Privacy Regulation Amendments Approved

Posted by fgilbert on October 22nd, 2013


The European Union Committee on Civil Liberties, Justice, and Home Affairs, also known as the “LIBE Committee” approved amendments to the draft of the EU Data Protection Regulation on October 21, 2013.

The good news is that the “right to be forgotten” has been replaced with a “right of erasure” which is more narrowly phrased.

The bad news is … most of the other amendments. The revised draft would define a stronger and more stringent data protection regime, which is likely to create additional hurdles for US companies doing business in the European Union, or in need of transferring data out of the EU/EEA to the United States or to subsidiaries worldwide.

In particular, the revised draft increases significantly the maximum fine that might result from violation of the new law. The 2012 draft regulation set a maximum fine of 1,000,000 Euros or 2% of a company’s worldwide income and adopted a tiered approach. With the revised draft, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater.  This is a significant jump.

The next step is the review and approval of the amended text by the European Union Council and the European Commission. After that, the final text of the proposed Regulation would be submitted to the European Parliament for a final discussion and vote. This vote is not likely to take place before May 2014. If an agreement is not reached before the Parliament closes down for the election of new MPs, the negotiation over the Regulation could continue in the next session of the EU Parliament. In this case, more delay might be likely if there were a change in the composition of the Parliament.

The text of the approved amendment is available here.

Posted in Europe, International
Comments Off on Draft EU Privacy Regulation Amendments Approved

Global Privacy and Security Law treatise, Supplement #12

Posted by fgilbert on October 4th, 2013

Supplement #12 to our two-volume treatise Global Privacy and Security Law has been shipped to our subscribers!!

29 chapters have been updated. The most significant changes are described below.


  • Chapter 17 – Canada: The Federal Privacy Commissioner of Canada has issued several reports, including reports requesting amendments to PIPEDAs. The update also provides information regarding several court cases and decisions that affect data privacy and security.
  • Chapter 24 – Dominican Republic: In the Dominican Republic, the Constitutional Court has issued a decision on the publication of criminal records in public access registers.
  • Chapter 65 – United States of America: The United States chapter has been significantly reorganized and supplemented to take into account the evolution of the American legal and regulatory landscape since the first publication of the Global Privacy and Security Law treatise in 2009, the driving role played by the Federal Trade Commission, and the recent interest in the laws that regulate US government access to data. In addition, the chapter includes an analysis of the new Health Information Rules (developed under HIPAA and the HITECH Act), which came into force at the end of September 2013, and the new Children’s Online Information Protection Rule (developed under COPPA), which came into effect on July 1, 2013.


  • Chapter 19 – China: In March 2012, China’s Ministry of Industry and Information Technology issued “Several Provisions” that regulate the telecommunications market, these provisions supersede the Administrative Provisions on Internet Information Services for soliciting public opinions (issued on July 2011). The chapter has been updated with information regarding definitions, rules, and regulations for ISP’s under “Several Provisions.”
  • Chapter 38 – Japan: The update provides a status of the enforcement of the Data Protection Law.
  • Chapter 10 – APEC: Asia continues its progress in the development of a privacy framework that is less stringent than the one currently in effect in the European Union. In the recent months, the Crossborder Privacy Rules, an initiative intended to reduce barriers to information flows, has made progress. The United States has already been approved to participate in the CBPR System, and the Federal Trade Commission as its first enforcement authority. Mexico recently obtained its approval and in June 2013, Japan applied to participate.


