
An Overview of Privacy & Data Protection Laws around the

World from a Global Perspective

By: Temi Awofala

January 2009

Contents

• Definitions
• Privacy as a Cultural Issue
• The Legal Maze
• Privacy as a Legal Issue – Europe, Russia, USA, Canada, Asia, Rest of World (ROW)
• EEA Requirements for Cross Border Transfers
• Key DP Terms and Definitions
• Conclusion

What is Privacy or Data Protection - Definitions

"The right to be left alone ... the most comprehensive of rights, and the right most valued by civilized men." Justice Louis Brandeis, U.S. Supreme Court (Olmstead vs U.S., 1928)

"The right of the individual to be protected against intrusion into his personal life or affairs ... by direct physical means or by publication of information." Calcutt Report on Privacy, 1990

Data Protection: the administrative, technical and physical controls one uses to protect the confidentiality and ensure the proper use of personal information.

Privacy as a Cultural Issue

• Europe
  • Personal privacy is a fundamental human right (Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms).
  • Long history and culture of protecting individuals from government and private intrusions into personal affairs.
  • Most EU and EEA countries have had privacy laws for decades.
• United States
  • Freedom from unreasonable government intrusion into personal affairs is a fundamental Constitutional right (4th Amendment to the United States Constitution).
  • Relatively recent legislative focus on protecting individuals from private intrusions into personal affairs.
  • Sectoral legislative approach.

The Legal Maze

Go to the link below for an interactive map of Data Protection Laws around the world:

http://www.guardianedge.com/resources/data-protection.php

Data Protection as a Legal Issue - Europe

• The EU Data Protection Directive of 1995 (95/46/EC) provided a common framework for data protection legislation.
• Data protection law protects the privacy of 'Personal Data'.
• Although mainly an EU Directive, numerous jurisdictions have comprehensive data protection legislation, so organizations have to comply with numerous regulations at the international, national, state and provincial, and even local level.
• National EU Data Protection Laws:
  • Prohibit transfers to non-EU countries lacking "adequate" data protection.
  • Member States must abide by EU Commission adequacy determinations.
• Compliance with Data Protection legislation is enforced by local Data Protection Authorities. Sanctions for non-compliance vary in each EEA member state.

Privacy (Data Protection) as a Legal Issue - Russia

• In 2006, Russia adopted the Law on Personal Data and the Law on Information, which replaced the 1995 Law on Information, Information Processing and Information Protection.
• Adoption of the Law on Personal Data fulfills Russia's obligation to transpose the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data into national law.
• The Law on Personal Data generally protects personal data from being collected and processed illegally and without the consent of the data subject. However, the law is still far from ideal, since it gives wide exemptions to the government.
• The Law on Personal Data came into force in January 2007, but most of its provisions are still inactive; for example, the law provides for the creation of a data protection authority, but none is operational to date.
• There are now three key Russian Federation (RF) laws that contain provisions relating to employees' personal data: the Labor Code, the Law on Information, and the Law on Personal Data.

Privacy as a Legal Issue – U.S.A

• The United States ("US") Constitution does not provide for an explicit right to privacy. However, the US Supreme Court has ruled that several provisions of the Bill of Rights provide for an implicit, limited constitutional right of privacy. The Supreme Court has also recognized a right of anonymity and the right of political groups to prevent disclosure of their members' names to government agencies. Some states have incorporated explicit privacy protections into their state constitutions.
• The US federal government currently favors a so-called "sectoral" approach to data privacy, relying on a combination of legislation and self-regulation rather than on an overarching data protection infrastructure.
• Privacy legislation tends to be adopted on an "as-needed" basis, with legislation arising when certain market sectors and circumstances require it.
• In South and Central America, many countries have incorporated the right of Habeas Data (access to data) into their constitutions. Several countries have moved towards adopting data protection laws to give force to this right. Data protection legislation has been approved in Chile, Argentina and Paraguay; most of these laws are based on the EU Directive model.

Privacy as a Legal Issue - U.S.A (contd)

Federal Legislation
• A patchwork of federal legislation covers the processing of some specific categories of personal data. These include financial records, health information, credit reports, video rentals, cable television, children's (under age thirteen) online activities, educational records, motor vehicle registrations and telemarketing.
• Fair Credit Reporting Act
• Gramm-Leach-Bliley Act
  • Rules have been implemented concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information, and pretexting is aggressively enforced against.
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Regulations.
• Enforcement of federal privacy legislation is the responsibility of various federal bodies, such as the Federal Trade Commission and the Federal Communications Commission.

State Legislation
• California was the first state to implement state legislation to supplement federal data protection legislation. Following the enactment of the California Data Protection Act, numerous states have implemented state privacy legislation, which often provides for obligations to disclose security breaches.

Privacy as a Legal Issue - Canada

Federal legislation
• Canada has two overarching federal data protection laws, the Privacy Act 1983 ("PA") and the Personal Information Protection and Electronic Documents Act ("PIPEDA").
• The Privacy Act 1980 marked Canada's first attempt to legislate in the area of data protection. However, the rapid advances in information technology and the pressure to conform to European standards to facilitate cross-continental trade meant that new legislation was soon required.
• The Canadian response was the Personal Information Protection and Electronic Documents Act, which was implemented in three stages, from 1 January 2001 to 1 January 2004. The Act incorporates the 'Privacy Principles', a list of principles that were developed by the Canadian Standards Association.
• In 2002, the European Commission decided that the Canadian Personal Information Protection and Electronic Documents Act did provide adequate safeguards for certain personal data to flow freely from the EU to Canada, in line with Directive 95/46/EC.
• Enforcement of the PA and the PIPEDA is the responsibility of the Privacy Commissioner of Canada, who is authorised to receive and investigate complaints.

