January 31, 2022
For the fourth consecutive year, and complementing the publication of Gibson Dunn’s upcoming tenth annual U.S. Cybersecurity and Data Privacy Outlook and Review, we offer this separate International Outlook and Review. As every year, this Outlook and Review provides an overview of past and upcoming developments related to global privacy and cybersecurity laws.
2021 saw an increasing number of data protection bills and laws passed across numerous international jurisdictions. Notably, China, the UAE, Brazil, Russia and Switzerland, among others, passed new laws, amendments or implementing regulations paving the way for a new round of significant data privacy regimes. It is expected that international authorities will make full use of their new powers in order to apply and enforce their respective data protection legislation in the near future.
In the European Union (“EU”), there were a significant number of developments in the evolution of the data protection and cybersecurity landscape:
We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.
As we indicated in the 2021 International Outlook and Review, on 16 July 2020, the so-called Schrems II ruling of the Court of Justice of the EU (“CJEU”) struck down the EU-U.S. Privacy Shield, which numerous companies had relied upon to transfer personal data from the EU to the U.S. Despite this, the CJEU also ruled that the SCCs approved by the European Commission, another mechanism used by an even higher number of companies to transfer personal data outside of the EU, remained valid subject to certain caveats.
Further to the Schrems II ruling, organisations transferring personal data to a third country must verify, on a case-by-case basis, if there is anything in the law and practice of the third country which may impinge on the appropriate safeguards of the transfer tools (a “Risk Assessment”). If the law and practice of the third country do impinge the transfer tools safeguards, the organisations are required to implement supplementary measures to ensure an equivalent level of protection.
In this respect, the European Data Protection Board (“EDPB”) issued important new guidance on international transfers of personal data, namely:
In parallel, on 4 June 2021, the European Commission adopted new SCCs to cover data transfers among controllers and processors from the European Economic Area (“EEA”) to third countries not recognised by the European Commission as ensuring an adequate level of protection for personal data. These new set of SCCs replace the old SCCs adopted in 2001 and 2010 under the Data Protection Directive 95/46/EC (“e-Privacy Directive”), and take into account the conclusions of the CJEU in Schrems II. Since 27 September 2021, it is no longer possible to execute the old SCCs and, as of 27 December 2022, existing contracts will need to have been replaced or amended to incorporate the new SCCs.
The EDPB also adopted the Guidelines 04/2021 on codes of conduct as tools for transfers, the Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, each for public consultation. The latter Guidelines aim to clarify the territorial scope of the GDPR and the provisions on international transfers, to assist controllers and processors to determine whether a particular data processing activity falls directly under the GDPR, or should be covered by a legal data transfer mechanism to provide adequate safeguards.
In light of these developments, several Member State supervisory authorities issued statements and guidance in relation to matters concerning international data transfers:
On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom, under the GDPR and the Law Enforcement Directive. These decisions will allow personal data to flow freely from the EU to the UK without the need for additional tools or authorisations. The adequacy findings include a ‘sunset clause’, which means that the decisions will automatically expire four years after their entry into force. It is likely that the decisions will only be renewed if the UK continues to ensure an adequate level of data protection of personal data.
On 17 December 2021, the European Commission also adopted the South Korea adequacy decision, making it possible for personal data to be transferred safely from the EU to the Republic of Korea. With this decision, the Commission guarantees that the South Korean legislation on data protection, combined with the additional safeguards implemented in the country, ensure an adequate level of protection for EU data subjects’ personal data.
As we indicated was likely in the 2021 International Outlook and Review, the e-Privacy Regulation, which was proposed by the European Commission in 2017 to update laws applicable to telecoms, digital and online data processing, was not adopted in 2021.
In 2021, the Council, the European Parliament and the European Commission initiated joint discussions for the adoption of the e-Privacy Regulation. Although the co-legislators failed to find common ground, the situation does not look as dim as in 2020 and 2021. Legislators and industry experts are confident that the final Regulation will be adopted in 2022 or 2023.
Relatedly, European e-privacy laws have continued to be the object of enforcement by EU data protection authorities. As explained further in Section I.E below, in 2021, the Luxemburg, French and Spanish supervisory authorities, among others, imposed significant fines on companies for e-privacy violations (e.g., setting of cookies, the use of online targeted advertising and the use of telemarketing, without consent).
As explained in past iterations of the International Outlook and Review, the Network and Information Security (“NIS”) Directive, the first piece of EU-wide legislation on cybersecurity, had the specific aim of achieving a high common level of cybersecurity across the Member States.
While the NIS Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult and resulted in a patchwork of national legislations across the EU. To respond to the growth of digitalisation and cyber-attacks, on 16 December 2020, the European Commission submitted the NIS2 Directive Proposal to replace the NIS Directive. The NIS2 Directive Proposal aims to strengthen the security requirements, address the security of supply chains, streamline reporting obligations and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. The NIS2 Directive Proposal will also have a broader scope of application, effectively requiring more entities and sectors to take the prescribed measures in relation to cybersecurity.
Further to the Council discussions, the European Parliament adopted its report on 28 October 2021, leading to interinstitutional negotiations with the European Commission. It is expected that the NIS2 Directive will be effectively adopted in 2022 or in 2023.
The EDPB also issued its Strategy 2021-2023, as well as its Work Program 2021/2022, notably announcing awaited Guidelines on, inter alia, legitimate interest, blockchain and the calculation of administrative fines.
In 2021, the GDPR and the e-Privacy Directive continued to be applied and enforced by EU Member State supervisory authorities. As explained in previous issues of our Outlook and Review, the GDPR put in place a one-stop shop mechanism to enable lead supervisory authorities of one Member State to adopt decisions and impose fines for EU-wide GDPR violations resulting from cross-border data processing activities.
On 15 June 2021, the CJEU generally upheld and confirmed the status of lead supervisory authorities as “sole interlocutors” of controllers and processors that process personal data cross-border within the EU. Other supervisory authorities cannot therefore initiate any action, administrative or in court, that runs in parallel to that of the lead supervisory authority, except in exceptional circumstances foreseen by the GDPR (e.g., in urgency procedures under Article 66).
The GDPR’s jurisdictional rules were also addressed in another matter before the supervisory authority in France. In 2016, the French data protection authority (“CNIL”) had initiated investigations against the EU operations of a U.S. tech company regarding particularly its data sharing activities with the U.S. parent company. Among the alleged grievances being investigated, the CNIL considered that such data sharing was undertaken without appropriate legal basis. However, one of the key procedural issues being disputed was to determine whether the CNIL still had jurisdiction over a case initiated prior to the GDPR, but which continued after the GDPR became applicable in 2018 and after the U.S. tech company set up an EU establishment in charge of its processing activities in the same year. The CNIL eventually held in 2021 that it did not have jurisdiction on this case and did not sanction the U.S. tech company.
On 16 July 2021, the Luxembourg CNPD imposed a record-breaking €746 million fine on an e-commerce and online services corporation and required the company to remedy the instances of non-compliance within six months, with a penalty of €746,000 per day of delay. According to the plaintiff, La Quadrature du Net, the company was processing personal data for targeted advertising purposes without a valid legal basis. The sanction has since been partially suspended by a local administrative court.
On 2 September 2021, the Irish Data Protection Commission (“DPC”) imposed a fine of €225 million on online messaging service provider for allegedly failing to meet its transparency obligations under the GDPR. Given that the company’s data processing activities were cross-border, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under the GDPR.
On 25 May 2021, the German Competition Authority (“Bundeskartellamt”) opened proceedings under Germany’s 2021 GWB Digitalization Act against Google Germany GmbH, Google Ireland Ltd., Dublin, Ireland, and Alphabet Inc., USA, reviewing Google’s data processing terms and cross-service data processing. Subsequently, on 30 December 2021, it took a decision determining that Google has a paramount significance for competition across markets which is a prerequisite for the further investigation under the new law. Of note, the German Bundeskartellamt is not a supervisory authority under the GDPR, but is an active enforcer in the digital economy – including at the interface to the processing of personal data under the GDPR.