  • Chapter 26 – Estonia: In Estonia, the Employee Information section has been updated to include information on recording telephone calls. Clarification has also been provided regarding the rules for employee consent.
  • Chapter 28 – France: This update provides a brief summary of the CNIL 33rd activity report for 2012. The section on video surveillance is supplemented with information about a recent case in Paris. A new section has also been added regarding Illegal Downloading, which describes the requirements for employers to monitor Internet usage of their employees.
  • Chapter 32 – Hungary: The update describes the recent recommendation by the Hungarian Data Protection and Freedom of Information Agency on video surveillance in the workplace and other developments regarding data processors ability to subcontract work to other processors.  The Agency has also been vested with a new function, that of auditor for data controllers.
  • Chapter 33 – Iceland: Two new sections have been added regarding International Treaties and Agreements to which Iceland is party and about data protection guaranties found in the Constitution of the Republic of Iceland. The chapter has also been supplemented with information regarding the status of implementation of Article 5(3) of the 2009 Directive regarding the use of cookies.
  • Chapter 40 – Liechtenstein: The update includes information regarding International Treaties and Agreements to which Liechtenstein is party and information regarding data protection in the country’s Constitution. The update also provides information regarding the status of implementation of Article 5(3) of the 2009 Directive.
  • Chapter 41 – Lithuania: Two new subsections on the exchange of personal data for evaluation of solvency and debt management and on video surveillance have been added to the Data Protection Law section.
  • Chapter 46 – Netherlands: The update to the Netherlands chapter provides an overview of the Article 29 opinion on the definition of “personal information,” “purpose limitation” and “use limitation.” The chapter also describes the status of the 2009 cookie directive implementation. Netherlands appears to be leaning towards a less strict interpretation of the 2009 provisions. The Netherlands Data Protection Commissioner has published guidelines for the security of personal data, which provides a checklist of appropriate measures. Finally, the chapter provides an in depth analysis of the whistle blowing provisions that apply to civil servants.
  • Chapter 47 – Norway: The 2009 Directive has not yet been implemented but the Norwegian Parliament has submitted a plan on its implementation. A new section on health information has been added, and the section on electronic communications has been supplemented with information regarding traffic data. Also described in this updated is the Supreme Court’s ruling on a case involving the collection of employee GPS location data by a waste company.
  • Chapter 50 – Portugal: An update on the implementation of the 2009 Directive with respect to cookies and security breach disclosure requirements is included in this supplement.
  • Chapter 51 – Romania: The update to the Romania chapter focuses on the implementation of the 2009 amendment to the 2002 e-Privacy Directive into the Data Protection Law regarding the use of cookies.
  • Chapter 54 – Slovakia: The chapter describes recent reports of the Office for Personal Data Protection regarding the processing of biometric data, its investigation of e-shops, and the requirements to notify data subjects when performing video surveillance.
  • Chapter 55 – Slovenia: The Electronic Communications Act came into force, implementing Article 5(3) of the 2009 amendment to the 2002 ePrivacy Directive.
  • Chapter 59 – Sweden: The update to the Sweden chapter describes a 2012 case involving surveillance cameras in a high school. An update on the ePhone case is also included.
  • Croatia: In addition to the above, to take into account the arrival of Croatia in the European Union as its 28th member state, several chapters have been slightly modified.  Supplement # 13 to the Global Privacy and Security Law treatise will contain a new chapter, which will analyze Croatia’s data protection laws in the same way as the other laws of other countries have been described and analyzed.

Middle East – Africa

If you are a subscriber, and you have not yet received your copy please let me know.

Posted in International
Comments Off on Global Privacy and Security Law treatise, Supplement #12

Foreign Laws on Government Access to Data

Posted by fgilbert on April 11th, 2013

Companies and individuals who upload their files in the cloud often ask (or should ask) the question: “Where are my files and who can have access to them?”

In a prior article, we analyzed the laws that regulate US government access to data. In this article we will review their equivalent in three countries on three continents. What may be surprising to some is that most countries grant their law enforcement or intelligence services extensive powers that are similar to, and at times more substantial than, those of their U.S. counterparts.


In Canada, Part II of the Security Intelligence Service Act allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and obtainment ofany information, record, document or thing. The judge may issue a warrant authorizing the persons to whom it is directed to intercept any communication or obtain any information, record, document or thing and, for that purpose:

To enter any place or open or obtain access to any thing;

  • To search for, remove or return; or examine, take extracts from or make copies of; or record in any other manner the information, record, document or thing; or
  • To install, maintain or remove any thing.

