On behalf of DLA Piper’s Global Data Protection team, we would like to wish you a happy International Data Protection Day 2022. We hope that the year has started off well and you will have a safe and healthy year ahead.
Data Protection Laws of the World
To celebrate International Data Protection Day, we are delighted to launch our annual update to the Data Protection Laws of the World guide. In this eleventh edition of the guide, we now provide an overview of privacy and data protection laws in over 100 different jurisdictions. Fully refreshed and updated for 2022, the guide has new jurisdictional entries that now include Sri Lanka and the Abu Dhabi Global Market Free Zone, which launched their new data protection regimes last year.
Looking back on 2021, the privacy and data protection landscape continues to evolve at pace.
In Europe we saw the UK finally conclude Brexit and the establishment of a separate data protection regime in the UK, which will be governed by the UK GDPR. After some uncertainty, data transfers between the two trading areas will now be supported by mutual adequacy decisions.
Data transfers to other countries remain a challenge. Although the EU finalised new standard contractual clauses for data transfers between EU and non-EU countries, the European Data Protection Board guidance on the requirement to conduct supporting risk assessments creates a big challenge for global organisations who are routinely transferring data around the world. We
In the United States, a number of new state-level privacy laws were passed (including in California, Colorado and Virginia), and a Presidential Executive Order was issued encouraging the FTC to focus on the increasingly relevant intersection between privacy and competition law, in the context of an economy where most of the world’s largest accumulators of personal data are based.
In Asia Pacific, China’s Personal Information Protection Law (PIPL) came into force. This consolidates obligations on processing of personal information at a national law level, but still leaves to be determined in the future through subsequent regulations and guidelines.
New data protection laws were also enacted in a number of key jurisdictions including Canada, UAE-Dubai (Federal), Saudi Arabia and South Africa (where POPIA finally came into full effect following a 12-month grace period). However, we also saw delays in the implementation of laws in a number of countries – including Thailand, India and Egypt, in each case due to the focus on the ongoing public health crisis.
In addition to privacy law developments, there were a number of significant enforcement actions globally. We saw two record-breaking fines from the Luxembourg and Irish data protection authorities (EUR746 million and EUR225m respectively). Both are subject to ongoing appeals. Enforcement shows no signs of slowing down this year—in the first week of January 2022, the French data protection authority, the CNIL, announced fines of 150 million euros against Google and 90 million euros against Facebook.
Finally, we see cybersecurity as continuing to be a significant risk area for organisations. A number of major vulnerabilities were reported in 2021, including the Apache Log4j vulnerability, which has been described by numerous experts as one of the most significant security vulnerabilities in decades, given how widespread it is across devices, web servers and systems worldwide. 2021 was also the year when ransomware attacks made the headlines, with a number of high-profile supply chain-focused attacks.
Our Tools and Resources
To help manage privacy compliance we have developed a range of tools and resources.
“Transfer” is DLA Piper’s pioneering data transfer methodology – a legal technology solution built to make it easy for privacy professionals to manage the international transfers of data. Using a 5-step process, companies can determine risk levels for transferring personal data across jurisdictions on a country-by-country basis – bringing simplicity and consistency to the requirement to impact assess global data transfers following recent changes in EU / UK privacy law.
Transfer brings simplicity and assurance to the transfer impact assessment process, through a clear methodology, aligned to the legal requirements and enriched by a catalogue of country content. Transfer has been designed with flexibility and assurance in mind. It works equally well whether you’re a multinational transferring data across a global network, or a smaller organisation managing one-off transfers. And with modular content, you can take the components that suit your needs, whether you are looking for a standardized assessment tool, deep country content, or a configured solution. Thanks to our update service, no matter how the regulatory landscape changes, you can enjoy the peace of mind of knowing you’ll always be covered with Transfer.
iOS / Android downloadable tool to help you quickly navigate around the UK and EU GDPR through fully indexed text and linked content.
European Data Breach Survey 2022
Data protection supervisory authorities across Europe have issued a total of nearly EUR1.1 billion (USD1.2 / GBP0.9 billion) in fines since 28 January 2021. This figure is taken from our latest annual General Data Protection Regulation (GDPR) Fines and Data Breach Survey of the 27 European Union Member States plus the UK, Norway, Iceland and Liechtenstein. This is nearly a sevenfold increase on last year’s total. The highest GDPR fine to date, and the biggest so far for non-compliance with the GDPR, is the EUR746 million fine imposed by the Luxembourg National Commission for Data Protection (CNDP) on a US online based retailer. This is more than 14 times higher than the previous largest GDPR fine (EUR50 million), imposed by France’s CNIL on Google.
Helping clients – our other tools
Privacy Scorebox – an online questionnaire process that helps you understand your organisation’s level of data protection maturity
Privacy Matters blog – regular legal updates service to keep you connected with latest developments in privacy law – subscribe to receive posts on regulatory change and case law.
EU Cookies Guide – a desktop guide to the law on cookies across Europe
Wishing you well
We hope that this year we may be able to meet in person, professionally and for social events. If you have any questions or would like to talk to one of the team, please get in touch at DataPrivacy@dlapiper.com.
With very best wishes from everyone in the DLA Piper global data protection team.