Posted: February 27th, 2023
Topic: Global laws & litigation, BCI (Brain-Computer Interface) technology
1) Select a country or a region from the privacy laws around the world: Indicate which laws are present in this area and the level of maturity of these laws insofar as they pertain to privacy and the protection of people
2) Imagine that you are a lawyer working for the consumer protection organization in the selected country or region. BCI technology is being rolled out extensively in this country or region and you are trying to use the existing laws to protect people from the risks associated with it. What arguments do you use?
3) Where are the gaps between existing regulation and this innovation?
APA Format, 600 words, Due Feb 20th
NOVEMBER 2021
PRIVACY AND THE CONNECTED MIND
Understanding the Data Flows and Privacy Risks of Brain-Computer Interfaces
Authors
Jeremy Greenberg, Policy Counsel, Future of Privacy Forum
Katelyn Ringrose, Policy Fellow, Future of Privacy Forum
Sara Berger, Research Staff Member and Neuroscientist, IBM Research
Jamie VanDodick, AI Ethics Leader, Chief Privacy Office, IBM
Francesca Rossi, AI Ethics Global Leader, IBM
Joshua New, Technology Policy Executive and Senior Fellow, IBM Policy Lab
Acknowledgments
The Future of Privacy Forum would like to thank the following individuals for their advice and expertise: Dr. Tamara Bonaci, Assistant Teaching Professor at the Khoury College of Computer Sciences at Northeastern University; Dr. Laura Y. Cabrera, Dorothy Foehr and J. Lloyd Huck Chair in Neuroethics, Associate Professor, Center for Neural Engineering, The University of Pennsylvania State University; and Dr. Peter Reiner, Professor of Neuroethics at the University of British Columbia.
Thank you to FPF Policy Interns: Samuel Adams, Noah Katz, and Hannah Schaller for their contributions to this paper. An additional thank you to IBM legal counsel, Ron Leviner, and IBM Racial and Social Justice Scholar, Alex Baria, for their contributions to the paper, and to Guillermo Cecchi and Jeff Rogers from IBM for their suggestions.
FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 1
TABLE OF CONTENTS
Executive Summary .......... 2
Introduction .......... 4
Part I: BCIs are Devices That Can Both Record and Modulate an Individual’s Brain Signals Through the Collection and Processing of Neurodata .......... 5
Part II: BCIs Provide Benefits and Present Risks in a Number of Sectors Including Health, Gaming, Employment, Education, Smart Cities, Neuromarketing, and the Military .......... 11
Part III: A Mix of Technical and Policy Solutions Can Mitigate Risks .......... 26
Conclusion .......... 32
Endnotes .......... 33
EXECUTIVE SUMMARY
This report provides an overview of the technology, benefits, privacy and ethical risks, and proposed recommendations for promoting privacy and mitigating risks associated with brain-computer interfaces (BCIs). BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. While neurodata can take many forms, this report discusses “neurodata” as data generated by the nervous system, which consists of electrical activity between neurons or proxies of this activity. Personal neurodata refers to neurodata that is reasonably linkable to an individual.
BCI devices can be either invasive or non-invasive. Invasive BCIs are installed directly into—or on top of—the wearer’s brain through a surgical procedure. Today, invasive BCIs are typically used in the health context. Non-invasive BCIs rely on external electrodes and other sensors or equipment connected to or monitoring the body for collecting and modulating neural signals. Consumer-facing BCIs use various non-invasive methods, including headbands.
Some BCI implementations raise few, if any, privacy issues. For example, individuals using BCIs to control computer cursors might not reveal any more personal information than typical mouse users, provided BCI systems promptly discard cursor data. However, some uses of BCI technologies raise important questions about how laws, policies, and technical controls can safeguard inferences about individuals’ brain functions, intentions, moods, or identity. These questions are increasingly urgent in light of the many potential applications of expanded use of BCIs in:
› Healthcare – where BCIs could monitor fatigue, diagnose medical conditions, stimulate or modulate brain activity, and control prosthetics and external devices.
› Gaming – where BCIs could augment existing gaming platforms and offer players new ways to play using devices that record and interpret their neural signals.
› Employment and Industry – where BCIs could monitor workers’ engagement to improve safety during high-risk tasks, alert workers or supervisors to dangerous situations, modulate workers’ brain activity to improve performance, and provide tools to more efficiently complete tasks.
› Education – where BCIs could track student attention, identify students’ unique needs, and alert teachers and parents of student progress.
› Smart Cities – where BCIs could provide new avenues of communication for construction teams and safety workers and enable potential new methods for connected vehicle control.
› Neuromarketing – where marketers could incorporate the use of BCIs to intuit consumers’ moods and to gauge product and service interest.
› Military – where governments are researching the potential of BCIs to help rehabilitate soldiers’ injuries and enhance communication.
This report focuses on the current privacy impacts of BCIs, as well as the data protection questions raised by realistic, near-future use of BCIs. While the potential uses of BCIs are numerous, BCIs cannot at present or in the near future “read a person’s complete thoughts,” serve as an accurate lie detector, or pump information directly into the brain. It is important for stakeholders in this space to delineate between the current and likely future uses and far-off notions depicted by science fiction creators, so that we can identify urgent concerns and prioritize meaningful policy initiatives. We take seriously the concerns raised by futuristic potential developments and keep them in mind as we make recommendations, but in this paper we focus on the immediately pressing need to address issues already faced and likely to be faced in the upcoming decade.
Although the report primarily focuses on the privacy concerns—including questions about the transparency, control, security, and accuracy of data—involving existing and emerging BCI capabilities, these technologies also raise important technical considerations and ethical implications, related to, for example, fairness, justice, human rights, and personal dignity.1 These concerns are equally critical and complex, so this report highlights where additional ethical and technical concerns emerge in various use cases and applications of BCIs. Greater in-depth discussion of areas beyond privacy warrants additional research and careful consideration, and we hope to turn to those issues in future efforts.
To promote privacy and responsible use of BCIs, stakeholders should adopt technical guardrails including:
› Providing on/off controls when possible—including hardware switches if practical;
› Providing users with granular controls on devices and in companion apps for managing the collection, use, and sharing of personal neurodata;
› Providing heightened transparency and control for BCIs that specifically send signals to the brain, rather than merely receive neurodata;
› Designing, documenting, and disclosing clear and accurate descriptions regarding the accuracy of BCI-derived inferences;
› Operationalizing industry or research-based best practices for security and privacy when storing, sharing, and processing neurodata;
› Employing appropriate privacy enhancing technologies;
› Encrypting personal neurodata in transit and at rest; and
› Embracing appropriate protective and defensive security measures to combat bad actors.
Stakeholders should also adopt policy safeguards including:
› Ensuring that BCI-derived inferences are not allowed for uses to influence decisions about individuals that have legal effects, livelihood effects, or similar significant impacts—e.g. assessing the truthfulness of statements in legal proceedings, inferring thoughts, emotions or psychological state, or personality attributes as part of hiring or school admissions decisions, or assessing individuals’ eligibility for legal benefits;
› Employing sufficient transparency, notice, terms of use, and consent frameworks to empower users with a baseline of BCI literacy around the collection, use, sharing, and retention of their neurodata;
› Engaging IRBs and other independent review mechanisms to identify and mitigate risks;
› Facilitating participatory and inclusive community input prior to and during BCI system design, development and rollout;
› Creating dynamic technical, policy, and employee training standards to account for the gaps in current regulation;
› Promoting an open and inclusive research ecosystem by encouraging the adoption, where possible, of open standards for neurodata and the sharing of research data under open licenses and with appropriate safeguards in place. A similar open-skills approach could also be considered for a subset of direct-to-consumer BCIs; and
› Evaluating the adequacy of existing policy frameworks for governing the unique risks of neurotechnologies and identifying potential gaps prior to new regulation.
Key Terminology and Definitions
› Neurodata – Data generated by the nervous system,2 which consists of the electrical activities between neurons or proxies of this activity.
› Personal Neurodata – Neurodata that is reasonably linkable to an individual.
› Neurotech/Neurotechnology – Technology that collects, interprets, infers or modifies neurodata.
› Brain-Computer Interface (BCI) – Computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity.
INTRODUCTION
Brain-computer interfaces (BCIs) are a prime example of an emerging technology that is advancing new areas of human-machine interaction. Today, BCIs are primarily used in the healthcare context for purposes including: rehabilitation, diagnosis, symptom management, and accessibility. While BCI technologies are not yet widely adopted in the consumer space, there is a recent interest and proliferation of new direct-to-consumer neurotechnologies. The emergence of such technologies across various sectors poses numerous benefits and raises significant questions about user privacy.
When connected to the Internet,3 BCIs can be classified as a type of wearable or implanted instrument within the Internet of Bodies, a network of devices connected to, and generating information from, the human body.4 Such communication has long been supported by various interfaces, from the keyboard and mouse to touchscreens, voice commands, and gesture interactions. As computers become more integrated into daily human experience, new ways of commanding computer systems and experiencing digital realities have gained in popularity, with novel uses ranging from gaming to education.