In addition, throughout 2021, several European Supervisory Authorities issued fines around €5-10 million, including for unlawful employee surveillance or marketing calls and lack of valid consent for the processing of personal data.
In the UK, the Information Commissioner’s Office (“ICO”) has continued to undertake efforts to enforce the UK GDPR and the Data Protection Act 2018. Notably, in 2021, it announced its provisional intent to fine Clearview AI, Inc. £17 million for its processing of biometric data scraped from the internet, and issued a provisional notice to stop further processing and delete the personal data of individuals in the UK. Throughout the year, the ICO also imposed fines of a lower amount to corporations and local businesses for their failure to apply data protection and e-privacy laws.
In addition to its enforcement action, the UK ICO also undertook efforts to complete its regulatory framework post-Brexit. The most important development relates to the publication of draft international data transfer agreement (“IDTA”) and guidance, which were subject to consultation and are intended to replace the EU’s legacy SCCs.
As we indicated in the 2021 International Outlook and Review, on 25 September 2020, the Swiss Parliament adopted the revised version of the Federal Act on Data Protection 1992 (“Revised FADP”). In anticipation of its upcoming entry into law in the second half of 2022, on 5 March 2021, the Federal Data Protection and Information Commissioner (“FDPIC”) published guidance on how the private sector and federal authorities needed to adapt their processing activities to comply with the new provisions of the Revised FADP. In particular, the guidance covers the right to data portability, codes of conduct, records of processing activities and cross-border transfers and extended requirements around providing information on data processing and transparency under the Revised FADP.
On 23 June 2021, the Swiss Federal Council also released a draft revised Ordinance on the Federal Data Protection Act for public consultation following the adoption of the Revised FADP. In particular, the Council highlighted that the revisions to the Ordinance include minimum data security requirements, the modalities of the duty to inform data subjects, the right of access, data breach notification requirements, and exceptions to the obligation to keep a record of data processing activities for companies with fewer than 250 employees. Furthermore, the draft Ordinance specifies the criteria which the Council must take into account in its assessment of the adequacy of transfers of personal data to third countries, and includes a draft list of 34 countries which are considered to provide an adequate level of protection.
With regard to data transfers, the FDPIC published a guide on 18 June 2021 to allow companies to review the admissibility of data transfers to third countries in accordance with the Federal Act on Data Protection 1992. The guide provides a flowchart detailing the actions required by organisations to ensure data transfers are made in compliance with the Act and, notably, elaborates on the legal requirement that apply to transfers to third countries that do not appear on the FDPIC list of adequate countries.
Furthermore, on 27 August 2021, the FDPIC announced that the new SCCs adopted by the European Commission on 4 June 2021 for data transfers to third countries were also valid under Swiss law. The FDPIC recalled that the Commission’s SCCs may be used by data exporters, provided that the necessary adaptations and amendments be made for use under Swiss data protection law (i.e., replacing references to the EU with references to Switzerland). In addition, in line with the timeline in the EU, the FDPIC confirmed that the European Commission’s old SCCs could still be entered into until 27 September 2021 and existing agreements entered into under the old SCCs may still be used during a transitional period until 31 December 2022.
As we indicated in the 2021 International Outlook and Review, Russia undertook a number of legislative modifications in 2021 to enhance and complete its data protection regime, notably in terms of increasing applicable fines.
In the same vein, Russia adopted a new federal law in 2021 ‘On Amendments to the Code of Administrative Offenses’, which increased the amounts of administrative fines prescribed in the Code of Administrative Offenses against the Federal Law On Personal Data. The amendments do not touch upon the highest fines for breaching the data localisation requirement, but do increase the administrative fines for repeated offenses (i.e., offences that occur within one year from the date the previous violation was enforced). Recidivism concerning the localisation requirement may lead to fines between RUB 6,000,000 and 18,000, 000 (approximately USD 80,000 to 240,000) on companies, and responsible managers may face fines between RUB 500,000 and 800,000 (approximately USD 6,600 to 10,500).
In addition, the Russian Federal Service for the Supervision of Communications, Information Technology and Mass Communications (“Roskomnadzor”) and the Russian Parliament (“Duma”) have continued to undertake efforts to protect Russian consumers and citizens. First, on 29 March 2021, the Ministry of Digital Development published draft amendments to the Federal Law of 27 July 2006 No. 152-FZ on Personal Data in order to require telecom operators to obtain the consent of subscribers prior to the sale of their personal data for telemarketing purposes.
On 1 July 2021, the Roskomnadzor also announced that it had launched an online service allowing companies to obtain and record consent to the processing of personal data collected directly from the data subject. The Roskomnadzor claims that the template service will enable operators to meet the consent requirements following the entry into force of the amendments to the Federal Law on Personal Data in March 2021. Furthermore, the Roskomnadzor noted that the template may be customised to the specific activities of the operator, and that data subjects may record their preferences as to how their personal data may be processed and further distributed to third parties.
Finally, on 10 November 2021, the Duma registered a bill on ‘Amendments to Article 14.8 of the Code of the Russian Federation on Administrative Offences’ in order to prohibit companies from forcing consumers to provide personal data in cases where such data is not necessary to complete the transaction and is not provided for by legislation.
In 2021, the Turkish data protection authority (“KVKK”) proceeded with its significant activity in providing guidance on the application of the Turkish Data Protection Act. Notably, on 20 October 2021, it issued guidance on the right to be forgotten (“RTBF”) in respect of search engines. The guidance follows up on the KVKK Board Decision 2020/481 regarding the requests of individuals to remove names, surnames and the results of searches made through search engines from the index, and it aims to clarify issues relating to the exercise of the RTBF. Among other points, it indicates that the individuals may exercise the RTBF either by making a request to the data controller (search engine) or by complaining to the KVKK.
Finally, throughout 2021, the KVKK continued with its enforcement of the Turkish Data Protection Act. For example, on 21 June 2021, it imposed a fine of TRY 800,000 (approx. €77,390) on an e-commerce site for data security and breach notification failures under the Turkish Data Protection Act. In particular, the KVKK noted that the investigation was triggered by a complaint that access to the information of third-party companies was provided through the customer service panel on the e-commerce site. On 3 September 2021, the KVKK published a summary of review of a decision concerning an online messaging service provider, in which it imposed a fine of TRY 1,950,000 (approx. €195,000) for allegedly failing to take necessary technical and administrative measures to ensure data security pursuant to the Act.
As explained in the 2021 International Outlook and Review, the Australian government is currently undertaking a wholesale review of the Privacy Act 1988 with a view to implementing significant reforms to the country’s privacy regime. In October 2021, the Attorney-General’s Department released a discussion paper considering the items raised in the issues paper published in October 2020 (and referred to in the 2021 International Outlook and Review) and has sought further feedback on the proposed reforms. Submissions on the discussion paper closed on 10 January 2022, and those submissions will now form the basis of a final report to be submitted to government.
The discussion paper proposes wide-ranging reforms which would align Australia’s privacy regime more closely to global equivalents, such as the GDPR, in order to reflect recent developments in the digital economy, including to expand the definition of personal information, impose stricter anonymisation requirements on organisations subject to the laws, increase maximum civil penalties for non-compliance, strengthen the rights of individuals to object to the collection and use of disclosure of their information or require its erasure and to modify the framework for international data transfers.
This review has been conducted concurrently with a public consultation process on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (“Online Privacy Bill”), which was released on 25 October 2021. The Online Privacy Bill proposes to establish a binding privacy code for social media platforms, data brokerage services and large online platforms, expand the enforcement options available to the regulator and significantly broaden the extra-territorial reach of the Privacy Act 1988 to apply to acts performed outside Australia by foreign organisations carrying on business in Australia. Submissions on the Online Privacy Bill closed on 6 December 2021 and those submissions will inform further development of the Online Privacy Bill before its introduction to Parliament in 2022.