Privacy as a Legal Issue – Canada (contd)

Provincial and territorial legislation
• The PIPEDA applies to the provincially regulated sector. However, the federal government can exempt an organisation from the PIPEDA if such organisation is established in a province that provides for data protection legislation that is substantially similar to the PIPEDA. British Columbia, Alberta and Quebec are currently the only provinces that have legislation recognized by the federal government as substantially similar to PIPEDA.
• Provincial legislation often provides for sector-specific data protection requirements. Most provinces have legislation dealing with consumer credit reporting. Alberta, Saskatchewan, Manitoba and Ontario provide for legislation regulating the collection, use and disclosure of health data by health care providers and other health care organisations.

Privacy as a Legal Issue – Asia

Australia
• In 1988, the Privacy Act was passed in Australia. The Privacy Act contains eleven "Information Privacy Principles" that apply to Commonwealth and governmental agencies.
• In 2001, the Privacy Amendment (Private Sector) Act 2000 came into force. It added ten National Privacy Principles that apply to the private sector and all health service providers.
• The Privacy Act is enforced by the Federal Privacy Commissioner. The main penalty for a violation of the Privacy Act is a fine. However, in certain circumstances imprisonment can also be imposed.

Japan
• In 2003, the legislature of Japan passed the Law on the Protection of Personal Information ("LPPI").
• In 2005, several additional obligations that apply to the commercial sector came into effect.
• The LPPI exempts companies that process the personal data of fewer than 5,000 natural persons. However, this number includes all personal data processed by the company group to which a group company located in Japan belongs, and it also includes the personal data of all employees of the company group. As a result, in practice only small and medium sized companies are exempt from the LPPI.
• The competent minister has the authority to collect reports from, advise, instruct or give orders to data controllers. If a data controller violates the LPPI and disregards the minister's direct orders, the data controller may be subject to fines or imprisonment.

Privacy as a Legal Issue – Rest of the World

Middle East and Africa
• There are few laws providing privacy protection in the Middle East and Africa.
• In the Middle East, Israel (in 1981) and the Dubai International Financial Centre (DIFC) (in 2007) adopted comprehensive data protection laws, which ensure the protection of all personal information.
• There is little advancement toward privacy laws in Africa. Only South Africa is currently reviewing a bill which may provide for data protection.

EEA requirements for cross-border transfers of personal data

• EEA data transfer provisions apply to any transfer of personal data from an EEA member state to a country outside of the EEA (a "Third Country").
• Pursuant to the Directive, a cross-border transfer of a substantial amount of personal data from an EEA member state to a country outside of the EEA is, in practice, only allowed if:
  • the data subjects have given their unambiguous consent for the data transfer;
  • the European Commission has determined that the country to which personal data will be exported provides for "adequate" data protection legislation (Adequacy Determinations: Canada, Hungary, Switzerland, Argentina, Guernsey; or the EU / U.S. Safe Harbor Agreement); or
  • "adequate safeguards" are put in place to protect the personal data: EU Model Contracts or Binding Corporate Rules*.

* Schlumberger has chosen to make use of BCRs to facilitate its intra-group transfers of personal data, by incorporating BCRs in its Data Privacy & Protection Standard. The SLB BCR application was submitted to the Dutch DPA in December 2008, and is currently awaiting confirmation that the Dutch DPA will be SLB's Lead Authority.

Key Terms

Data Protection Principles

Personal Data must be:
• Processed lawfully and fairly
• Obtained and processed for one or more lawful purposes
• Adequate, relevant and not excessive
• Accurate and kept up to date
• Kept no longer than necessary
• Processed in accordance with the rights of data subjects
• Protected by adequate security
• Not transferred unless adequately protected

Personal Data

Personal data is defined as any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, from such information. Examples of personal data may be: name, address, date of birth or age, e-mail address, registration number, marital status, salary, tax and social security number, data on absenteeism, customer profiles, recordings of telephone calls, video images, photographs, CVs, unique website visitor information, access records of buildings or information systems, consumer purchase information, etc.

Object data (e.g. type of [Company] products), statistical and aggregated data and data on legal persons (companies etc.) do not qualify as personal data unless extended by local DP rules.

Sensitive Personal Data

Special conditions apply to the processing of data concerning:
• Racial or ethnic origin
• Political opinions
• Religious beliefs or beliefs of a similar nature
• Membership of a trade union
• Physical or mental health or condition
• Sexual life
• Commission or alleged commission of an offence
• Criminal proceedings, including disposal / sentencing

What is Processing

Processing is any operation that can be performed on data, including:
• Obtaining, recording, storing
• Organising, altering, adapting
• Retrieving, consulting, using
• Disclosing, disseminating, sharing
• Combining, aligning, sorting, blocking
• Archiving, erasing, destroying
• Anonymising

Conclusion

Organizations must comply with numerous Data Privacy regulations at the international, national, state and provincial, and even local level. However, remember that all privacy legal and regulatory regimes are based on the same or similar principles!

Privacy Principles    Data Protection Principles
Notice                Data Integrity
Respect               Access and Correction
Necessity             Cross Border Transfers / Disclosure to 3rd Parties
Choice                Security, Relevance and Retention
Enforcement