The National Defense Act gives the Minister of National Defense powers that are similar to those granted by the U.S. Foreign Intelligence Surveillance Act,such as the power to authorize the Communications Security Establishment to intercept communications for the purpose of obtaining foreign intelligence. The Minister may only issue an authorization if satisfied of the following:

  1. The interception will be directed at foreign entities located outside Canada;
  2. The information to be obtained could not reasonably be obtained by other means;
  3. The expected foreign intelligence value of the information that would be derived from the interception justifies it; and
  4. Satisfactory measures are in place to protect the privacy of Canadians and to ensure that private communications will only be used or retained if they are essential to international affairs, defense or security.

Further, several provisions of PIPEDA, the Canadian federal law that governs the protection of personal data, allow national security policies to take precedence over privacy rights. For example, PIPEDA allows an organization to collect, use or disclose an individuals’ personal data without the knowledge or consent of the individualin connection with an investigation, or if the information relates to national security, the defense of Canada, international affairs or an investigation, orto comply with a warrant or subpoena.

PIPEDA also contains an exception regarding individuals’ right of access to information about them held by organizations,when the organization has disclosed personal information to governmental agencies as described above. If an individual requests that the organizationinform him or her about a disclosure of information made to the intelligence services, the organization must notify the government agency (in writing andwithout delay) to which the disclosure was initially made and cannot respond to the individual until it has received the government agency’s response.


In India, the 2008 amendments to the Information Technology Act of 2000 gives extensive powers of investigation to the Indian government for combatting terrorism. For example, the Information Technology Act allows any agency of the Central or State Government to intercept, monitor or decrypt any information transmitted, received or storedthrough any computer resource, when it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign states or public order.

In addition, it gives the police the power to enter any public place and search and arrest, without a warrant, any person suspectedof having committed, or of committing or about to commit, any act prohibited by the Information Technology Act.

United Kingdom

The United Kingdom’s Regulation of Investigatory Powers Act 2000 (RIPA) defines the powers of public agencies to carry out surveillance and investigations, intercept and use communications, conduct other related investigations, and follow people and use human intelligence sources.

The law allows public agencies to take part in such activities for national security and for detecting crime, preventing disorder, public safety and public health. RIPA allows the interception of communications, use of communications data, following people and the use of covert human intelligence sources. It may require individuals or companies to supply decrypted information that has been previously encrypted. Failure to disclose this information may be subject to up to two years in jail.

The broad powers of intelligence services

All countries have the same general needs for information and concerns over secrecy. In the global fight against terrorism, espionage and money laundering, among others, intelligence services have been granted significant powers in most countries. They frequently cooperate with each other across borders as a result.

If a cloud service provider (CSP) receives a request from an intelligence service or other law enforcement authority of the country in which it is located, in the manner prescribed by applicable law, it does not have many choices beyond providing access to the company’s data, unless the CSP opts to fight the request and argue that the request is illegal, does not conform to the legal requirements or is too broad.

The problem of the prerogatives and powers granted to United States intelligence services may  be less serious than in other countries, because U.S. laws generally contain strict and detailed rules, provide transparency and require law enforcement agencies to make numerous disclosures of their activities. U.S. laws also include many control measures (e.g., annual reports), detailed procedures (e.g., warrant or a court order)and procedural rules. In countries such as India, access to servers by judicial police or intelligence services is less regulated. This lack of transparency may cause the public to be unaware of the extent of the government’s surveillance capabilities.


Wherever their data are stored or hosted by a third party, cloud service users should remain aware of the possibility that a government can obtain access to the data, especially when there are overarching reasons, such as national security or the prosecution or prevention of serious crimes. This has always been the case, even when data were stored on server farms in the same city. The cloud changes the dynamic, because the data may beheld in a server located anywhere in the world, which makes them accessible by more governments under many more laws.

When CSPs operate within the jurisdiction of a country, they must understand and abide by the rules in effect in that country. Concurrently, they have an obligation to their customers to respond to government and other requests for access to data in their custody in a responsible manner. They must evaluate the request for access to determine whether it conforms to the requirements of the applicable law and, when possible and permitted, inform the customer that their data was accessed.

To be able to address such requests in an appropriate manner, they should implement processes and procedures to analyze government and third-party requests for access and to respond to these requests in accordance with the applicable laws. Before engaging a CSP, customers should perform due diligence and inquire about the existence of these processes and procedures, as a way to evaluate the CSP’s level of awareness of these laws and complex issues.