In addition to the ongoing review of the Privacy Act 1988 and the Online Privacy Bill, the US and Australian governments signed an agreement on 15 December 2021 to facilitate access to electronic data for investigations authorised by the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018. This agreement allows authorities from each country to access certain data directly from providers operating in the others’ jurisdiction to mitigate, detect and investigate serious crimes, including ransomware attacks and terrorism, as well as crimes that sabotage critical infrastructure over the internet. The agreement will undergo parliamentary and congressional review procedures in 2022 and is intended to replace the mutual legal assistance mechanism currently used to access data from such providers, which relevant authorities perceive as too slow and awkward to fulfil its intended purpose.
On 20 August 2021, the Standing Committee of China’s National People’s Congress passed the Personal Information Protection Law (“PIPL”), which took effect on 1 November 2021. The PIPL applies to “personal information processing entities (‘PIPEs’)”, defined as “an organisation or individual that independently determines the purposes and means for processing of personal information”. The PIPL defines “personal information” broadly as “various types of electronic or otherwise recorded information relating to an identified or identifiable natural person”, excluding anonymised information, and defines “processing” as “the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information” (PIPL Article 4).
The PIPL shares many similarities with the EU’s GDPR, including its extraterritorial reach, restrictions on data transfer, compliance obligations and sanctions for non-compliance, amongst others. The PIPL raises some concerns for companies that conduct business in China, even where such companies’ data processing activities take place outside of China, and the consequences for failing to comply could potentially include monetary penalties and companies being placed on a government blacklist.
The PIPL applies to cross-border transmission of personal information and applies extraterritorially. Where PIPEs transmit personal information to entities outside China, they must inform the data subjects of the transfer, obtain their specific consent to the transfer and ensure that the data recipients satisfy standards of personal information protection similar to those in the PIPL. The PIPL applies to organisations operating in China, as well as to foreign organisations and individuals processing personal information outside China in any one of the following circumstances: (1) the organisation collects and processes personal data for the purpose of providing products or services to natural persons in China; (2) the data will be used in analysing and evaluating the behaviour of natural persons in China; or (3) under other unspecified “circumstances stipulated by laws and administrative regulations”. This is an important similarity between the PIPL and GDPR, as the GDPR’s data protection obligations apply to non-EU data controllers and processors that track, analyse and handle data from visitors within the EU. Similarly, under the PIPL, a foreign receiving party must comply with the PIPL’s standard of personal information protection if it handles personal information from natural persons located in China.
The PIPL gives the Chinese government broad authority in processing personal information. State organisations may process personal information to fulfil statutory duties, but may not process the data in a way that exceeds the scope necessary to fulfil these statutory duties. Personal information processed by state organisations must be stored within China.
The PIPL establishes guiding principles on protection of personal information. According to the PIPL, processing of personal information should have a “clear and reasonable purpose” and should be directly related to that purpose. The PIPL requires that the collection of personal information be minimised and not excessive, and that PIPEs ensure the security of personal information. To that end, the PIPL imposes a number of compliance obligations on PIPEs, including requiring PIPEs to establish policies and procedures on personal information protection, implement technological solutions to ensure data security and carry out risk assessments prior to engaging in certain processing activities.
The PIPL adopts a risk-based approach, imposing heightened compliance obligations in specified high-risk scenarios. For instance, PIPEs whose processing volume exceeds a yet-to-be-specified threshold must designate a personal information protection officer responsible for supervising the processing of personal data. PIPEs operating “internet platforms” that have a “very large” number of users must engage an external, independent entity to monitor compliance with personal information protection obligations, and regularly publish “social responsibility reports” on the status of their personal information protection efforts. The law mandates additional protections for “sensitive personal information”, broadly defined as personal information that, once disclosed or used in an illegal manner, could infringe on the personal dignity of natural persons or harm persons or property. “Sensitive personal information” includes biometrics, religious information, special status, medical information, financial account, location information and personal information of minors under the age of 14. When processing “sensitive personal information”, according to the PIPL, PIPEs must only use information necessary to achieve the specified purpose of the collection, adopt strict protective measures and obtain the data subjects’ specific consent.
The PIPL creates legal rights for data subjects. According to the new law, PIPEs may process personal information only after obtaining fully informed consent in a voluntary and explicit statement, although the law does not provide additional details regarding the required format of this consent. The law also sets forth certain situations where obtaining consent is unnecessary, including where necessary to fulfil statutory duties and responsibilities or statutory obligations, or when handling personal information within a reasonable scope to implement news reporting, public opinion supervision and other such activities for the public interest. Where consent is required, PIPEs should obtain a new consent where it changes the purpose or method of personal information processing after the initial collection. The law also requires PIPEs to provide a convenient way for individuals to withdraw their consent, and mandates that PIPEs keep the personal information only for the shortest period of time necessary to achieve the original purpose of the collection. If PIPEs use computer algorithms to engage in “automated decision making” based on individuals’ data, the PIPEs are required to be transparent and fair in the decision making, and are prohibited from using automated decision making to engaging in “unreasonably discriminatory” pricing practices. “Automated decision-making” is defined as the activity of using computer programs to automatically analyse or assess personal behaviours, habits, interests, hobbies, financial, health, credit or other status, and make decisions based thereupon. When individuals’ rights are significantly impacted by PIPEs’ automated decision making, individuals can demand PIPEs to explain the decision making and decline automated decision making.
The PIPL creates penalties for organisations that fail to fulfil their obligations to protect personal information. These penalties include disgorgement of profits and provisional suspension or termination of electronic applications used by PIPEs to conduct the unlawful collection or processing. Companies and individuals may be subject to a fine of not more than 1 million RMB (approximately $154,378.20) where they fail to remediate conduct found to be in violation of the PIPL, with responsible individuals subject to fines of 10,000 to 100,000 RMB (approximately $1,544 to $15,438). Companies and responsible individuals face particularly stringent penalties where the violations are “grave”, a term left undefined in the statute. In these cases, the PIPL allows for fines of up to 50 million RMB (approximately $7,719,027) or 5% of annual revenue, although the PIPL does not specify which parameter serves as the upper limit for the fines. Authorities may also suspend the offending business activities, stop all business activities entirely or cancel all administrative or business licenses. Individuals responsible for “grave” violations may be fined between 100,000 and 1 million RMB (approximately $15,438 to $154,383), and may also be prohibited from holding certain job titles, including Director, Supervisor, high-level Manager or Personal Information Protection Officer, for a period of time. In contrast, fines for severe violations of the GDPR can be up to €20 million (approximately $23,486,300) or up to 4% of the undertaking’s total global turnover of the preceding fiscal year (whichever is higher).
For more details regarding potential issues for companies operating in China and the impact of the PIPL, please see our client alert here.
On 29 October 2021, the Cyberspace Administration of China requested public comments on the draft Measures for Data Export Security Evaluation until 28 November 2021. The draft underscores the need to standardise data exports under the PIPL, Cybersecurity Law and Data Security Law. Under the draft, PIPEs transferring data which meets one of the following requirements outside of China are required to submit a report through the provincial Cyberspace Administration: (1) personal information and important data are generated by operators of critical information infrastructure; (2) outbound data contains important data; (3) personal information processors who have processed personal information of one million people; (4) personal information processors who have processed personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad; or (5) other situations required by the Cyberspace Administration.
Following the United States’ proposal of the Cyber Incident Notification Act of 2021 and the EU’s adoption of Directive (EU) 2016/1148 on Security of Network and Information Systems in 2016, China introduced rules to protect the country from cyber-attacks on critical information systems. China’s Regulations on the Security Protection of Critical Information Infrastructure (the “Regulations”) took effect on 1 September 2021.
The Regulations are a key feature of China’s Cybersecurity Law, which was implemented on 1 June 2017. The Regulations protect the security of critical information infrastructure (“CII”) and expand on the Cybersecurity Law by imposing additional compliance obligations. Article 31 of the Cybersecurity Law delegates further authority to the State Council to formulate specific security protection measures for CII. By enacting the Regulations, the State Council has broadened the definition of CII, clarified which authorities are responsible for CII protection, outlined the duties of CII operators and third parties in relation to testing / monitoring CII and established penalties for non-compliance.
