Data protection and privacy law continues to spread around the world. Over 90 countries now have data protection rules and 2014 has seen some material developments. Examples of some of these appear below.
The US Federal Trade Commission (FTC) has reached settlements with 14 companies which had falsely claimed to participate in the Safe Harbour programme. The FTC has been under pressure from the European Commission for some time to toughen up its enforcement of the US/EU Safe Harbour Programme. The Commission believes many US companies are claiming to comply with the Safe Harbour rules when they do not. It remains to be seen whether this burst of FTC energy will be sustained.
New data protection regulations received preliminary approval and are under negotiation. These could:
– expand the scope of the rules to include all organisations which process the data of EU citizens
– increase maximum fines to the greater of Euro 100M or 5% of global turnover
– give individuals the “right to be forgotten” by an organisation
– establish a single set of data protection rules for the whole of the EU
– enable companies to deal with a single EU-wide data protection authority rather than data protection authorities in each country.
The timetable is not yet clear and there will be a 2-year lead-in time. It is estimated that EU operating companies will in aggregate save Euro 2 Billion in compliance costs through such a streamlined regime.
The Russian President has approved a tough new data protection regime which, unless amended, will come into effect in 2 years' time. The new law requires any database that stores personal data on a Russian individual to be located in Russia. This will have challenging implications, particularly for international on-line businesses capturing the personal data of Russian citizens. One sanction for breach will be the blocking of websites.
Singapore's new data protection regime has come into full effect, aimed at strengthening "Singapore's position as a trusted global data hub" according to the Chairman of the Singapore Personal Data Protection Commission. The new rules require notification to and consent of data subjects to the collection, storage and transfer of their personal data; the establishment of reasonably secure data storage arrangements; the appointment of data protection officers within organisations; rights of data subjects to see and correct personal data and to the removal of data no longer needed; and an obligation to make data protection policies available on request.
Changes to the existing privacy regime came into effect in Australia after an 18-month lead-in. The new law establishes a single list of 13 data protection principles, called the Australian Privacy Principles. The new regime substantially increases the level of privacy regulation, enforceability and sanctions.