Originally published in on 27 Feb 2013



Posted in International
Comments Off on Foreign Laws on Government Access to Data

Proposed EU Data Protection Regulation – January 25, 2012 Draft: What US Companies Need to Know

Posted by fgilbert on January 27th, 2012

If the vision of Ms. Reding, Vice-President of the European Commission, as expressed in the January 25, 2012 data protection package is implemented in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States and will have removed much of the administrative burden that are currently costing billions of Euros to companies. The saving would allow companies to reinvest in more meaningful, efficient, data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.

The series of legislative texts and documents that were published on January 25, 2012 by the European Commission are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. Ms. Reding’s vision is to have a Regulation address the general privacy issues, and a Directive address the special issues associated with criminal investigations.

The publication of these drafts signal a very important shift in the way data protection will be handled in the future throughout the European Union. The proposed rules would create more obligations for companies and more rights for individuals, while some of the current administrative burdens and complexities would be removed. This is consistent with the plan of action that was presented in late 2010 in Communication 609. What is new, and a paradigm shift, is that there will be one single data protection law throughout the European Union, and companies will not longer have to suffer from the fragmentationresulting from the fact that the 27 Member States interpreted and implemented differently the principles set forth in Directive 95/46/EC.

A single set of rules on data protection, valid across the EU would make it easier for companies to know the rules. Unnecessary administrative burdens, such as notification requirements for companies, would be removed. Instead, the proposed Regulation provides for increased responsibility and accountability for those processing personal data. In the new regime, organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people would be able to refer to thedata protection authority in their country, even when their data are processed by a company based outside the EU.

US companies that do business in or with the European Economic Area must start preparing for this dramatic change in the data protection landscape. Some of the provisions will require the development of written policies and procedures, documentation, and applications as necessary to comply with the new rules. Security breaches will have to be disclosed, and incident response plans will have be created accordingly. The development of these new structures will require significant investment and resources. IT and IS departments in companies will need to obtain greater, more significant budgets in order to finance the staff, training, policies, procedures and technologies that will be needed to implement the new provisions.

The Foundation Documents

The proposed data protection package contains two important legislative texts:

The draft Regulation and draft Directive will now be discussed by the European Parliament and EU Member States meeting in the Council of Ministers. Thus, there will be more opportunities for discussion, changes, and modifications of the current provisions, and there is currently no certainty that the provisions as stated in the January 25, 2012 draft will remain.

However, given the energy, speed, and determination with which the reform of the EU data protection regime has been handled, it is likely that a final vote will take place sooner than later. Once in their final form and formally adopted by the European Parliament, the rules are expected to take effect two years later. Thus, it is likely that, by the end of 2014, or early 2015, the European Economic Area will be subject to a new, improved, but stricter data protection regime.

This article discusses only the Proposed Regulation.

A Regulation, Not a Directive

The European Union is over 50 years old. For a long time, the Union has functioned as a group of countries operating under a set of rules that attempted to be consistent with each other, in order to ease the flow of people and goods among the Member States. This was achieved by implementing on a piecemeal basis the principles of numerous directives, with each Member State, in fact, retaining a lot of independence and autonomy. While this strategy allowed to slowly create a sense of unity among countries that had different cultures, history and personalities, it ended up creating a patchwork of national laws that had some resemblance but also their own personality. A difficult setting for companies operating in several Member States.

The ratification of the Treaty of Lisbon in late 2009 was a very important milestone in the morphing of the European Union as a united power.  It marked a very important step in the evolution of the Union, creating deep changes in its rules of operation, removing the three-pillar system that fragmented the operations, and moving the federation into a closer, tighter structure. With the Treaty of Lisbon, the European Union moved towards more cohesion, more consistency, and more unity.

With this background in mind, it is logical that the European Commission found that a “Regulation,” as opposed to a “Directive,” was the most appropriate legal instrument to define the new framework for the protection of personal data in the European Union in connection with the processing of these data by companies and government agencies in their day-to-day operations. Due to the legal nature of a regulation under EU law, the proposed data protection Regulation will establish a single rule that applies directly and uniformly.