The Cybersecurity Law defines CII as infrastructure from important industries, including public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and other critical information infrastructure which may endanger national security, national welfare, people’s livelihoods or the public interest if data is disabled, damaged or leaked. The Regulations not only define CII as those industries identified in Article 31 of the Cybersecurity Law, but also national defence and technology industries. This includes:
The Regulations impose obligations on CII operators (“CIIOs”), including, but not limited to: (1) establishing a security management department; (2) conducting background checks on key personnel with the assistance of police and national security agencies; (3) conducting an annual risk audit and assessing security risks; (4) reporting cyber incidents or threats to relevant authorities (including the Cyberspace Administration and the State Council); (5) conducting cybersecurity reviews when the network products and services a CIIO purchases may influence national security; and (6) reporting any corporate activity that may impact cyber security, including mergers or dissolutions (Regulations Articles 15, 19, 21).
The Regulations prohibit any entity or individual from illegally invading, interfering with or destroying CII and carrying out loophole detection or permeability tests on CII (Regulations Article 5). Additionally, no entity or individual may carry out vulnerability monitoring, penetration testing or other such activities on CII that may influence or endanger the security of CII, unless such entity or individual has received approval from the national cyberspace and informatisation department, the State Council public security department or the relevant protection work department or operator (Regulations Article 31). If an entity or individual chooses to carry out such activities on basic telecommunications networks, it must report such activity in advance to the State Council department in charge of telecommunications (Regulations Article 31).
Under the Regulations, companies may face monetary fines of up to RMB 1 million (USD 155,000) for serious violations, and key individuals may face fines up to RMB 100,000 (US 15,000) (Regulations Articles 39, 40, 41, 42 and 43).
The Regulations will impact network operators as more network operators may be deemed CIIOs and more compliance obligations will likely be imposed by competent industry regulators. Network operators in critical industries should remain alert to their industry regulators and ensure their compliance programs align with the Regulations and the Cybersecurity Law. Global clients that operate in China in the identified industries and sectors should be aware of these requirements and alert to the prospect that they may be designed as CIIOs. Further, firms in the business of carrying out vulnerability monitoring or penetration testing on businesses in China operating in the industries outlined above should be conscious of the prospect that their clients could be considered CIIOs, and should ensure that they are seeking assurances from their clients that they are not CIIOs before undertaking this work. Alternatively, these firms should be prepared for the need to seek approval for this work from the national cyberspace and informatisation department, the State Council public security department or the relevant protection work department or operator.
Chinese authorities announced the Internet Information Service Algorithmic Recommendation Management Provisions, which will come into force on 1 March 2022. These regulations apply to technology such as personalised recommendations, search filters and any algorithms that provide content to users. These regulations cover various services, such as social media platforms and entertainment streaming. The regulations not only apply to the PIPL, but also the Cybersecurity Law, Data Security Law and the Internet Information Services Management Rules for the purpose of promoting national security and public interests.
As indicated in both the 2020 and 2021 International Outlook and Review, the Personal Data Protection Bill 2019 (“PDP Bill”) was introduced in Indian Parliament on 11 December 2019 and subsequently referred to a Joint Parliamentary Committee (“JPC”) for consideration. On 16 December 2021, after a prolonged review period, the JPC tabled its report and suggested amendments to the PDP Bill, which has not yet been enacted. The resulting report and amendments were primarily informed by the stated need to balance data-driven innovation while catering to national security demands. Some of the key recommendations include:
The JPC recommended that a 24-month transitional period should apply for implementation of the PDP Bill to allow relevant parties to update their policies, infrastructure and processes. The JPC’s report and amendments to the PDP Bill will be reviewed by the Parliament before being enacted. Until the PDP Bill is enacted, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 continue to govern data protection in India.
As identified in the 2021 International Outlook and Review, a draft of the Personal Data Protection Act (“PDP Bill”) was submitted to the Indonesian House of Representatives on 24 January 2020. The PDP Bill consolidates the rules related to personal data protection in Indonesia and is anticipated to establish data sovereignty and security as the keystone of Indonesia’s data protection regime.
On 1 September 2020, the Ministry of Communication and Information Technology of Indonesia (“Kominfo”) issued a statement claiming that the PDP Bill would be completed by mid-November 2020. However, as of the date of this review, the Indonesian House of Representatives is still yet to pass the PDP Bill due to ongoing debate over the position, form and independence of the authority slated to oversee its regulation and enforcement. Despite this, the expectation is that the PDP Bill will be enacted in the first quarter of 2022.
The Personal Data (Privacy) Ordinance (“PDPO”), passed in 1995, is one of Asia’s longest standing data protection laws. The PDPO was amended in 2021 to combat doxxing acts which intrude on personal data privacy.
The Personal Data (Privacy) (Amendment) Bill 2021 (“PDPO Bill”) came into effect on 8 October 2021 after the Hong Kong legislature passed the legislation on 29 September 2021. The PDPO Bill criminalises doxxing acts, including imprisonment for five years and fines up to HK$1 million. In addition, the PDPO Bill empowers the Office of the Privacy Commissioner for Personal Data to persecute individuals for doxxing incidents and perform related criminal investigations.
As explained in the 2021 International Outlook and Review, the Parliament of Japan adopted a bill on 5 June 2020 to amend the currently applicable general data protection law, the Act on the Protection of Personal Information (“APPI”). The APPI will take force on 1 April 2022, while transitional measures for companies that share data with third parties took effect on 1 October 2021.
On 26 October 2021, the Personal Information Protection Commission of Japan, the European Commission and other relevant authorities conducted the first review of the EU-Japan mutual adequacy arrangement effective in 2019. The Commissions will publish separate reports to conclude the review process.
In 2021, the Standing Committees on Innovation and e-Policy and Legal Affairs in Mongolia opened discussions on a Draft Law on the Protection of Personal Information, which details data subject rights, requirements and responsibilities for data processors and controllers, and requirements for overseas data transfers.
The New Zealand Privacy Act 2020 (“NZ Privacy Act”) came into force on 1 December 2020, repealing and replacing an existing 1993 act. In implementing the new act, the New Zealand government sought to modernise the privacy regime in New Zealand and reflect global trends in international privacy standards and the digital economy. While the NZ Privacy Act remains less onerous than international equivalents, such as the GDPR, it nonetheless introduces significant reforms to the privacy regime in the country, such as mandatory data breach reporting, broader investigative and enforcement powers for the regulator and new criminal offences and penalties, including fines of up to NZ$10,000. Pursuant to the changes, the NZ Privacy Act applies extraterritorially to overseas organisations carrying on business in New Zealand and which hold information about New Zealand individuals.
Despite these recent reforms, the Office of the Privacy Commissioner of New Zealand recommended in 2021 that “further changes are desirable” in response to fast-changing technologies. The proposed changes include the introduction of a right of personal information portability and a right to be forgotten, protection against the risk of re-identification from de-identified information, limitation of harm caused by automated decision making algorithms, increased civil penalties for non-compliance and expanded powers of the regulator to require compliance reporting by organisations subject to the NZ Privacy Act.
On 4 February 2021, the National Privacy Commission of the Philippines (“NPC”) announced the approval of a substitute bill to amend the Data Privacy Act of 2012 (“PDPA”). The proposed bill seeks to implement wide-ranging reforms to the Philippines privacy regime, including to redefine “sensitive personal information” to include biometric and genetic data, clarify the extra-territorial application of the PDPA (including in circumstances where an organisation offers goods or services, or monitors the behaviour of individuals within the Philippines or where it has a link with the country), render performance of a contract as a lawful basis for processing of personal information, allow controllers outside of the Philippines to authorise processors within the Philippines to notify the Commissioner of a data breach, widen the enforcement powers of the regulator and modify the criminal penalties for non-compliance.
As explained in the 2021 International Outlook and Review, data protection in Singapore is currently governed by the Personal Data Protection Act 2012 (“Singapore PDPA”).