While BCIs offer benefits from improving patient health outcomes to providing more immersive and customizable education, training, and entertainment, the technologies raise many of the same risks posed by digital home assistants, medical devices, and wearables. New and heightened risks associated with privacy of thought also emerge, resulting from recording, using, and sharing of a variety of neural signals.5 According to a recent report, consumers list privacy and security as major concerns regarding neural interfaces, second only to product safety.6 Sometimes, BCIs must always be on in order to function properly—particularly in the health and medical context. Always-on tech can collect more information than users expect, particularly when individuals are not provided sufficiently clear and detailed notice prior to consent. This report explores how BCIs fit into the broader scheme of next-generation interfaces, and suggests safeguards to mitigate potential privacy and security risks.
Because of the emerging nature of BCIs, it is important to consider both current and future-facing privacy and ethical risks based on technical capabilities, use cases, and the current understanding of neurodata. Along with identifying what neurodata and personal neurodata are collected by BCIs and what conclusions or inferences are drawn based on this data, it is equally important to specify what BCIs cannot achieve, especially given the current hype cycle surrounding technologies that can easily veer into unrealistic, sci-fi territory. At the moment, BCIs cannot read an individual’s precise thoughts, accurately determine whether someone is telling the truth or lying, or directly pump knowledge or skills into an individual’s brain or make someone “smarter.” While these capabilities could exist in the future and warrant discussion and debate, they are far attenuated from current realities. This report appreciates the importance of such discussions, but seeks to focus on the current—and likely, near-term—capabilities of BCIs discussed in this report.7
Part I: BCIs are Devices that Can Both Record and Modulate an Individual’s Brain Signals Through the Collection and Processing of Neurodata
A. BCIs are Computer-Based Systems that Record, Modulate—or Both Record and Modulate—Electrical Brain Signals, Which Can Be Translated Into Outputs
BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; and 3) those that do both, also called bi-directional BCIs (BBCIs).8 BCIs that record brain activity are more commonly used in the healthcare, gaming, and military contexts. Modulating BCIs are typically found in the healthcare context. For example, modulating BCIs are used to treat Parkinson’s disease and other movement disorders by using deep brain stimulation to treat the rigidity, slowness, and resting tremors common in Parkinson’s patients.9 While BCIs technically refer to devices that directly record or modulate the brain, other related neurotechnologies indirectly record and modulate. One of the most successful examples of indirect stimulation is cochlear implants, which help restore hearing and suppress tinnitus by modifying the information that is provided to a compromised auditory system.10 BBCIs, which both record and modulate, can be an especially useful rehabilitation tool for spinal injuries or strokes.11
B. BCIs Can be Invasive or Non-Invasive and Employ a Number of Techniques for Collecting Neurodata and Modulating Neural Signals
BCIs can be invasive or non-invasive.12 Invasive BCIs are installed directly into—or on top of—the wearer’s brain through a surgical procedure. Today, invasive BCIs are used in the health context. For example, invasive clinical BCI implants have been used to improve patients’ motor skills.13 Invasive BCI implants can involve a number of different types of implants. An electrode array called a Utah array is installed into the brain and relies on a series of small metal spikes set within a small square implant to collect or modulate brain signals. New innovations like neural lace and neural dust are meant to drape over or be inserted into multiple areas within the brain.14
Utah array. Image courtesy Wikipedia.
Other prominent examples of invasive BCIs rely on electrocorticography (ECoG), in which electrodes are attached to the exposed surface of the brain to measure electrical activity of the cerebral cortex. ECoG is most widely used for helping medical providers locate the area that is the center of epileptic seizures. This detection helps facilitate more targeted medical treatment but does not constitute medical treatment itself.15
In April 2021, Neuralink—Elon Musk’s startup centered around creating a minimally invasive BCI—released a video of a macaque monkey playing a videogame using an invasive BCI.16 Explaining Neuralink’s invasive BCI prototype, “in a lot of ways,” Musk said, “it’s kind of like a Fitbit in your skull, with tiny wires.”17 While the Neuralink device is still in the prototype stage, the technology points to a possible future where invasive BCIs are used for commercial purposes, such as gaming, entertainment, education, and wellness. Today it seems unlikely that consumers would be willing to surgically implant a device into their brain for commercial enjoyment, cognitive monitoring, education, and other direct-to-consumer uses, but only time will tell whether invasive BCIs for commercial purposes will eventually become mainstream.
Unlike invasive BCIs, non-invasive BCIs do not require surgery. Instead, non-invasive uses of BCI technology rely on external electrodes and other sensors for collecting and modulating neural signals.
One of the most prominent examples of a non-invasive BCI technology is an electroencephalogram (EEG)—a method for recording electrical activity in the brain, with electrodes placed on the surface of the scalp to measure the activity of neurons in the brain.18 EEG-based BCIs are common in the gaming space in which collected brain signals are used to control in-game characters and select in-game items. Another noteworthy non-invasive method is functional near-infrared spectroscopy (fNIRS), which measures proxies of brain activity via changes in blood flow to certain regions, specifically changes in oxygenated and deoxygenated hemoglobin concentrations using near-infrared light.19 fNIRS is especially prominent in wellness and medical BCIs, such as those used to control prosthetic limbs.20
Other non-invasive techniques go beyond simply recording neurodata by also modulating the brain, which is one reason the term “non-invasive” is fairly contentious, with researchers and scientists finding the line between invasive and non-invasive uses of BCIs difficult to draw. For example, can a device that modulates a brain in a closed-loop fashion—meaning that neurodata recorded by the BCI serves as an input in how the BCI stimulates the user’s neural signals—ever truly be non-invasive? What about a device that is not implanted surgically, but still carries the potential for stimulation? For instance, transcranial direct current stimulation (tDCS)21 and transcranial magnetic stimulation (TMS)22 are both used to modulate neuroactivity in various areas, including the frontal lobes. Researchers have proposed that these forms of stimulation may increase memory and learning abilities; however, such claims are still under review.23 Non-invasive neurotechnologies should not be equated to non-harmful technologies—just because a device is not directly implanted to sit on or within the human brain does not mean that device does not pose unique health and other privacy and data use risks.24
An example of a non-invasive EEG-fitted BCI device.
BCIs are generally characterized by four components:25
› Signal Acquisition and Digitization: involves sensors (e.g. EEG, fMRI, etc.) measuring neural signals. The device amplifies signals to levels that enable processing and sometimes filters collected signals to remove unwanted data elements, such as noise and artifacts. These signals are digitized and transferred to a computer.
› Feature Extraction: As part of signal processing, applicable signals are separated from extraneous data elements, including artifacts and other undesirable elements.
› Feature Translation: Signals are transformed into usable outputs.
› Device Output: Translated signals can be used as visualizations for research or care, or they can be used as directed instructions, including feedforward commands utilized to operate external BCI components (e.g. external software or hardware like a robotic arm) or feedback commands which may provide afferent (conducted inward) information to the user or may directly modulate on-going neural signals.
An example of these components can be found in the following figure.
[Figure: BCI pipeline. Brain signals (EEG, ECoG, single unit) feed signal acquisition; digitized signal processing performs feature extraction and runs the translation algorithm; the resulting control signals become the device command, with feedback returned to the user.]
While the focus of this report is technologies that record or influence neurodata from the brain, neurodata is also found throughout the nervous system (including from the spinal cord and peripheral nervous system) and thus similar but non-BCI neurotechnologies are being developed that capitalize on these downstream signals. Other invasive and non-invasive techniques include indirectly collecting neurosignals sent from the brain with sensors placed on other parts of the human body. For instance, an electromyography (EMG) sensor is a neurotechnology that can be worn non-invasively as a wristband26 or inserted into the human body to indirectly record motor neurons and their electrical activity in muscles.27 Today this method is typically used to diagnose neuromuscular abnormalities, but future use cases point to using EMG for detecting an individual’s intent to move fingers and other appendages for operating virtual keyboards and other devices.28
A Timeline of Interfaces29
[Figure: timeline of interface milestones from 1924 to 2021. Milestones labelled with a year in the extracted figure: 1924 – First Human EEG Recorded; 1952 – First Voice Interface; 2021 – A Paralyzed Man Uses a BCI to Type with His Thoughts. The remaining milestones, in the figure’s order, are: First Virtual Reality Headset; First Successful Cochlear Implant; The Term “Brain-Computer Interface” is Coined; First Computer Mouse is Commercially Available; First Multi-Touch Touchscreen; First Invasive BCI That Produces High-Quality Signals; First Person to Control an Artificial Hand Using BCI; Paralysis Patients Control Robotic Arms Using BCI; First BCI to Restore Sensation to a Paralyzed Person; Signals from an Invasive BCI are Accurately Decoded Into Text with an Error Rate as Low as 3% When Tested On Vocabularies Up to 300 Words; BCI Provides Rudimentary Vision to a Low-Vision Patient. The other years shown in the figure are 1968, 1969, 1973, 1973, 1982, 1998, 2005, 2012, 2016, 2018 and 2019.]