EU regulations are the most direct form of EU law. A regulation is directly binding upon the Member States and is directly applicable within the Member States. As soon as a regulation is passed, it automatically becomes part of the national legal system of each Member State. There is no need for the creation of a new legislative text.

EU directives, on the other end, are used to bring different national laws in-line with each other. They prescribe only an end result that must be achieved in every Member State. The form and methods of implementing the principles set forth in a directive are a matter for each Member State to decide for itself. Once a directive is passed at the European Union level, each Member State must implement or “transpose” the directive into its legal system, but can do so in its own words. A directive only takes effect through national legislation that implements the measures.

The current data protection regime, which is based on a series of directives – Directive 96/45/EC, Directive 2002/558/EC (as amended) and Directive 2006/2006/24/EC – has proved to be very cumbersome due to the significant discrepancies between the interpretations or implementations of the directive that were made in the various Member State data protection laws. There is currently a patchwork of 27 rules in 27 countries. This fragmentation creates a significant burden on businesses which are forced to act as chameleon, and adapt to the different privacy rules of the countries in which they operate.

Conversely, a regulation is directly applicable, as is, in the Member States. By adopting a Regulation for data protection matters, the EU will equip each of its Member States with the same legal instrument that applies uniformly to all companies, all organizations, and all individuals. The choice of a regulation for the new general regime for personal data protection should provide greater legal certainty by introducing a harmonized set of core rules that will be exactly the same in each Member State. Of course, each country’s government agencies and judicial system are still likely to have their own interpretation of the same text, but the discrepancies between these interpretations should be less significant than those that are currently found among the Member State data protection laws.

Overview of the Draft Regulation

The 119-page draft Regulation lays out the proposed new rules. Among the most significant changes, the Proposed Regulation would shift the consent requirement to that of an “explicit” consent. It would introduce some new concepts that were not in Directive 95/46/EC, such as the concept of breach of security, the protection of the information of children, the use of binding corporate rules, the special status of data regarding health, and the requirement for a data protection officer. It would require companies to conduct privacy impact assessments, to implement “Privacy by Design” rules, and to ensure “Privacy by Default” in their application. Individuals would have greater rights, such as the “Right to be Forgotten” and the “Right to Data Portability.” Some of the key components of the Proposed Regulation are discussed below.

–  New, Expanded Data Protection Principles

Articles 5 through 10 would incorporate the general principles governing personal data processing that were laid out in Article 6 of Directive 95/46/EC and add new elements such as: transparency principle, comprehensive responsibility and liability of the controller, and clarification of the data minimization principle.

One of the significant differences with Directive 95/46/EC is that the notion of consent is strengthened. Currently, in most EU Member States, consent is implied in many circumstances. An individual who uses a website is assumed to have agreed to the privacy policy of that website. Under the new regime, when consent is the basis for the legitimacy of the processing, it will have to be “specific, informed, and explicit.” The controller would have to bear the burden of proving that the data subjects have given their consent to the processing of their personal data for specified purposes. For companies, this means that they may have to find ways to keep track of the consent received from their customers, users, visitors and other data subjects, or will be forced to ask again for this consent.

–  Special Categories of Processing

The rules that apply to special categories of processing would be found in Articles 80 through 85. The special categories would include processing of personal data for:

  • Journalistic purposes;
  • Health purposes;
  • Use in the employment context;
  • Historical, statistical or scientific purposes;
  • Use by individuals bound by a duty of professional secrecy;
  • Public interest.

There are also provisions to protect the rights of a child. A “child” is currently defined as an individual under 13 (Article 8). In addition, the definition of “sensitive data” would be expanded to include genetic data and criminal convictions or related security measures. (Article 9).

–  Transparency and Better Communications

Article 11 of the proposed Regulation would introduce the obligation for transparent and easily accessible and understandable information, while Article 12 would require the controller to provide procedures and a mechanism for exercising the data subject’s rights, including means for electronic requests, requiring that response to the data subject’s request be made within a defined deadline, and the motivation of refusals. Companies will welcome the fact that the rule for handling requests for access or deletion will be the same in all Member States. In the current regime, the time frames for responding to such requests are different, with some Member States requiring action within very short periods of time, and others allowing two months to respond.