The initial phase of the Personal Data Protection (Amendment) Act 2020 (No. 40 of 2020) (“Singapore PDPA Amendments”) took effect on 1 February 2021. On 1 February 2021, the Singapore PDPA Amendments’ requirement for mandatory notification to the Personal Data Protection Commission (“PDPC”) for data breaches came into force. This requires organisations to notify the PDPC no later than three calendar days after the organisation determines that a data breach is notifiable if either of the following occurs: (1) a data breach that results in or is likely to result in significant harm to the data subject or (2) a data breach of a significant scale (i.e. which involves more than 500 affected data subjects). The PDPC also made follow-up amendments on 1 October 2021 to clarify these situations.
On 25 November 2021, the PDPC announced its collaboration with the Singapore Police Force and Cyber Security Agency of Singapore to develop a handbook on the Singapore PDPA, Cybersecurity Act 2018 (No. 9 of 2018) and Computer Misuse Act (Cap. 50A).
On 9 December 2021, Singapore and the United Kingdom published a Digital Economy Agreement (“DEA”). The DEA aims to facilitate cross-border data flows while upholding data protection standards. Furthermore, both countries have committed that neither will introduce unjustified data localisation requirements, giving businesses in the United Kingdom a guarantee that they will not have to pay for data storage and processing in Singapore. The DEA will require both countries to maintain their data protection frameworks.
As explained in the 2021 International Outlook and Review, data protection in South Korea is currently governed by the Personal Information Protection Act (“PIPA”).
As noted above, on 17 December 2021, the PIPC and the European Commissioner for Justice formally announced an adequacy agreement between South Korea and the European Union for transfers of personal data. This adequacy agreement promotes the transfer of personal data between South Korea and the European Union without additional mechanisms or authorisations for data transfers.
Sri Lanka’s official gazette published the Regulation of Processing of Personal Data (2021) on 25 November 2021 to be considered by the Parliament of Sri Lanka.
As noted in both the 2020 and 2021 International Outlook and Review, the Personal Data Protection Act 2019 (“Thailand PDPA”), which is the first consolidated data protection law in Thailand, was originally expected to come into full effect on 27 May 2020. However, in May 2020, and then again in May 2021, the government of Thailand approved a Royal Decree to postpone the application of the Thailand PDPA until 31 May 2021 and, subsequently, 31 May 2022, citing the negative effects of the COVID-19 pandemic and the requirement for further legislative work as the primary reasons for doing so.
Reference must be made to the fact that the Thailand PDPA is largely modelled upon the GDPR, containing many similar provisions, although they differ in areas such as anonymisation. Moreover, the Thailand PDPA provides for the creation of a 16-member Personal Data Protection Committee (“PDPC”), which is yet to be fully established. As such, the MDES is currently acting as the supervisory authority for any data protection–related issues within Thailand. Once created, the PDPC is expected to adopt notices and regulations to clarify and guide data controllers and other stakeholders on how to prepare for and remain compliant with the requirements under the Thailand PDPA once it is passed.
As explained in the 2021 International Outlook and Review, the data protection framework in Vietnam is fragmented, and relevant provisions can be found in numerous laws. In February 2020, however, a draft personal data protection decree (“Draft PDPD”) was released, which sets out principles of data protection, including purpose limitation, data security, data subject rights and the regulation of cross-border data transfers. Moreover, the Draft PDPD contains provisions on obtaining consent of data subjects, the technical measures needed to protect personal data, the creation of a data protection authority and the introduction of penalties for non-compliance, ranging between VDN 50 million to VDN 100 million.
From February to April 2021, the Ministry of Public Security sought public comments on the Draft PDPD with a view to the final decree coming into effect on 1 December 2021. As of the date of this publication, the Draft PDPD remains unissued, with little clarity over the timing of the parliamentary process required for it to come into effect.
On 15 October 2021, the Data Protection Act entered into effect, more than three years after it was passed by the National Assembly on 12 July 2018. The Act’s transition period is 12 months from the date of commencement and will automatically end on 15 October 2022, meaning that data controllers, including companies and organisations, must take compliance measures until that date. The Act requires data controllers and processors to respect in their processing: the lawfulness and fairness of processing, imposes limitations with respect to the purpose of processing, personal data retention and minimisation, in addition to other protections concerning the relevance and adequacy, integrity and confidentiality of personal data collected by entities. Further, the Act provides for data subject rights, including the right to be informed, the right to access, the right to be given reasons if the access is denied, the right to object and revoke consent and the right to raise a challenge for purposes of deletion and amendment, in addition to setting out restrictions of matters such as direct marketing, sensitive data and data transfers. The Act creates the Information and Data Protection Commission, which will be responsible to protect the personal rights of individuals with regard to their personal data, and to ensure the effective application and enforcement of the Act. Unlike the GDPR, the Act also provides for significant potential prison terms ranging from three to 12 years for certain violations.
In 2021, the Ministry of ICT, Innovation and Youth Affairs launched a public consultation on three draft data protection regulations, which remained open until 11 May 2021:
In January 2021, the Office of the Data Protection Commissioner published a guidance note on access to personal data during the Coronavirus pandemic. According to the guidance, the access and processing of personal data of individuals in response to the pandemic is subject to the Data Protection Act No. 24 of 2019. The key principles emphasised by the guidance include the processing of personal data in an accountable manner, the maintenance of the integrity and confidentiality of data and the responsibility for the implementation of a protection and safeguarding personal data mechanism.
The National Information Technology Development Agency (“NITDA”) announced in a press release on 12 November 2021 its collaboration with the Federal Competition and Consumer Protection Commission (“FCCPC”) in order to combat data privacy abuse by money lending operators. The partnership is anticipated to provide a more robust and concerted regulatory approach while ensuring that Nigerians get necessary reprieve from the illegal use of their personal data for money lending operations, including through joint investigations, enforcement and possible prosecution for non-compliance.
In this regard, NITDA announced, on 17 August 2021, that it had fined Soko Loans Lending Company Limited NGN 10 million (approx. €20,700) for various violations of the Nigeria Data Protection Regulation, 2019 (“NDPR”), marking the first fine issued under the NDPR. NITDA outlined that the fine followed an investigation into a series of complaints against Soko Loans for unauthorised disclosures, failure to protect customers’ personal data and defamation of character, as well as failure to carry out the necessary due diligence required by the NDPR. Soko Loans grants its customers uncollateralised loans and requires them to download its mobile application on their phone and activate a direct debit in the company’s favour. The app gains access to the borrowing customer’s phone contacts. Following the complainant customers’ failures to meet loan repayment obligations, the company unilaterally sent privacy invading messages to their contacts (who were neither were parties to the loan transaction nor consented to the processing of their data). In addition, NITDA found that Soko Loans embedded trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis. NITDA therefore found that Soko Loan and its entities violated multiple provisions of the NDPR.
In addition to a financial penalty, NITDA compelled Soko Loans to suspend the issuance of privacy-invading messages to any Nigerian until the company and its entities show full compliance with the NDPR, paid for the conduct of a Data Protection Impact Assessment by a NITDA appointed DPCO, and were placed on mandatory Information Technology and Data Protection supervision for nine months.
Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy (the “Law”) came into effect upon its publication in the Rwanda Official Gazette on 15 October 2021. The Law establishes provisions relating to the processing of personal data, including the rights of the data subject such as the right to object to the processing of personal data, to personal data portability, to the erasure of personal data and to rectification of incorrect personal information.
The Law also provides for the duties and powers of the supervisory authority relating to the protection of personal data and privacy, stipulates the obligations and registration requirements of data controllers and processors, and includes provisions regarding the sharing, transfer and retention of personal data. Moreover, the Law provides for the consequences and sanctions of non-compliance, including fines ranging from RWF 2,000,000 (approx. €1,500) to RWF 5,000,000 (approx. €4,243) or, in the case of a corporate body or legal entity, 1% of their global turnover in the preceding financial year.