C. Recorded Neurodata Becomes Personal Neurodata When It is Reasonably Linkable to an Individual
Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. These neurons help carry out tasks, such as comprehension, movement, and communication. Neurodata can be both directly collected from the brain, or indirectly collected from an individual’s spinal cord, muscles, or peripheral nerve in the form of a downstream signal from brain activity or a preparatory signal prior to brain activity.
At times, neurodata can be personally identifiable when reasonably linkable to an individual or when combined with other identifying data associated with an individual, such as when part of a user profile. Personal neurodata is neurodata that could be reasonably linkable to a particular individual.30 The collection and processing of personal neurodata can produce information related to an individual’s biology and cognitive state. Additionally, the processing of personal neurodata can lead to inferences about an individual’s moods, intentions, and various physiological characteristics, such as arousal. Machine learning (ML) sometimes plays a role as a tool for helping determine if a neurodata pattern matches a general identifier or particular class or physiological state.
Although identifying individuals based solely on their collected personal neurodata is likely a difficult proposition, such identification has been shown to be possible with relatively little data (less than 30 seconds-worth) within a lab setting,31 and some experts believe that such identification is feasible if not today, then in the near-term.32 This possibility has implications for definitions pertaining to biometric data, as well as its permitted use. Personal neurodata can vary in levels of sensitivity, as certain personal neurodata can reveal seemingly innocuous data leading to few, if any, inferences about an individual; health information associated with an individual; or provide insight into an individual’s private feelings or intentions. For example, a BCI might reveal what object a gamer intends to select in a video game,33 which may or may not be innocuous; infer that a truck driver is becoming less alert while driving,34 which could reveal an individual’s sleeping habits; or it could reveal whether a patient is depressed, information pertaining to their health.35
In the future, BCIs could progress into new arenas, recording increasingly sensitive personal neurodata, leading to intimate inferences about individuals. Those arenas include transcribing a wide range of a wearer’s thoughts into text, serving as an accurate lie detector, and even implanting information directly into the brain. These uses are still in the early research phases and could be decades from fruition, or perhaps never emerge.36
D. Both Invasive and Non-invasive BCIs Pose Technical Challenges for Effectively Recording Neurodata and Modulating Neural Signals
Regardless of the technique used, recording and processing brain signals to derive usable neurodata is a technologically challenging process. Wired BCIs—typically associated with the clinical and medical context—include complex wiring that involves a prolonged preparation time before use, while wires limit user movements.37
Wireless BCIs avoid some of the hardware challenges of wired BCIs, but present new challenges associated with battery life—especially in the case of health-related BCIs that are intended to be on and active for extended sessions—and device weight, comfort, and practicality.38 Other hardware challenges include the need for commercial non-invasive headsets to record small neural signals through a physical barrier of hair, skin, flesh, and bone, all of which can interfere with the signals and add noise to the data. Meanwhile, invasive BCIs require expensive, high-risk surgery.39
Once signals are collected, the device must process and separate actionable nerve impulses from those that are created by passive activities, including artifacts derived from the wearer’s muscle movements, eye blinking, and electrical activity from the heart. Sometimes this extra data is used in conjunction with BCIs for various purposes, but these artifacts often have to be removed for neurodata to be usable. Most neurodata derived via BCIs is noisy (especially in the case of non-invasive applications) and creating computer systems that can classify and remove noise is a complex and cumbersome undertaking.
After actionable signals are gathered and sorted, ML40 algorithmic models can be applied for classifying neurodata. This typically involves a calibration and training process in which a user performs a number of operations so that the algorithm can understand the user’s unique neural data that represent their patterns when performing various actions. Using ML systems presents its own set of preliminary challenges such as: whether these ML systems can classify data better than chance, whether a particular system is appropriate to achieve a desired outcome, or whether the system does in fact accurately conform to a user’s neural signature, in addition to any ethical and legal risks. This process of identifying and processing an accurate and meaningful neural signature is something that researchers are still attempting to master.
Part II: BCIs Provide Benefits and Present Risks in a Number of Sectors Including Health, Gaming, Employment, Education, Smart Cities, Neuromarketing, and the Military
This section surveys BCI adoption across seven key sectors: health and wellness; gaming; education; employment; smart cities; neuromarketing; and the military. These sectors represent areas where consumer BCI technologies are quickly evolving, and where unique privacy concerns are most salient.41 However, if the past is prologue, individuals and societies will find new and unexpected uses of technologies as they evolve and adapt inside and outside of these sectors.
Each sectoral use of BCI technologies examined below is accompanied by specific benefits and risks and an analysis of some of the existing laws, policies, and best practices currently in place that might safeguard neurodata within a particular sector. It is worth noting, however, that many of the benefits, risks, and challenges discussed overlap across a variety of uses and sectors outside BCIs and neurotechnologies, such as genetics, biometrics, and AI. While neurodata and BCIs may not be explicitly mentioned in current law, existing regulations may still be held to apply, even if policymakers did not contemplate the novel privacy issues associated with neurotechnologies. Conversely, new law may be motivated by the failure of existing law to contemplate novel privacy issues, such as the Genetic Information Nondiscrimination Act (GINA) arising out of a sense that contemporaneous health law—such as HIPAA—did not sufficiently contemplate or protect against issues prompted by genomic technologies.42 Similar regulations have since been created at state and local levels in response to increasing usage of biometric data and associated risks.43
Regulators might recognize a similar need in connection with neurodata, leading to new laws and standards. But in the absence of amended and new regulations, developers must consider current regulations, standards, and frameworks that might apply to this evolving field or serve as a foundation for future regulation, guidance, or decision-making around BCIs. Neurotechnology-specific frameworks include: the OECD Recommendation on Responsible Innovation in Neurotechnology44 and the FDA’s recent guidance on BCIs for Patients with Paralysis or Amputation.45 Legal frameworks of note include constitutional and fundamental rights protection of the right to respect for private life and confidentiality in some jurisdictions around the world,46 the protection of personality rights in Civil Codes in jurisdictions as varied as Germany, Quebec and, most recently, China,47 the EU’s draft legal framework on AI,48 as well as comprehensive data protection laws, such as the California Privacy Rights Act (CPRA)49 and the European General Data Protection Regulation (GDPR),50 to name a few.
FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 12
Although these legal frameworks do not pertain to neurotechnology specifically, given BCI’s integration with AI and neurodata’s overlap with biometric data conceptualization, some of this guidance may be relevant or transferable in the future.
Additionally, there are numerous international brain initiatives that are working together to not only better understand the ethical issues and risks associated with BCI technologies and other neuroscience applications, but also publish general guidance, best practices, and key research questions regarding these topics.51
A. Health BCIs Diagnose Medical Conditions, Modulate Brain Activity for Cognitive Disorder Management, and Promote Accessibility
Today, health BCIs can improve health diagnosis, rehabilitation, and accessibility. Current breakthroughs in diagnosis include quantifying fatigue, identifying depression, and measuring stress.52 Diagnostic BCIs can also be especially helpful when patient responses are unavailable, such as when patients experience disorders of consciousness, including locked-in syndrome, whereby individuals are fully conscious but unable to move, speak, or explain how they are feeling.53 Current research efforts focus on BCIs that diagnose condition progression, such as glaucoma.54
While diagnosis typically involves recording brain activity, health BCIs are also used to modulate patients’ brains and nervous systems. Brain modulation is used in numerous ways, including stimulation for modulating and disrupting seizures for epilepsy patients.55 Recent advances in health BCI modulation include a vision restoration study to bypass the eye and the optic nerve to feed images directly to the brain, resulting in low-resolution vision.56
Other than diagnosis and stimulation, BCIs can provide increased accessibility. A new generation of prosthetic limbs relies on BCIs. These neuroprosthetics, or artificial limbs, move in response to thought; related work includes BCI-powered automatic wheelchairs.57 A non-invasive mind-controlled wheelchair, developed by researchers at Switzerland’s Federal Institute of Lausanne, can follow simple directions derived from a BCI and can assess the area around the wheelchair to navigate its surroundings safely.58 Users of neurotech wheelchairs think of moving their left or right arm to direct their wheelchair in their chosen direction. Recent advancements mean users no longer need to think of specific words like “table” in order to direct their chair to a nearby object; instead, they can think of associated activities like eating.59 Another noteworthy example occurred in 2019 when scientists implanted a BCI into the brain of a patient who was left with minimal movement of his arms and hands after a surfing accident.60 The invasive electrodes allowed the patient to control both left and right robot appendages to perform daily tasks, such as eating.61 Similarly, BCIs act as tools for providing haptic feedback or haptic sensory replacement within prosthetics and exoskeletons for purposes of patient rehabilitation, regaining sensation, and an increased ability for patients to perform previously inaccessible tasks.62
There are also efforts to connect BCIs with smart devices and IoT (internet of things), which could aid individuals with neurological disorders or motor impairments in doing activities of daily living or interacting with various appliances and devices, enabling improved or sustained quality of life through increased accessibility within their home environment.63
As mentioned previously, BCIs are also starting to emerge in the commercial wellness space as a method of personal tracking and of improving cognitive abilities (such as attention or meditation) and mental and physical health (such as sleep quality or fatigue). This is a developing space, and the efficacy of BCIs as wellness devices is still up for debate.64 Many of these wellness BCIs overlap with the gaming and toy space. The NeuroSky Mindwave Mobile 2: Brainwave Starter Kit provides the user with information about their brain’s electrical impulses when relaxing and when listening to music.65 The product includes an EEG-fitted headband and connects to companion apps via Bluetooth.66 The device also provides training games purported to help improve meditation and attention and enhance the user’s learning effectiveness.67 Further, the device includes tools for players to create their own brain-training games.68
1. Health BCI Risks Include: Security Breaches, Infringement on Mental Privacy, and Accuracy Concerns
Security breaches represent some of the most prominent risks in the health and wellness BCI space. Some of these security risks are presaged by earlier breaches of medical implantable devices. In 2017, half a million pacemakers69 were recalled because they were vulnerable to hacking.70 Just as pacemakers could be breached, BCIs are vulnerable to cyber risks, including breaches,71 resulting in potentially severe physical harm to the patient. In such cases, BCIs run the risk of encountering interference—whether by bad actors or error—that might result in failed communication around high-stakes medical decisions. Recently, researchers showed that hackers, through imperceptible noise variations of an EEG signal, could force BCIs to spell out certain words that do not align with what the wearer is thinking.72 The consequences of this security vulnerability could range from user frustration to severe misdiagnosis. Moreover, breaches of BCIs raise concerns around the sanctity of sensitive health information that could be captured in a hack.