–  Rights of the Data Subjects

Articles 14 through 20 would define the rights of the data subjects. In addition to the right of information, right of access, and right of rectification, which exist in the current regime, the Proposed Regulation introduces the “right to be forgotten” as part of the right to erasure. The right to be forgotten includes the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases.

Article 18 would introduce the data subject’s right to data portability, that is, to transfer data from one automated processing system to, and into, another, without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format. The right to object to the processing of personal data would be supplemented by a right not to be subject to measures based on profiling.

The “right to be forgotten” and the “right to portability” reflect the pressure of the current times, and respond to the needs of customers of social networks who have found, to their detriment, that the ease of use of a social network and the access to the service for no fee was tied to a price:  that their personal data could be used in forms or formats that they had not expected, and that the service provider would resist a user’s attempt to move to another service.

–  Obligations of Controllers and Processors

Articles 22 through 29 would define the obligations of the controllers and processors, as well as those of the joint controllers and the representatives of controllers that are established outside of the European Union. Article 22 addresses the accountability of the controllers. These would include for example, the obligation to keep documents, to implement data security measures, and to designate a data protection officer. Article 23 would set out the obligations of the controller to ensure data protection by design and by default.

Articles 24 and 25 address some of the issues raised by outsourcing, offshoring and cloud computing. While these provisions do not indicate whether outsourcers are joint data controllers, they acknowledge the fact that there may be more than one data controller. Under Article 24, joint data controllers would be required to determine their own responsibility for compliance with the Proposed Regulation. If they fail to do so, they would be held jointly responsible. Article 25 would require data controllers that are not established in the European Union and that direct data processing activities at EU residents, or monitor their behavior, to appoint a designated representative in the European Union.

–  Supervision of Data Controllers or Processors by Data Protection Authority

Article 28 would introduce the obligation for controllers and processors to maintain documentation of the processing operations under their responsibility, instead of a general notification to the data protection supervisory authority, as is currently the case under Articles 18 and 19 of Directive 95/46/EC. This provision reflects one of the new guiding principles in the EU Data Protection reform:  that of accountability. In exchange for removing the cumbersome requirement for notification of the data controllers’ personal data handling practices, the new framework require that data controllers be “accountable.” They must create their own structures, and document them thoroughly, must be prepared to respond to any inquiry from the Data Protection Authority and to promptly produce the set of rules with which they have committed to comply.

Article 28 identifies a long list of documents that would have to be created and maintained by data controllers and data processors. This information is somewhat similar to the information that is currently provided in notifications to the data protection authorities―for example, the categories of data and data subjects affected, or the categories of recipients. There are also new requirements such as the obligation to keep track of the transfers to third countries, or to keep track of the time limits for the erasure of the different categories of data.

In the case of data controllers or data processors with operations in multiple countries, Article 51 would create the concept of the “main establishment.” The data protection supervisory authority of the country where the data processor or data controller has its “main establishment” would be competent for the supervision of the processing activities of that processor or controller in all Member States under the mutual assistance and cooperation provisions that are set forth in the Proposed Regulation.

–  Data Security

Articles 30 through 32 focus on the security of the personal data. In addition to the security requirements already found in Article 17 of Directive 95/46/EC and extending these obligations to the data processors, the Proposed Regulation introduces an obligation to provide notification of personal data breaches. In case of a breach of security, a data controller would be required to inform the supervisory authority within 24 hours, if feasible. In addition, if the breach is “likely to adversely affect the protection of the personal data or the privacy of the data subject,” the data controller will be required to notify the data subjects, without undue delay, after it has notified the supervisory authority of the breach.

–  Data Protection Impact Assessment

Article 33 would require controllers and processors to carry out a data protection impact assessment if the proposed processing is likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities include: monitoring publicly accessible areas, use of the personal data of children, use of genetic data or biometric data, processing information on an individual’s sex life, the use of information regarding health or race, or an evaluation having the effect of profiling or predicting behaviors.

–  Data Protection Officer

Articles 35 through 37 would require the appointment of a data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring. Under the current data protection regime, several EU Member States, such as Germany, require organizations to hire a Data Protection Officer, who is responsible for the company’s compliance with the national data protection. Article 36 identifies the roles and responsibilities of the data protection officer and Article 37 defines the core tasks of the data protection officer.