The Law provides for a two-year transitional period before its application to data controllers or data processors who are already in operation. The National Cyber Security Authority (“NCSA”) has been designated as the supervisory authority in charge of enforcement of the Law.
On 10 December 2021, the NCSA issued a notice on the Personal Data Law detailing that the Personal Data Law requires all those who wish to process personal data to register with the NCSA as a data controller or data processor.
On 14 December 2021, the NCSA also published a notice clarifying that consent of the data subject is a key foundation to the lawful collection and processing of personal data and may be made in oral, written or electronic format.
The enforcement powers of the supervisory authority of South Africa (the “Information Regulator”) under the Protection of Personal Information Act, 2013 (“POPIA”) came into effect on 1 July 2021, following the conclusion of a 12-month transitional grace period.
In 2021, the Information Regulator issued a set of notices and rules for guidance on different sections of POPIA. Notably:
Finally, on 1 June 2021, the President assented to the Cybercrimes Act 19, 2020, which intends to criminalise the disclosure of harmful data messages, regulate relevant government authorities’ powers to investigate cybercrimes, provide for the establishment of a designated Point of Contact and impose obligations to report cybercrimes. The President has not yet proclaimed the commencement date of this new legislation.
Other developments in 2021 in data protection and cybersecurity regulation in Africa include:
On 2 November 2021, the PDPO issued a press release announcing that it required data collectors, processors and controllers to register on its website before the end of the grace period of 31 December 2021 and that it will begin enforcement measures for those that do not in January 2022.
On 6 January 2022, the Government of Israel published a Bill amending and updating Israel’s Protection of Privacy Law, 5741-1981 (“PPL”). The Deputy Prime Minister and the Minister of Justice announced that the Bill aims to protect citizens and adapt the PPL’s provisions and enforcement to the current digital era. The most noteworthy amendments, summarised by Israel’s Privacy Protection Authority (“PPA”), include the expansion of PPA’s substantive investigation and enforcement powers, including the imposition of administrative sanctions in an amount up to 3.2 million NIS ($1 million), the adaptation of definitions in the law to technological and social developments, and the reduction of bureaucratic burdens through a significant reduction in the obligation to register databases. The Bill would be effective six months after its approval by the parliament.
Before the introduction of the Bill, a ransomware attack on sensitive data of more than 290,000 Israeli medical patients and members of an LGBTQ+ website was reported. An Iranian-based hacking group targeted host program CyberServe and, on 2 November 2021, released the data, demanding a ransom of $1 million that the company refused. Israel’s National Cyber Directorate had previously warned CyberServe on multiple occasions that its systems were not secure. The ransomware attack was followed by a press release of the U.S. Department of the Treasury on 14 November 2021, announcing that it established a partnership with Israel to combat ransomware.
On the enforcement side, on 23 May 2021, the PPA announced that, following a serious information security incident that resulted in the disclosure of sensitive personal information from the databases of the Hod Hasharon Municipality, it had determined that the Hod Hasharon Municipality had violated the Privacy Protection Law and regulations under it. The PPA’s investigation concluded that sensitive personal information, including documents, email correspondence and complaints from residents (including names and ID numbers and information about employees using municipal systems) contained in the municipality’s database, was accessible to unauthorised persons, and that the municipality did not take appropriate measures to assure that access to the database was carried out by authorised users. Additionally, according to the PPA’s findings, the municipality had not conducted an assessment to identify security risks in its systems at the required time and did not correct the findings of a previous assessment, as required by the Protection of Privacy (Data Security) Regulations, 5777 – 2017. In light of this, the PPA gave the municipality instructions to correct the deficiencies discovered and fined it NIS 10,000 (approx. €2,530) for failing to register databases required to be registered under the provisions of the PPL.
In his efforts to support the global fight against COVID-19, Israel’s Prime Minister Benjamin Netanyahu announced an agreement between the Israeli Ministry of Health (“MoH”) and Pfizer for an expedited supply of COVID-19 vaccines to Israel, under which Israel agreed to share with Pfizer “statistical data that would help develop strategies for defeating the coronavirus”. In order to address privacy and transparency concerns, the MoH published a partially redacted version of its Real-World Epidemiological Evidence Collaboration Agreement with Pfizer. The agreement provides that the MoH will share “aggregate de-identified data” and jointly analyse such data with Pfizer. In particular, the MoH is required to provide “data transfers” that include, “at a minimum”, weekly counts of confirmed COVID-19 cases, hospitalisations, severe or critical cases, ventilator use, deaths, symptomatic cases, vaccines given “by age and other demographic subgroups” and COVID-19 cases by age groups “and other demographic factors”. The MoH undertook to provide such data “solely in a form rendered anonymised by the MoH in accordance with Regulatory Requirements” so that the data could not reasonably be used to re-identify the identity of an individual.
In late 2021, the UAE issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the “Data Protection Law”), alongside a law establishing the new UAE Data Office with the mandate to ensure the full protection of personal data, monitor the application of the Data Protection Law and issue necessary guidelines and instructions for its implementation (Federal Decree Law No. 44/2021 on Establishing the UAE Data Office).
According to the announcement of the Cabinet of UAE, the Data Protection Law relevantly:
The Data Protection Law became effective on 2 January 2022. Executive regulations are due to be issued within six months of the date of issuance of the Data Protection Law (i.e. by 20 March 2022). UAE companies will then have six months from the issuance of those executive regulations to comply with the Data Protection Law (although that period may be extended by the Cabinet).
On 14 February 2021, following public consultation conducted in 2020, the Abu Dhabi Global Market (“ADGM”) announced that it had enacted the Data Protection Regulations 2021, which replaced the Data Protection Regulations 2015. In its announcement, ADGM endorsed the EU’s GDPR for its robust data protection provisions and outlined that the new Regulations intend to be proportionate and business friendly, without undermining the key ambition of achieving a high standard of protection for personal data. Acknowledging that the adoption of the new Regulations will result in additional responsibilities for data controllers and data processors, ADGM proposed a transitional grace period of 12 months for current establishments and six months for new establishments, starting from 14 February 2021. The Office of Data Protection (“ODP”) has been established to monitor the compliance with the new Regulations. The ODP has also published several guidance notes and templates to support ADGM entities and authorities in compliance with the Regulations.
Other developments in 2021 in data protection and cybersecurity regulation in the Middle East include:
As we indicated in the 2021 International Outlook and Review, the biggest data protection development in Brazil in 2020 was the entry into force of Law No. 13.709 of 14 August 2018 and the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (“LGPD”), on 18 September 2020.
During 2021, the Brazilian data protection authority (“ANPD”) adopted and published a series of guidance and FAQs regarding the LGPD. In particular:
Finally, while the ANPD assumed its enforcement and fining powers, other Brazilian authorities have applied and enforced rules that concerned the protection of personal data in their territories. For example, on 14 June 2021, the Brazilian Federal Department of Consumer Protection of the National Consumer Secretariat (“SENACON”) announced that it had fined Banco Cetelem S.A. with BRL 4,000,000 (approx. €653,200) for financial fraud that included the contracting of payroll loans with the improper use of personal data of elderly consumers. In addition, on 13 July 2021, the Protection and Consumer Defence Foundation of the State of Mato Grosso (“Procon-MT”) fined the pharmacies Droga Raia S.A and Drogasil S.A BRL 572,680.71 (approx. €94,210) for the irregular receipt of authorisation from customers for the processing and use of their data.
There have also been significant developments in the adoption and enforcement of cybersecurity and data privacy laws in other Central and South American jurisdictions in 2021. We have set out highlights in key countries below:
As can be seen, 2021 was an eventful year in the field of data protection and privacy worldwide. In addition to the recently adopted laws and regulations on data privacy adopted by China, UAE, Brazil and Mexico, international lawmakers put a special focus on the regulatory treatment of key issues such as data localisation and transfers (e.g., in the EU, Russia and India).
2022 promises to be an equally active year from a legal and enforcement perspective, as regulators worldwide commence to make use of new legal tools and apply their respective national laws. We will continue to monitor the events in this space, and cover them in our monthly updates and in the Outlook and Review of 2023.