An equally important concern for health-related BCIs is ensuring sufficient and verifiable accuracy in the recording and interpretation of brain signals. High reliability of medical BCIs is especially important because inaccurate interpretation or modulation of a patient’s brain could result in serious consequences, or even death. Patients relying on modulating BCIs to help mitigate cognitive disorders, such as epilepsy, could suffer grave health consequences should the BCI fail to work as intended. Additionally, patients experiencing locked-in syndrome—who might be minimally conscious—require BCIs to accurately convey their wishes; concerns are particularly acute when patients rely on BCIs to communicate crucial information, such as their choices regarding treatment or even end-of-life decisions.73 Accuracy is also crucial in the accessibility context, as prosthetic limbs, wheelchairs, and other devices controlled via BCIs must operate correctly and safely according to users’ intentions.
Privacy risks regarding BCI accessibility devices come from the inferences drawn from the conscious or unconscious intentions of an individual. The capacity of the neural networks that underpin many of these devices to associate certain thoughts with directives means that subconscious or causally-connected intentions may be defined and interpreted by BCIs on a wider scale, leading to new mental privacy risks. For example, a BCI-controlled wheelchair and its underlying neural network might not only deduce that the user is thinking about food, therefore directing the chair to move toward the table, but also draw other conclusions about the individual’s biology and preferences, such as whether or not an individual is hungry or thirsty and at what times. These additional inferences capture new information about an individual’s thoughts, intentions, or interests, many of which are related to an individual’s specific biology and unique preferences.
Privacy risks are magnified when these new inferences are combined with other personal information about an individual to make decisions that impact their lives and could interfere with the autonomy afforded to individuals through the use of these accessibility BCIs. Organizations collecting and processing these brain signals, leading to granular inferences tied to an individual, could have an incentive to repurpose this data for advertising or other non-medical purposes, exposing potentially sensitive biological information to third parties while running counter to individual notions of privacy. Additionally, the sharing of patient data associated with BCI use could potentially disclose an individual’s previously unknown medical condition to employers, private companies, public entities, or governments.
2. Some Health BCIs are Subject to Common Rule Requirements, FCC Oversight, or International Frameworks
Some of the advancements in health BCIs involve human subject research, which in certain cases is governed by a complex regulatory framework. U.S. researchers whose projects are federally funded are typically required to obtain subjects’ informed consent for data collection based on approval from a Common Rule-based Institutional Review Board (IRB) prior to undertaking studies.74 In other instances, such as some research involving open fMRI or other open neurodata, studies might not require IRB approval when the data in question involves secondary data use of de-identified samples.
In addition, wireless IoT BCI devices are likely subject to Federal Communications Commission (FCC) oversight because of their designation as connected wearables.75 However, given the lack of regulations around consumer wellness technologies, devices marketed outside of the physician-regulated context—such as brain training games and meditation-aiding devices like Muse76—may lack strict oversight. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates covered entities—such as physicians and health insurers—that collect, use, process, and share health information, but does not usually apply to wellness device companies.
In Europe, the GDPR is the applicable framework for any processing of personal data for the purposes of scientific research, including where the research relies on special categories of personal data, such as data related to health and biometric data processed for identification. There are several lawful grounds for processing under Article 6(1) that would allow the necessary processing of personal data for BCI research, as well as several permissions under Article 9(2) for the use of sensitive personal data. In some situations, this could allow data controllers to conduct this type of research even without individual consent for the processing of the data,77 specifically when sensitive data is necessary for public health purposes or for research in the public interest;78 however, there are many complexities surrounding this sort of processing, with the European Data Protection Board (EDPB) expected to adopt Guidelines on processing of personal data for scientific research purposes in the following months. Given the complexities surrounding human subject research and privacy, health researchers and other stakeholders seeking to develop or adopt BCIs will need to understand and verify how the product fits into the shifting regulatory landscape.
The EU’s recent proposed draft AI regulation79 covers all AI systems, including those relying on biometric data, and is likely to be relevant for future regulation of personal neurodata, significantly altering the regulatory landscape around BCIs and neurotech. It specifically focuses on AI systems that pose high risks to the “health, safety and fundamental rights” of individuals. BCIs that might be considered “high risk” AI systems under the proposed regulation could trigger requirements prior to entering the market, such as going through a conformity assessment, adoption of adequate risk assessment, security guarantees, and adequate notice to the user, among others.80 If considered a “low risk” system, organizations would have to fulfil transparency requirements.81 The full scope and impact of the EU’s AI regulation on the development and use of BCIs remains subject to the ongoing legislative process.
B. Gaming BCIs Often Augment Existing Platforms and Controls and Offer Players New Ways to Play Through Recording Neurodata
Gaming is one of the most prominent consumer applications of BCI technology. In turn, advances in gaming may serve as a dry run for innovations in other sectors with a more immediate impact on human wellbeing.
Today, most BCI gaming experiences involve outfitting existing devices and platforms with neurotechnology. Gaming and entertainment-focused BCIs were originally created for people with motor disabilities—and still offer accessible experiences for that community today—but are now increasingly targeted to the broader population.82 The most common integration of BCI technology in gaming involves the player wearing an external device—often a headband, cap, or plastic arm touching the player’s forehead—fitted with a non-invasive neurotechnology, such as EEG. These devices attempt to record the player’s electrical impulses, collecting and interpreting the player’s brain signals during play.
An example of an EEG recording.83
One of the earliest examples of EEGs in gaming is NeuroSky’s 2007 game The Adventures of NeuroBoy.84 With the use of a Bluetooth and EEG-fitted headset, called MindSet, the game claims to measure the player’s concentration and stress during play and provide this information to the player. Through concentration of thought, the player is able to move objects in the game, but NeuroBoy still relies on mouse and keyboard commands for much of the gameplay.85
Since the advent of games like The Adventures of NeuroBoy, BCIs in gaming have evolved to where recording neural signals is now a primary driver for gameplay, rather than working in tandem with traditional controls. However, the immersive experiences offered by most of the current applications of BCI gaming remain limited. Generally, players can only complete a discrete set of actions with their thought patterns. Star Wars Force Trainer II comes with a non-invasive EEG wearable, and the game claims that players can use their thoughts, or “the force,” to control a levitating holographic image of an x-wing.86 EEG wearable games like Star Wars Force Trainer II cannot accurately detect when the player is thinking about specific directions such as “up” or “down” but rather assign these movements to an arbitrary set of brain signal patterns, which inform the player’s neural signature.
Games involving BCIs are not limited to single-player experiences, but have applications pointing to a future of multiplayer and social games. Cornell University researchers developed BrainNet, the first multi-person non-invasive brain-to-brain interface (BBI).87 In BrainNet, three participants, outfitted with external EEG and TMS caps, play a game similar to Tetris.88 Two of the players can see the entire game screen, while the third can only see the block at the top of the screen. The two players who can see the entire screen “send” neurodata to the third player about how they should rotate the block to complete a row. The third player “receives” the neurodata and then sends a command via nerve impulse to the game, indicating whether or not to rotate the block. While not yet widely available, this type of collaborative gameplay increases the potential for a more interactive BCI gaming experience. Moreover, BBI interfaces could unlock a new method for completing collaborative tasks and communicating outside the realm of gaming.