–  Crossborder Data Transfers

Articles 40 through 45 would define the conditions of, and restrictions to, data transfers to third countries or international organizations, including onward transfers. For transfers to third countries that have not been deemed to provide “adequate protection,” Article 42 would require that the data controller or data processor adduce appropriate safeguards, such as through standard data protection clauses, binding corporate rules, or contractual clauses. It should be noted, in particular, that:

  • Standard data protection clauses may also be adopted by a supervisory authority and be declared generally valid by the Commission;
  • Binding corporate rules are specifically introduced (currently they are only accepted in about 17 Member States);
  • The use of contractual clauses is subject to prior authorization by supervisory authorities.

Binding corporate rules would take a prominent place in the Proposed Regulation. Their required content is outlined in Article 43. Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of the proposed transfer.

–  European Data Protection Board

The “European Data Protection Board” would be the new name for the “Article 29 Working Party.” Like its predecessor, the new Board will consist of the European Data Protection Supervisor and the heads of the supervisory authority of each Member State. Articles 65 and 66 clarify the independence of the European Data Protection Board and describe its role and responsibilities.

–  Remedies and Sanctions

Articles 73 through 79 would address remedies, liability, and sanctions. Article 73 would grant data subjects the right to lodge a complaint with a supervisory authority (which is similar to the right under Article 28 of Directive 95/46/EC). It also would allow consumer organizations and similar associations to file complaints on behalf of a data subject or, in case of a personal data breach, on their own behalf.

Article 75 would grant individuals a private right of action. It would grant individuals the right to seek a judicial remedy against a controller or processor in a court of the Member State where the defendant is established or where the data subject is residing. Articles 78 and 79 would require Member States to lay down rules on penalties, to sanction infringements of the Proposed Regulation, and to ensure their implementation. In addition, each supervisory authority must sanction administrative offenses and impose fines.

The Proposed Regulation introduces significant sanctions for violation of the law. Organizations would be exposed to penalties of up to 1 million Euros or up to 2% of the global annual turnover of an enterprise. This is much more than the penalties currently in place throughout the European Union. Apart from a few cases, the level of fines that have been assessed against companies that violated a country’s data protection laws has been low. The Proposed Regulation signals an intent to pursue more aggressively the infringers and to equip the enforcement agencies with substantial tools to ensure compliance with the law.


The terms of the Proposed Regulation are not really a surprise. For several months, Viviane Reding, Vice-President of the European Commission, and other representatives of the European Union have provided numerous descriptions of their vision for the new regime, including through a draft of the documents published in December 2011, which differs slightly from the January 25, 2012 version. It is nevertheless exciting to see, at long last, the materialization of these descriptions, outlines, and wish lists.

Altogether, if the current provisions subsist in the final draft, the new Regulation will increase the rights of the individuals and the powers of the supervisory authorities. While the Regulation would create additional obligations and accountability requirements for organizations, the adoption of a single rule throughout the European Union would help simplify the information governance, procedures, record keeping, and other requirements for companies.

Finally, it should also be remembered that Directive 95/46/EC has been a significant driving force in the adoption of data protection laws throughout the world. In addition to the 30 members of the European Economic Area, numerous other countries, such as Switzerland, Peru, Uruguay, Morocco, Tunisia, or the Dubai Emirate (in the Dubai International Financial District) have adopted data protection laws that follow closely the terms of Directive 95/46/EC. It remains to be seen what effect the adoption of the Regulation will have on the data protection laws of these other countries.

Posted in Europe, International
Comments Off on Proposed EU Data Protection Regulation – January 25, 2012 Draft: What US Companies Need to Know

Peru Adopts New Data Protection Law

Posted by fgilbert on July 6th, 2011

On July 2, 2011, Peru adopted its first “Law on the Protection of Personal Data.” The law was published in the country’s official gazette of July 3, 2011 as Law No. 29733. Inspired from the Spanish data protection law and the APEC Privacy Framework, this new law is intended to bring Peru to a level of data protection that would be satisfactory to the European Union member states and other countries that have adopted similar data protection regimes.