 See, e.g., the French CNIL published guidance on the implementation of the SCCs, two Q&As on the content and the consequences of the Schrems II ruling, as well as a methodology to help controllers identify and process data transfers outside of the EU. German authorities released revised recommendations and updated guidance on international data transfers. The UK ICO launched a public consultation on its draft international data transfer agreement that would replace the current SCCs to take into account the Schrems II ruling.
 See http://www.raadvst-consetat.be/Arresten/251000/300/251378.pdf#xml=http://www.raadvst-consetat.be/apps/dtsearch/getpdf.asp?DocId=42765&Index=c%3a%5csoftware%5cdtsearch%5cindex%5carrets%5fnl%5c&HitCount=10&hits=28+29+2c+6b+de+17a+1de+505+150c+1884+&11111202021318.
 Relatedly, some Member States have continued to update their e-privacy legislation under the e-Privacy Directive. For example, in Germany, the Data Protection and Privacy in Telecommunications and Telemedia Act was enacted effective 1 December 2021, and contains comprehensive data protection regulations in the e-privacy field.
 See, e.g. Lower-Saxony Supervisory Authority https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-verhangt-bussgeld-uber-10-4-millionen-euro-gegen-notebooksbilliger-de-196019.html.
 See, e.g. Spanish AEPD https://www.aepd.es/es/documento/ps-00059-2020.pdf and Italian Garante https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9570980.
 See, e.g. Norwegian Datatilsynet https://www.datatilsynet.no/en/regulations-and-tools/regulations/avgjorelser-fra-datatilsynet/2021/gebyr-til-grindr/ and Spanish AEPD https://edpb.europa.eu/news/national-news/2021/spanish-data-protection-authority-aepd-imposes-fine-6000000-eur-caixabank_en.
 See https://www.edoeb.admin.ch/dam/edoeb/en/dokumente/2021/Anleitung für die Prüfung von Datenübermittlungen mit Auslandbezug EN.pdf.download.pdf/Anleitung für die Prüfung von Datenübermittlungen mit Auslandbezug EN.pdf.
 See https://iapp.org/news/a/level-up-russia-enhances-the-protection-of-personal-data/#:~:text=Russia%20amends%20data%20protection%20law%20to%20increase%20personal%20data%20subjects’%20rights,-schedule%20May%2013&text=Beginning%20March%2027%2C%202021%2C%20Russia,period%20for%20data%2Drelated%20breaches.
 See https://kvkk.gov.tr/Icerik/6981/2021-427.
 An unofficial English translation of the newly enacted PIPL is available at <https://digichina.stanford.edu/news/translation-personal-information-protection-law-peoples-republic-china-effective-nov-1-2021> and the Mandarin version of the PIPL is available at <http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml>.
 An unofficial English translation of the Internet Information Service Algorithmic Recommendation Management Provisions is available at <https://digichina.stanford.edu/work/translation-internet-information-service-algorithmic-recommendation-management-provisions-effective-march-1-2022/>.
 Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/24039/siaran-pers-no-15hmkominfo012020-tentang-presiden-serahkan-naskah-ruu-pdp-ke-dpr-ri/0/siaran_pers; the PDP Bill (in Indonesian) is available athttps://web.kominfo.go.id/sites/default/files/users/4752/Rancangan%20UU%20PDP%20Final%20%28Setneg%20061219%29.pdf.
 Press release (in Indonesian) available athttps://www.kominfo.go.id/content/detail/29084/siaran-pers-no-104hmkominfo092020-tentang-pemerintah-apresiasi-pandangan-fraksi-terhadap-ruu-pdp/0/siaran_pers.
 The PDPC’s updated advisory guidelines are available at https://www.pdpc.gov.sg/Guidelines-and-Consultation/2020/03/Advisory-Guidelines-on-Key-Concepts-in-the-Personal-Data-Protection-Act and <https://www.pdpc.gov.sg/Guidelines-and-Consultation/2020/02/Advisory-Guidelines-on-the-Personal-Data-Protection-Act-for-Selected-Topics>.
 The handbook on the Singapore PDPA, Cybersecurity Act 2018 (No. 9 of 2018), and Computer Misuse Act (Cap. 50A) is available at <https://www.csa.gov.sg/News/Publications/overview-of-legislations>.
 More information on the Digital Economy Agreement between Singapore and the United Kingdom is available at <https://www.gov.uk/government/publications/uk-singapore-digital-economy-agreement-agreement-in-principle-explainer/uk-singapore-digital-economy-agreement-agreement-in-principle-explainer>.
 See Act No. 32 of 2018 Data Protection Act (12 July 2018), available athttps://www.bocra.org.bw/sites/default/files/documents/32%20Act%2010-08-2018-Data%20Protection.pdf and Data Protection Act (Commencement Date) Order, 2021 (15 October 2021).
 See Republic of Kenya, Office of the Data Protection Commissioner, “Guidance Note on access to personal date during Covid-19 pandemic” (January 2021), available at https://ict.go.ke/wp-content/uploads/2021/01/Draft-Data-Request-Review-Framework-Jan-2021.pdf.
 The FCCPC is empowered to administer and enforce provisions of every Nigerian law with respect to competition and protection of consumers under Section 17(a) of the Federal Competition and Consumer Protection Act, 2019.
 See “NITDA Collaborates With The Federal Competition And Consumer Commission (FCCPC) To Tackle Data Abuse By Money Lending Operations”, Press Release (12 November 2021), available athttps://nitda.gov.ng/nitda-collaborates-with-the-federal-competition-and-consumer-commission-fccpc-to-tackle-data-abuse-by-money-lending-operations/.
 See “NITDA Sanctions SokoLoan For Privacy Invasion”, Press Release (17 August 2021), available athttps://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/.
 See Law No. 058/2021 Law relating to the protection of personal data and privacy (15 October 2021), available at https://www.minijust.gov.rw/fileadmin/user_upload/Minijust/Publications/Official_Gazette/_2021_Official_Gazettes/October/OG_Special_of_15.10.2021_Amakuru_bwite.pdf.
 See “Rwanda passes new Law protecting personal data”, Press Release (21 October 2021), available at https://www.minict.gov.rw/fileadmin/user_upload/minict_user_upload/Documents/Press_Release/211021_PRESS_RELEASE_Rwanda_s_New_Data_Protection_Law_ENGLISH.pdf.
 See National Cyber Security Authority, “The Significance of Rwanda’s Personal Data Protection and Privacy Law” (10 December 2021), available at https://cyber.gov.rw/updates/article/the-significance-of-rwandas-personal-data-protection-and-privacy-law-1/.
 See National Cyber Security Authority, “Consent, Ownership and Lawful Data Processing” (14 December 2021), available at https://cyber.gov.rw/updates/article/consent-ownership-and-lawful-data-processing-1/.
 See Information Regulator (South Africa), “Guidance Note on Processing of Special Personal Information” (June 2021), available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-Processing-SpecialPersonalInformation-20210628.pdf.
 See Information Regulator (South Africa), “Guidance Note On Exemptions From The Conditions For Lawful Processing Of Personal Information In Terms Of Section 37 And 38 Of The Protection Of Personal Information Act 4 Of 2013, 2021” (June 2021), available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-LawfulProcessing-202106.pdf.
 See Information Regulator (South Africa), “Rules of procedure relating to the manner in which a complaint must be submitted and handled by the Regulator, 2021” (October 2021), available at https://www.justice.gov.za/inforeg/legal/20211012-InfoReg-RulesOfProcedure-HandlingPOPIAcomplaints.pdf.
 See Act No. 19 of 2020 Cybercrimes Act, 2020 (1 June 2021), available at https://www.gov.za/sites/default/files/gcis_document/202106/44651gon324.pdf.
 See “Togo : l’Assemblée nationale ratifie la convention de Malabo et actualise le fonctionnement de la CNDH” (in French) (14 July 2021), available at https://togomedia24.com/2021/07/01/togo-lassemblee-nationale-ratifie/.