Other innovations in BCI gaming involve augmenting platforms with BCI technology. This form of augmentation is most common today in the extended reality (XR) gaming space. Extended reality is the umbrella term used to describe augmented reality (AR), virtual reality (VR), and mixed reality (MR) technology.89 Today, when BCIs are integrated into XR technology, it is typically through the use of a headset called a head-mounted display (HMD). In the BCI context, HMDs are fitted with electrodes which non-invasively collect neurodata needed for gameplay without the use of cumbersome technology or dozens of EEG electrodes.90 Companies like Neurable are developing their own HMDs outfitted with EEG electrodes and software compatible with other HMDs outfitted with EEG electrodes.91 In Neurable’s first demo, Awakening, the player assumes the role of a psychokinetically-gifted child who must escape from a government prison.92 Through recording the player’s electrical brain impulses, the BCI HMD lets the player choose between a host of objects to escape from prison and advance through the game.93
The future of BCI gaming may provide fully-immersive experiences where the player can initiate a diverse set of in-game actions with their conscious thoughts. Here, the player’s neurodata would be collected and combined with other biometric or physiological information derived from their gestures,94 eye movements,95 facial expressions,96 breathing,97 and heartbeat.98 OpenBCI99 is currently developing Galea, a software and hardware platform that uses existing HMDs, most notably the Valve Index. The device collects neurodata along with data from the wearer’s heart, skin, muscles, and eyes through a number of sensors with the initial goal of providing developers the tools to explore further integrating this data into future projects.100
Other future advances in BCI gaming will prioritize social interaction with other players. Immersive games will continuously record and process neurodata and other physiological data to respond and adjust in real time—or after the fact during a later experience—to a player’s expressed mood and skill level.101 Some game developers predict that immersive gaming BCIs will be able to modulate players’ brains to alter moods during gameplay as well as providing “better than real visuals” in games.102
1. Gaming BCI Risks Include the Involuntary Collection of Neurodata, Which Could Lead to Granular User Profiles that Result in Decisions Potentially Impacting and Limiting the User Experience
Key privacy risks associated with BCI gaming are less about user identifiability than about the inferences drawn about a user’s psychology and preferences, and how organizations might make decisions based on these inferences. These risks are especially prevalent when augmenting existing gaming platforms, particularly VR, with BCI and neurotechnology sensors. In VR, data is collected about the immersive digital world with which a user is interacting. When combining a user’s real-time neurodata with the content a user is currently experiencing in VR, a profile can be built about an individual in which inferences can be drawn about a user’s responses to the virtual content they are being served.
Brittan Heller has coined the term “biometric psychography,” which describes the notion of combining collected biometric or biological data with information about the virtual stimuli encountered by the user to produce inferences about the user’s psychology.103 For instance, changes in recorded neurodata throughout a user’s play session could lead to conclusions about whether particular content excites, arouses, induces fear, or psychologically impacts a user. Further, when neurodata can be combined with other biological data which produces inferences about a user’s psychology, including changes in pupil size, timing and direction of eye gaze, changes in skin temperature, and changes in heartbeat, increasingly detailed profiles reflecting a user’s psychological response to content can be inferred.
Unlike other biological indicators, neurodata is collected directly from the brain in real time and could provide especially sensitive details about an individual’s psychology, offering insight into a user’s intent or neurological reactions. In turn, AI and machine learning models can be trained on a user’s brain signals—in combination with other biological changes in response to content—allowing organizations to associate user-specific changes in neural signals with certain physiological states, such as arousal. Moreover, changes in brain signals might be even more involuntary than something like eye gaze, which a user has the option of controlling in a way they cannot control their electrical neurosignals.
Risks are magnified when decisions that impact the user are influenced by neurodata inferences deduced by the company or a third party. Decisions could include: which content to serve to a user, which ads a user might view during BCI gaming, and other activities across the Internet based on a user’s involuntary brain signal responses. Beyond ads, there are genuine concerns that one’s neurodata could be used to expose vulnerabilities that could be exploited by nefarious actors who purposefully target digital spaces that cater to children (e.g., human trafficking).104
Today, content recommendations are seen across gaming, streaming, and other online services. Currently, the service of content is based on a voluntary action by the user, such as listening to a particular song or viewing a particular video, visiting a certain website, or “liking” a post on social media. In the case of BCI gaming, content may one day be served based on involuntary neurological responses of the user. Therefore, the types of content—including ads—served to users can be determined not only by their voluntary entertainment consumption, but further determined by involuntary inferences resulting in increasingly granular profiles about individuals. Additionally, content served to users based on increasingly granular profiles including their brain signals could be shared with third parties for advertising or other purposes, further tailoring the experience users have across the Internet—sometimes without user knowledge or consideration of user wishes.
Another concern about inferences resulting from the collection of neurodata is whether or not these inferences are accurate, especially given the nascent and limited utility of non-invasive BCIs today. When the inferences about a user’s psychology are especially accurate, providers run the risk of serving content so reflective of a user’s interests that it could promote severely addictive gameplay or desensitization to various forms of entertainment or interaction, and other potentially unhealthy habits. When these inferences are inaccurate, providers run the risk of turning off certain users from enjoying content and serving them content and ads that do not comport with, or at times offend, their interests. Whether these inferences are accurate or not, increasingly granular profiles dictating which content to serve, or not serve, a user could result in enhancing the division and filter bubbles found online today. Moreover, if these inaccurate inferences are sold to third parties for non-advertising or non-gaming purposes, there could be opportunities for impermissible discrimination across a wide variety of other domains.
2. Some BCI Gaming Applications are Regulated by Children’s Privacy Regulations or General Biometrics Laws
A regulation that could uniquely impact BCI gaming in the United States is the Children’s Online Privacy Protection Act (COPPA). Many games, including some of the games described above, are directed to children under the age of 13, and as such the personal information collected is covered by COPPA.105 COPPA applies to “operators” of online services directed to children under 13 or those who have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. COPPA provides parents and guardians with a number of rights over their children’s personal information, including access to the child’s information and deletion rights over the data. The law places a number of requirements on organizations, such as posting a clear privacy policy on their website, providing direct notice to parents, obtaining parental consent before collecting information from children under 13, and enacting reasonable security to protect the child’s information.
While biometric information, including neurodata, is not explicitly covered under COPPA, children’s neurodata, if used to identify a particular child, could be swept into the law as a “persistent identifier,” which is covered under COPPA. Additionally, the Federal Trade Commission (FTC) is currently considering amending COPPA to include biometric data.106 It is yet to be seen whether biometric data will be swept into a new iteration of COPPA, and whether the definition of biometrics would cover neurodata. Regardless of whether neurodata will be specifically covered under COPPA, developers should be aware that BCI games and other toys that connect to the Internet and collect children’s other personal information, such as name, address, image, or audio recording, could potentially fall under COPPA.
Other potentially applicable laws in this space are certain state biometric laws, which provide a number of rights to individuals over their data and place requirements on companies collecting biometric data, including but not limited to: prohibitions on collecting, processing, using, or sharing biometric information without prior opt-in consent; data security requirements that meet industry standards; and (in the case of the Illinois law) the ability for individuals to bring private rights of action for violation of the law. However, none of these laws explicitly cover neurodata. Some state biometric laws define biometrics narrowly and are less likely to be interpreted to cover neurodata as written today. For instance, the Illinois Biometric Information Privacy Act (BIPA) defines a biometric identifier as being limited to: “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”107 Other state biometric laws such as the Washington law (WASH. REV. CODE § 19.35.010) define biometric identifiers more broadly as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.”108 State biometric laws with broader definitions of biometric identifiers, like that in Washington state, could cover personal neurodata if it is used as an identifier.
Additionally, comprehensive privacy laws, such as the EU’s General Data Protection Regulation (GDPR)109 and the California Privacy Rights Act (CPRA)110 could cover personal neurodata with their broader definitions of biometric data. However, current laws that could cover personal neurodata are framed in terms of the ability to identify an individual based on biometric data. Concepts such as “biometric psychography” and accompanying inferences may not be interpreted as covered under these laws.
C. Employment and Training BCIs Can Monitor Employee Engagement During High-Risk Tasks, Report Employee Cognitive Data to Employers, Modulate Employees’ Neural Signals to Improve Their Abilities, and Provide New Tools to Efficiently Complete Tasks
One of the most prominent uses of BCIs in the employment and industry context is measuring engagement during high-risk tasks. Engagement-measuring technology is marketed for jobs where attention is crucial for performance and prevention of physical harms, such as those in sports or transportation. One noteworthy engagement-measuring BCI is Life, developed by Smartcap,111 which features an EEG headband that fits inside hardhats, trucker caps, and other headgear and notifies truckers and employers when they are drowsy or inattentive while driving.112 Life and similar technologies are intended to combat the estimated 70% of trucking accidents caused by fatigue.113
Other engagement-measuring BCIs combine neurodata with other biometrics to measure and encourage employee engagement. AttentivU is a pair of glasses fitted with both EEG electrodes measuring neurodata and sensors for tracking eye movements.114 The technology combines these data streams to draw conclusions about the wearer’s fatigue, engagement, and cognitive load. The device indicates to the wearer when their attention level changes through audio feedback and a connected vibrating scarf.