Scope of the Law

The law applies to personal data that are held or intended to be held in personal data banks for processing within the country. The important criterion for determining whether the law applies is:  where the processing occurs.

The law regulates personal data held in electronic or other form. “Personal Data” is defined as any information about a natural person that identifies, or allows identifying, the person through reasonable means. The law distinguishes “personal data” and “sensitive data.” The definition of “sensitive data” covers traditional items such as data relating to race or ethnicity, health and sexual life, political opinion, religious or philosophical beliefs, and union membership as well as items less frequently found in similar laws:  biometric data and income.

Like many other countries, Peru excludes from the scope of the data protection law data that are held for personal purposes, or in connection with family life, as well as data that are held by public administrations but only to the extent that the data are used for criminal investigation or enforcement, public safety or national defense.

Data Protection Authority

The law establishes a national data protection authority, the Autoridad Nacional de Protección de Datos Personales, which is overseen by the Ministry of Justice. Among other things, the Autoridad manages the country’s national register of personal data protection. It has extensive powers, which are generally similar to those of the other data protection supervisory authorities in other countries.

Eight Principles

Title I of the law identifies eight “guiding principles”:

  • Legality – The processing of personal data must be conducted in accordance with the law. The use of fraudulent, unfair, or illegal means for collecting personal data is prohibited.
  • Consent – The processing of personal data requires the prior informed, explicit consent of the individual (with exceptions).
  • Finality – Personal data may be collected only for a specified, explicit, and lawful purpose.
  • Proportionality – The data collected must be adequate, relevant, and not excessive in view of the purpose for which they are collected.
  • Quality – The data must be accurate, current, and appropriate for the purpose for which they are collected. They must be retained only as long as necessary to fulfill the purpose of the processing.
  • Security – Appropriate technical, organizational, and contractual measures must be taken to ensure the security of the personal data.
  • Enforcement – There must be appropriate administrative and judicial measures to allow individuals to claim and enforce their rights.
  • Restriction to Crossborder Transfers – The transfer of personal data across borders requires that the recipient ensure an adequate level of protection for personal data, or at least a level of protection comparable to those that are set forth in the relevant international standards.

Rights of Individuals

Like many other laws, the Peruvian Data Protection Law grants to individuals numerous rights, including the right to information, right of access, right of correction, right of opposition, right not to be subject to a decision based solely on automated processing of personal data.

In addition, the law grants data subjects the “right to protection,” which allows data subject to appeal to the Autoridad Nacional de Protección de Datos Personales, the country’s data protection authority in case of a violation of their rights, or to the judiciary, in the case of an action in Habeas Data. The law also provides for a “right to compensation”, which provides for the compensation of individuals by the entity that is responsible for the data, in the event of a violation of the law. The amount of the compensation is not specified in the law.

Registration Requirement

The law establishes a registration requirement, which is similar to that which is in force in the European Union. The National Authority for Data Protection will be responsible for managing and keeping the National Register of Data Protection.

Enforcement and Sanctions

The Autoridad Nacional de Protección de Datos Personales, is the primary organ vested with the power to enforce the law. The law distinguishes three categories of violations:  minor, serious, and very serious.

Acting in contravention to the guiding principles, breaching confidentiality obligations, preventing individuals from exercising their rights constitute serious offenses. Creating databases without complying with the required formalities, providing false or incomplete documents, failure to comply with the registration requirements constitute very serious offenses.

The penalties are set in “tax units” or unidad impositiva tributaria. (UIT) The fines range from .5 tax units for minor offenses to 100 UIT for the most serious offenses. The UIT is a standard measure used in Peru for calculating tax payments and fines. One UIT is PEN3,600, i.e., approximately US$ 1,300. There is annual cap; it is equal to 10% of the gross annual income received by the organization.

Next Steps

It will take time before the law is fully implemented. First, the national data protection supervisory authority must be established. Then regulations must be drafted to fully explain the processes and procedures that are expected from the covered entities.

Text of the Law

The full text of the law (in Spanish) can be found at:

Posted in International
Comments Off on Peru Adopts New Data Protection Law