 See “Requirement to register with Personal Data Protection Office”, Press Release (2 November 2021), available at https://www.linkedin.com/posts/personal-data-protection-office-pdpo_press-release-on-requirement-to-register-activity-6863366852064628736-wJc_.
 Bill (in Hebrew), available at https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:1510391d-592a-3272-bd12-d559164b70e2#pageNum=1.
 An unofficial translation of the Protection of Privacy Law, 5741 – 1981 is available at https://www.gov.il/BlobFolder/legalinfo/legislation/en/ProtectionofPrivacyLaw57411981unofficialtranslatio.pdf.
 Press Release (in Hebrew), available at https://www.gov.il/he/departments/news/amendments_privacy_protection_act.
 See “Iranian Hacking Group Leaks Patient and LGBTQ Info” (4 November 2021), available at https://www.infosecurity-magazine.com/news/iranian-hacking-group-leaks/.
 See “U.S. Department of the Treasury Announces Partnership with Israel to Combat Ransomware”, Press Release (14 November 2021), available at https://home.treasury.gov/news/press-releases/jy0479.
 Announcement (in Hebrew), available at https://www.gov.il/he/departments/news/privacy_hod_hasharon_city.
 See “Israel to Share Vaccination Data With Pfizer as Part of Secret Deal” (10 January 2021), available at https://www.haaretz.com/israel-news/.premium-israel-to-share-covid-vaccine-data-with-pfizer-but-agreement-remains-secret-1.9438504, and a partially redacted version of the Real-World Epidemiological Evidence Collaboration Agreement, available at https://govextra.gov.il/media/30806/11221-moh-pfizer-collaboration-agreement-redacted.pdf.
 See “UAE adopts largest legislative reform in its history”, Media Release, available at https://uaecabinet.ae/en/details/news/uae-adopts-largest-legislative-reform-in-its-history.
 The Data Protection Laws of UAE are available at https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws.
 See “ADGM enacts its new Data Protection Regulations 2021”, Media Release (14 February 2021), available at https://www.adgm.com/media/announcements/adgm-enacts-its-new-data-protection-regulations-2021.
 See the dedicated website of the Office of Data Protection, available at https://www.adgm.com/operating-in-adgm/office-of-data-protection/overview.
 The Data Protection Guidance 2021, templates and assessments are available at https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance.
 Prime Minister’s announcement (in Arabic), available at http://www.pm.gov.jo/content/1640846700/%D9%85%D8%AC%D9%84%D8%B3-%D8%A7%D9%84%D9%88%D8%B2%D8%B1%D8%A7%D8%A1-%D9%8A%D9%82%D8%B1%D9%91-%D9%85%D8%B4%D8%B1%D9%88%D8%B9-%D9%82%D8%A7%D9%86%D9%88%D9%86-%D8%AD%D9%85%D8%A7%D9%8A%D8%A9-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D9%91%D9%8E%D8%A9.html, and Ministry’s announcement (in Arabic), available at https://modee.gov.jo/Ar/NewsDetails/%D9%82%D8%A7%D9%86%D9%88%D9%86_%D8%AD%D9%85%D8%A7%D9%8A%D8%A9_%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA_%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D9%91%D9%8E%D8%A9_%D9%84%D8%B3%D9%86%D8%A9_2021%D9%85.
 The text of the draft law (in Arabic) is available at http://www.lob.jo/?v=1.14&url=ar/DraftDetails?DraftID:10254,AddComment:0,PageIndex:1&DraftTitle:%D9%82%D8%A7%D9%86%D9%88%D9%86-%D8%AD%D9%85%D8%A7%D9%8A%D8%A9-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-%D8%A7%D9%84%D8%B4%D8%AE%D8%B5%D9%8A%D8%A9-/–%D8%AA%D9%85-%D8%AA%D9%85%D8%AF%D9%8A%D8%AF-%D9%85%D8%AF%D8%A9-%D9%86%D8%B4%D8%B1%D9%87-%D8%B9%D9%84%D9%89-%D8%A7%D9%84%D9%85%D9%88%D9%82%D8%B9-%D8%A7%D8%B1%D8%A8%D8%B9-%D8%A7%D9%8A%D8%A7%D9%85-%D8%B9%D9%85%D9%84-%D8%A7%D8%B6%D8%A7%D9%81%D9%8A%D8%A9.
 The Consultation Draft of the Personal Data Protection Bill 2021 (25 August 2021) is available at https://moitt.gov.pk/SiteImage/Misc/files/25821%20DPA%20Bill%20Consultation%20Draft_docx.pdf.
 See the announcement of the Qatar Financial Centre (QFC) Authority “Consultation on proposed changes to QFC Data Protections Regulations & Rules”, available at https://www.linkedin.com/feed/update/urn:li:activity:6833700338965512192/, and the Consultation Paper “QFCA CP No. 1 of 2021 Proposed Changes to QFC Data Protection Regulations and Rules”, available at https://qfcra-en.thomsonreuters.com/rulebook/qfca-cp-no-1-2021-proposed-changes-qfc-data-protection-regulations-and-rules.
 See “MOTC Releases Guidelines on Personal Data Privacy Protection Law”, Media Release (31 January 2021), available at https://www.motc.gov.qa/en/news-events/news/motc-releases-guidelines-personal-data-privacy-protection-law.
 See Personal Data Protection Law, implemented by Royal Decree M/19 of 17 September 2021 approving Resolution No. 98 (in Arabic) (14 September 2021), available at https://ncar.gov.sa/Documents/Details?Id=waEbJasbk9cJVNdJ%2B31GUA%3D%3D.
 See “The Communications Commission announces the entry into force of the Regulatory Framework for Cyber Security for Service Providers in the Communications, Information Technology and Postal Sector”, Press Release (29 May 2021), available at https://www.citc.gov.sa/ar/mediacenter/pressreleases/Pages/20210529.aspx, and the Commission’s portal on cybersecurity regulations, available at https://www.citc.gov.sa/ar/RulesandSystems/CyberSecurity/Pages/default.aspx.
 See https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-23021 and https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-41021.
The following Gibson Dunn lawyers assisted in the preparation of this article: Alejandro Guerrero in Brussels; Ahmed Baladi, Vera Lukic, Clémence Pugnet, and Lena Bionducci in Paris; Connell O’Neil, Nicholas Hay, and Jocelyn Shih in Hong Kong; Kai Gesing in Munich; and Alex Southwell, Ryan Bergsieker, and Cassandra Gaedt-Sheckter in the United States.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
James A. Cox – London (+44 (0) 20 7071 4250, email@example.com)
Patrick Doris – London (+44 (0) 20 7071 4276, firstname.lastname@example.org)
Kai Gesing – Munich (+49 89 189 33 180, email@example.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Penny Madden – London (+44 (0) 20 7071 4226, email@example.com)
Michael Walther – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Alejandro Guerrero – Brussels (+32 2 554 7218, email@example.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Sarah Wazen – London (+44 (0) 20 7071 4203, email@example.com)
Kelly Austin – Hong Kong (+852 2214 3788, firstname.lastname@example.org)
Connell O’Neill – Hong Kong (+852 2214 3812, email@example.com)
Jai S. Pathak – Singapore (+65 6507 3683, firstname.lastname@example.org)
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, email@example.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, firstname.lastname@example.org)
Matthew Benjamin – New York (+1 212-351-4079, email@example.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, firstname.lastname@example.org)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, email@example.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, firstname.lastname@example.org)
Kristin A. Linsley – San Francisco (+1 415-393-8395, email@example.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, firstname.lastname@example.org)
Karl G. Nelson – Dallas (+1 214-698-3203, email@example.com)
Ashley Rogers – Dallas (+1 214-698-3316, firstname.lastname@example.org)
Deborah L. Stein – Los Angeles (+1 213-229-7164, email@example.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, firstname.lastname@example.org)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, email@example.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, firstname.lastname@example.org)
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.