Other BCIs in the employment context are used to collect information related to workers’ moods.115 In some Chinese factories, state-owned companies, and various transport contexts, workers are required to wear BCI headsets that collect neurodata to measure not only their attention, but also sudden negative mood changes like acute anxiety, rage, or pronounced distress.116 Similarly, one could imagine a sort of “HR dashboard”117 in which employee engagement or moods are accessed by management, who could use this data for purposes such as gauging efficiency, managing workloads, or tracking worker happiness levels, or to make employee hiring, firing, or promotion decisions.
Additional research efforts are underway for the development of BCIs as lie detectors.118 While much of this research is occurring in the law enforcement, government, and military space, these technologies may have implications in the private sector, especially for employees who work on confidential projects.
Modulating BCIs in the employment space are touted as a tool for improving workers’ performance and ability to multitask in fast-paced environments through the use of transcranial direct current stimulation (tDCS), developed by companies such as Caputron.119 tDCS involves a headset fitted with electrodes inside sponge inserts that conduct electricity from the wearer’s scalp.120 While the use of tDCS is not yet widespread in the employment context, some early tests show that the technology could enhance multi-tasking efficiency by approximately 30%.121
Some forecasts suggest BCIs will be used for job training by requiring invasive BCI technologies, which are directly installed into the user’s brain.122 Elon Musk’s Neuralink company promotes the aspirational goal of installing “neural lace,” consisting of many tiny electrodes, into the brain.123 A tissue-like lace overlay that drapes over parts of an individual’s brain would have numerous advantages over devices that only pick up signals in certain regions. Such an overlay could yield a fuller representation of the wearer’s thoughts. Further, invasive implants could avoid some of the safety pitfalls of non-invasive devices that have the potential to break blood vessels or injure tissues. However, invasive implants necessarily involve surgery, which comes with its own set of risks.
One of Musk’s goals is to make Neuralink users, whether they use the neural lace technologies or another variety of BCI, “smarter” by improving memory and aiding decision-making, crucial during a high-pressure or time-sensitive task. While these innovations appear far from fruition, Neuralink is currently testing neural lace technology on animals, and is planning to conduct its first human tests in 2021.124 Additionally, early work has shown that certain BCIs might enhance episodic memory—the ability to recall and reexperience memories from the past.125
Other non-invasive neurotechnologies show promise in enhancing employee abilities. Companies like Facebook are looking to integrate non-invasive EMG wristbands into emerging technologies, such as virtual or augmented reality, which can collect signals from a user’s motor neurons to capture the user’s intent to move their fingers or other appendages.126
Additionally, researchers developed an invasive BCI that allows users to type by thinking about writing specific letters.127 While this technology is far from mass market—and given its invasive nature might be best suited to provide accessibility to patients with paralysis—such technological breakthroughs could have widespread impact on the employment landscape. This could result in users performing tasks such as typing with their minds at a faster rate than the dexterity of their hands would typically allow. Such devices might one day change how workers send emails, code programs, or communicate with colleagues.
1. Employment BCI Risks Include: Eroding Worker Privacy While Chilling Behavior, Making Impactful Decisions About an Employee Based on Inaccurate Science, A Lack of Employee Control Over Their Neurodata, Workers Questioning Their Identity; and More
BCIs that monitor employee engagement during high-risk activities might effectively promote safety and save lives. However, such technologies could compromise employee privacy and autonomy. An employee who is knowingly being monitored might increasingly distrust their employer, lose morale, or chill their behavior—including union organizing.128 On the other hand, some might view the collection of a limited neurodata set for safety purposes as less privacy-invasive129 than other technologies like in-vehicle cameras.130 However, even if the collection and analysis of neurodata is less privacy-intrusive (a claim very much up for debate), employees might have equal or greater feelings of being surveilled given the nascence, opacity, and complexity of a technology recording data from their brain.
FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 19
Privacy questions also emerge around whether the employee, employer, both, or neither ultimately should have control over employee neurodata. This is further complicated when an employer institutes a bring your own device (BYOD) policy, in which case the employee might own their own device, but the employer might have control—in full or in part—of the employee’s associated neurodata. Comprehensive privacy laws, such as the CPRA, provide a number of rights to individuals as consumers over their personal data—such as the right to access, correct, delete, or export their personal information—but do not currently extend these same rights to employees. However, the CPRA will be extending its protections to employees beginning in 2023. A lack of employee control over their data could further erode employee trust, reduce autonomy, and open the door for recorded neurodata to be used for purposes unrelated to their employment, such as building advertising profiles. Their data might also be used for purposes which could inadvertently violate worker privacy involving health data (e.g., influencing insurance coverage) or litigation (e.g., workman’s compensation).
Relatedly, many risks stem from the ability—or lack thereof—of employees to consent, or not, to being monitored or having their brains modulated. Even in situations where employers will only monitor or modulate employees’ neurodata upon obtaining express consent, inherent power imbalances between employers and employees create a dynamic where employees could be less willing to refuse to consent, or opt out, of monitoring for fear of retaliation, losing out on a promotion, or reducing chances for a raise. There is also the concern of fairness between employees based on their choice to use the technology or not, since a disparity in information and engagement by employees who opt in vs. those who opt out could make it more difficult to equitably judge performance between workers.
Risks around employee monitoring are further heightened when employers make decisions about employees based on this data. Decisions based on the collection of employee neurodata could include disciplinary measures, hiring and firing decisions, and other potentially adverse actions. Concerns are exacerbated as experts have questioned the accuracy of some emotion detection131 technology using neurodata or other biometric inputs,132 meaning that employees could be unjustly punished or inappropriately rewarded, based on inaccurate and unproven science. Additionally, emotion detection is gaining traction in the US in contexts such as job recruitment,133 which could include the collection and analysis of neurodata in the near future.
Employees who use stimulating BCIs to enhance cognitive and work performance might question their own identity and psychology.134 Studies have shown that the emotional or behavioral changes in patients might cause them to question whether their psychological state is attributable to the BCI or to themselves.135 Workers questioning their identity could reduce or confuse their sense of agency, their capacity to make decisions, and their identity as human beings both in and outside of the workplace.136
2. Workplace Monitoring, Collective Bargaining, and Employee Privacy Laws Apply to BCI Use in Some Employment Contexts
Workplace monitoring laws place limitations on some types of BCI-based employee monitoring. The Electronic Communications Privacy Act (ECPA) prevents employers from monitoring employees’ personal phone calls but allows them to monitor “workplace communications,” especially when those conversations take place on company devices like company-owned computers and telephones.137 Existing anti-discrimination measures, including the Americans with Disabilities Act (ADA),138 may restrain employers who would use the results of a BCI that reveals a disability in hiring or firing decisions.
U.S. law grants employers broad leeway in defining workplace privacy policies for at-will employees. By contrast, unionized employees, who comprise roughly 11% of the total American workforce, often stipulate enhanced workplace privacy protections as part of collective bargaining agreements.139 The types of protections vary depending on the circumstances, but they typically limit the use of workplace monitoring systems known as “management by algorithm,” which are new forms of monitoring and surveillance using data generated by workers—potentially including neurodata—that could exacerbate discrimination and systemic inequality.140 The GDPR recognizes the inherent power imbalances between employee and employer for activities such as employee monitoring by noting that consent can only serve as a lawful basis for processing employee personal data under exceptional circumstances.141
The use of BCIs as lie detectors in the employment space remains limited, but there are federal laws that specifically protect employee privacy in a narrow manner. The Employee Polygraph Protection Act protects potential employees (absent some exceptions) from hiring or firing practices on the basis of a lie detector result.142
Other regulations of note include state microchip laws, which generally prohibit employers or organizations from requiring employees to be implanted with microchips.143 Today employers are not requiring or offering that employees install invasive BCIs or other neurotech into their brains, but there are non-neurotech examples of employees who have the option of being “chipped” by employers.144 Organizations engaged in employee tracking should be cognizant of these microchip laws and should consider how a future, invasive BCI would be covered under these legal regimes.
D. BCIs in Education Record Neurodata to Help Inform Individualized Learning Models and Provide Real-Time Feedback to Students and Teachers on Student Engagement and Progress
Proponents of BCIs in education argue that BCIs can help students in both K-12 and higher education learn, retain information, pay attention, increase empathy, and improve academic achievement.145 Recent developments in educational BCIs are cited as helping optimize students’ workload and curriculum difficulty in response to individual needs.146 It is widely recognized that learning is optimized when educational materials map to a student’s cognitive strengths.147 Digital learning environments implementing BCI technology would gather neurodata from students using EEG, and estimate the difficulty of workload based on a student’s brainwaves.148 The tools can then adapt the difficulty of assignments in real time to maximize learning. One of the celebrated elements of customized learning occurs when the material meets the “Goldilocks test,” which measures task achievement as neither too easy nor too difficult, but just right.149
Addressing a different aspect of learning, some education technology companies are developing BCIs that measure students’ classroom attention levels. For example, BrainCo, Inc. is developing BCI technology that involves students wearing EEG-fitted headbands in class.150 The students’ neurodata is gathered and displayed on a teacher’s dashboard which is said to provide insight into student attention levels. Student metrics may also be shared with students’ parents, keeping them up-to-date on their children’s performance in class.151
1. Educational BCI Risks Include: Making Decisions About Students’ Cognitive Abilities Based on Inaccurate Inferences, Chilling Student Speech, and Perpetuating Injustice
A major risk in the education field arises from inaccurate or incomplete neurodata used to make inferences about students’ cognitive abilities.152 In many ways these concerns mirror those found in the employment space. Measuring a student’s brain signals to gauge attention levels or ability to grasp certain material using inaccurate and not well-understood data, and then using this information for making important decisions about a student’s engagement, achievement level, or academic potential could result in miscategorizing a student as either a strong or struggling student. Neurodata can be unreliable or inaccurate for a number of reasons such as: poorly fitting devices; devices not containing enough sensors; sullying the quality of a dataset from facial or body movements; or faulty, not well understood, and not well tested underlying science. This could put students at risk for incorrect penalties for inattentiveness or other perceived behaviors. Further, requiring students to wear EEG headsets might “chill” a student’s speech (or thoughts) if they feel they are being surveilled, as previous studies on the effects of being monitored have shown. Moreover, feelings of being surveilled could reduce student and parent trust in the school and the educational system as a whole.
This chilling of speech could be doubly true for students with a perceived history of acting out in school, students who are particularly vulnerable, have learning differences such as ADHD,153 struggle with mental health, or come from communities heavily surveilled by law enforcement or others. This could be especially true when BCIs are used exclusively or disproportionately among certain subgroups of students or in disciplinary settings, such as detention.154 The Health Advanced Research Projects Agency (HARPA)155 has looked into surveilling students’ social media activity. This sort of school safety measure in combination with neurodata could lead to further limiting students’ need to appropriately “vent” online, or drawing inaccurate conclusions related to the content posted online by students. While educational BCIs are sometimes touted as leveling the playing field for students, disproportionate use of BCIs, or BCIs used among certain groups of students, could increase rather than relieve injustice. Moreover, the tracking of students’ cognitive processes and taking action based on this tracking could lead to further stigmatization of learning differences or mental health concerns.156
2. Federal, State, and Local Student Data Laws Typically Place Requirements on Schools and Neurotech Companies Collecting, Using, and Sharing Personal Neurodata, While Granting Rights to Students and Parents
While BCIs may introduce unprecedented collection and sharing of neurodata in the education context, there are dozens of privacy regulations that touch on education privacy at the local, federal, and international level. Currently, all 50 states and Washington, DC have introduced student privacy legislation, each with its own requirements.157 Not all of this legislation would have bearing on BCIs; however, schools, teachers, and BCI companies should be cognizant of the applicable laws and provisions in each state where the technology is used. In addition, stakeholders should be aware of school and district-specific policies and best practices governing student data as well as the concerns of parents and school boards. Developers and purveyors of BCI technologies should proactively and transparently communicate their practices to engage and empower parents and community leaders.
At the federal level, there are a variety of privacy regulations that specifically impact education. One of the most relevant is the Family Educational Rights and Privacy Act (FERPA),158 which protects education records at all schools that receive federal funding.159 Education records contain information directly related to an individual student and are maintained by an educational agency or institution or by a party acting for the agency or institution. In certain contexts, a student’s personal neurodata could be part of an education record falling under the protection of FERPA—which includes biometric records.160 Parents and guardians hold a number of rights over their children’s data (students themselves hold these rights when over the age of 17), while restrictions are placed on school officials maintaining education records.161 For example, school officials might not be permitted to disclose personal neurodata collected from students to third parties without express consent from parents and guardians.
E. Research Efforts are Underway for Integrating BCIs Into Smart Cities and Communities for Enhanced Communication for Construction and Public Safety and for New Methods of Control for Connected Vehicles
One of the more future-facing sectors for BCIs is the smart cities and smart communities162 space where researchers look to integrate BCIs into smart vehicles and urban planning and construction design. In the US today, technological mapping of public and private spaces is becoming ubiquitous, and a number of emerging technologies have already entered the smart city arena.163 For example, sensors and other technologies are increasingly integrated in: transportation including smart cars and bike share services; utilities including smart power grids and smart water meters; telecommunications including public broadband; government services including gunshot detectors and parking monitoring; and environmental monitoring including smart trash cans and environmental sensors.164 In the future, neurotechnologies could serve as another set of sensors—in this case collecting neurodata—for aiding city and transportation efficiency, public safety, and energy monitoring.
BCI research is increasingly focused on integration into smart cities and communities for enhanced communication promoting efficiency and safety. For example, Neurable165 and Trimble166 recently announced that they are utilizing BCIs alongside technologies like GPS to provide training and safety services for the transportation, architecture, engineering, and construction industries.167 Such technologies could provide voice-free and hands-free communication interaction between construction workers and engineers, while also providing analytics for tracking training efficiency and worker and citizen safety.168 Firefighters, paramedics, and other public protection workers could benefit from this technology, and could operate as members of an integrated team if able to directly collaborate with one another via BCI.169 One could imagine firefighters operating in conjunction, and with greater safety, if they could communicate in real time without the need for a voice interface, or in the case of voice and other communication outages. Similar research into BCIs as communication devices is prevalent in the military context with projects such as Silent Talk, allowing soldiers to communicate via neural signals without the need for verbal speech.170
Other BCI research focuses on transportation. As early as 2014, researchers proposed a prototype for a Bluetooth-enabled BCI that could control a smart car.171 Research and prototypes involving BCIs for connected vehicles are still in the early phases.172 But as the connected vehicle landscape expands, BCIs and other neurotechnology could be increasingly integrated into connected vehicles for purposes such as vehicle control or monitoring drivers’ attention levels behind the wheel. Recent innovations include Hyundai’s Mr. Brain project, which is designed to measure a driver’s attention through collecting brainwaves using an earpiece sensor.173 The device can be connected to a companion smartphone app that notifies the driver when they are losing their concentration.174
Moreover, research into BCI-controlled drones is currently underway.175 The ability to control smart cars, drones, or other vehicles could promote accessibility to those who lack the motor functions to control vehicles today and could promote safety by monitoring driver fatigue levels and warning drivers when they are drowsy behind the wheel.
1. Privacy Risks of BCIs in the Smart Cities and Communities Space Include Increased Surveillance, Public Safety Concerns, and Exacerbating the Digital Divide
Near-term BCI innovations in smart cities will likely augment existing sensors, potentially heightening existing privacy concerns in the smart cities context. A major flashpoint in the privacy debate today relates to both public and private surveillance of communities, especially those that have been historically surveilled and over policed. Advocates have pinpointed technologies such as facial recognition, license plate readers, cell site simulators, and drones as more privacy invasive than traditional surveillance technologies such as cameras or wiretaps, given their power to locate a vehicle, device, or person among a crowd of many and their potential to gather associated metadata, personal information, or content of communications. Privacy risks are magnified when these technologies are deployed in historically surveilled communities by reducing individual privacy rights, chilling speech, eroding public trust, and perpetuating systemic inequalities related to race, social status, gender, national origin, and other sensitive attributes.
Integrating neurotechnology sensors into community architecture, vehicles, and the public square could lead to the collection, storage, and sharing of neurodata by law enforcement for surveillance purposes. Combining neurodata with other personal information could lead to even more invasive surveillance than individuals are currently experiencing.
Other concerns emerge around public safety. Early prototypes of vehicles controlled fully, or in part, by an individual’s brain signals cannot be operated with the same precision as vehicles controlled with steering wheels, controllers, or other haptics. It is unlikely that vehicles controlled solely by the mind will enter the market in the near future, but new public safety questions will emerge around vehicles controlled by BCIs.
Concerns related to the exacerbated digital inequity could also be prevalent in the smart cities space. Communities that are already more connected and have adopted smart city technology will be more likely to have the infrastructure in place and resources available to implement BCIs in public. On the other hand, communities that lack these same technological investments are less likely to be early adopters and could fall further behind, only increasing the digital divide at national (wealthy vs. low-income neighborhoods and communities) and international (global north vs. global south) levels.
2. BCIs in Smart Cities Are Starting to be Governed176 by a Mix of Legal Frameworks
While companies developing smart cities technology are responsible for complying with privacy, security, and other related regulations, ultimately it is often up to local governments to regulate emerging technology integrated into modern, connected communities. Local laws, ordinances, and frameworks contain their own idiosyncrasies, often vary between localities, cities, and states, and sometimes are written to align with the particular values of their communities. However, it is important to recognize that local ordinances and regulations are sometimes subject to preemption by state or federal regulation.
On the international level, laws governing smart cities technology could contain vast differences, often highly dependent on differing cultures and government systems. For example, cultures that place a greater emphasis on individual freedom might codify individual rights and obligations on emerging technologies differently than communities that place a greater emphasis on collective wellbeing. Smart city infrastructure and associated emerging governance are already complicated at the baseline, and the potential integration of BCIs into this space will only make technical and regulatory considerations more complex. As such, it remains to be seen how the BCI smart city landscape will unfold and what the ultimate privacy implications will be.
F. Neuromarketing Involves Recording Neurodata to Gain Insight Into Individuals’ Reactions, Preferences, and Motivations When Encountering a Product or Service
Neuromarketing generally refers to collecting physiological and neural signals for the purposes of learning about individuals’ reactions, mood, preferences, and motivations when purchasing or using a product or service.177 Neuromarketers typically use two brain scanning methods—functional magnetic resonance imaging (fMRI) and EEG.178 fMRI offers researchers deeper and potentially more accurate insights into how consumers make decisions based on various stimuli than the more accessible and less expensive EEG methods.179 In one well-publicized study using fMRI scanning, participants were asked to drink unlabeled soft drinks.180 Absent brand cues, participants displayed little preference for either Coca-Cola or Pepsi; however, when given brand cues around which beverage they were drinking, participants displayed heightened brain activity in areas correlated with recall and memory.181 These tests revealed positive feelings like nostalgia when it came to the participant’s preferred drink.182 Understanding why individuals choose the products and services that they do poses untold benefits for advertisers.183 Where fMRI is too inaccessible or expensive, neuromarketers turn to less accurate, but more accessible, portable, and less expensive EEG methods.184
Often in tandem with fMRI or EEG technology, neuromarketing researchers gather information from sources other than direct neural signals. Alternative tracking methods include: eye tracking, pupil dilation, skin conductivity, and facial expression coding as a way to quantify attention, arousal, and psychology. When neurodata is combined with these other inputs, the advertising profiles tied to individuals will become increasingly granular and more attractive to advertisers, third parties, and other stakeholders in the advertising technology ecosystem looking to share, sell, and place more impactful behavioral ads to these individuals across the Internet.
1. Neuromarketing Risks Include the Repurposing of Personal Neurodata for Advertising, Promoting Addicting or Unhealthy Behaviors, and Inadequate Consent When Collecting or Sharing Involuntary Neurodata Due to Poor Transparency
The adoption of BCIs across numerous sectors could pose unprecedented privacy risks within the ad tech ecosystem. While granular user profiles for advertising purposes exist today, adding neurodata would further animate already detailed profiles, revealing more details about a particular individual and inferences about their preferences. Many BCIs across various sectors, by their very nature, collect personal neurodata. Organizations collecting and retaining personal neurodata—and other related information—for various purposes could be incentivized by advertiser dollars to share or sell this data for advertising.
Further, the use of neurotechnologies in marketing could provide stakeholders insight into new and sensitive inferences about an individual’s sexual preferences, arousal, health, and other especially sensitive details. Not only could this offend individuals’ notions of privacy and erode user trust, but it could also incentivize the further collection of especially sensitive information, encouraging the creation of increasingly granular, and sensitive, profiles sought after by advertisers for delivering more impactful behavioral ads. If taken too far, granular and accurate profiles could lead to serving advertising content which encourages addictive activities related to content consumption, gameplay, gambling, or promoting unhealthy habits. Granular profiles built from inaccurate biometric data collection can also lead to inaccurate conclusions about individuals and can falsely target advertising content to them.
Additionally, the privacy risks and associated consequences could extend well beyond frustration or annoyance when advertising profiles are shared or sold to third parties for purposes other than advertising. One could imagine a scenario where impactful decisions could be made about individuals based on advertising profiles, such as health care premiums determined in part by a user’s preferences for a “healthy” or “unhealthy” diet based on both buying decisions and how their neurons react to certain food.
Moreover, mood and eye tracking software—as it exists today—can collect involuntary responses of a user in reaction to stimuli. Involuntary responses could be especially valuable to advertisers because they could reveal unfiltered user preferences ripe for impactful behavioral advertising. The tracking of involuntary responses makes user transparency and control especially difficult because it is often happening without user awareness. The current widespread model of companies’ terms of service and privacy policies stating information such as: “we will be collecting data from this device and software to understand more about you,” would well miss the mark of providing transparency to users. Organizations engaged in tracking involuntary brain signals and other biometric or physiological measurements from users might rethink current consent protocols, as well as transparency and explainability models, for providing both an accurate and clearly understood snapshot of what data is being collected from users and for what purposes.
2. Neuromarketing is Potentially Governed by Comprehensive Privacy Laws, FTC Enforcement Authority, and Neuromarketing-Specific Codes of Ethics
State laws such as the CPRA provide a number of rights to consumers, including rights of access, information, deletion, portability, and the right to opt out of “selling” personal information, while placing new obligations on businesses. Personal neurodata is not specifically mentioned in the law, but such information could be classified as “biometric information”—covered and broadly defined under CPRA. The CPRA offers a specific opt out of “cross contextual behavioral advertising” (aka advertising targeted to an individual based on their behavior online).
In addition to comprehensive privacy laws, the Federal Trade Commission (FTC) has authority to investigate, under Section 6 of the FTC Act, and authority to enforce penalties on the basis of deceptive and unfair trade practices—including those related to advertising—under Section 5 of the Act.185
Other than laws and agency enforcement, voluntary self-regulatory initiatives could also inform this space. The Neuromarketing Science & Business Association’s (NMSBA’s) Code of Ethics enshrines commitments around integrity; consent (including requiring informed consent from parents when studies involve children); transparency; and privacy.186 These ethics codes could act as tools to educate and guide organizations wading into this emerging and unique sector of advertising. Additionally, the United Nations Convention on Rights of the Child has called for the specific prohibition of certain forms of advertising to children, including neuromarketing, signaling that some policymakers view neuromarketing as creating heightened risks for vulnerable populations, such as children.187
G. Military BCIs include Restorative Devices, Communications Tools, Vehicle and Weapon Control, Deception Detection, and More
Today, military use of BCIs is largely non-invasive and focused on the creation of restorative devices for injured service members.188 However, the U.S. and China have explored the viability of BCIs as next-generation weaponry. In the U.S., the Defense Advanced Research Projects Agency (DARPA) recently announced $104 million in funding to support its Next-Generation Nonsurgical Neurotechnology (N3) program, which provides funding for researchers to develop high-performance brain-computer interfaces for military service members.189 These devices are intended to be non-invasive, allowing “super-warriors” to control drones and other vehicles with their brain signals during complex military operations.190 Other military research includes BCIs for communication between military personnel, such as Silent Talk, in which personnel communicate via neural signals without the need for verbal speech or gestures.191
Much of the research in the military space is informed by breakthroughs from other sectors. Notably, DARPA recently awarded a number of grants to BCI researchers,192 including a project from the University at Buffalo in which neurodata is collected from videogamers during gameplay in hopes of using this data to train future advanced AI robots for military use.193 The military has expanded its research into deception detection using BCIs, taking a page from law enforcement and other defense offices’ use of polygraph research.194
Innovations in invasive BCIs in the civilian arena adopted for military use could lead to massive breakthroughs with implications for both modern warfare and society at large. For instance, DARPA’s Restoring Active Memory (RAM) program aims to help with memory recall and formation for service members suffering brain injury through the use of an invasive BCI.195 RAM involves similar technology and methods as invasive BCIs that have proved effective for stroke, Alzheimer’s, and head injury patients.196
1. Risks Associated with Military BCIs Include Hacking, Reduction in Battlefield Teamwork, and Physical and Mental Harm
Use of BCIs on the battlefield leads to risks such as disruption of service or interception of signals by adversaries.197 Like other technologies deployed by the government and military, BCIs could become the latest system that could be compromised by hackers. BCIs that collect and record brain signals could open the door for enemies to gain access to communications, strategy, and secrets. More troubling is the possibility of hackers gaining control over modulating BCIs and physically and mentally harming military personnel.
Additional risks relate to an erosion of teamwork
and comradery between soldiers on the battlefield
and in training when using BCIs for communica-
tion.198 While it is possible that communication
between soldiers using BCIs could increase bond-
ing and trust, encouraging soldiers connecting to
one another through a new and currently limited
technology could also erode cohesion, comradery,
and a group dynamic important for encouraging
cooperation between military personnel.
Other concerns are more future-facing. While
BCIs are not currently being deployed for torture
or pacification, developers in his space would be
wise to consider the ethical implications of using
BCIs for these purposes. Controversy and ethical
concerns around the military’s use of torture have
existed for decades, and BCIs could offer another
avenue for a military organization to engage in
these activities. Additionally, weapons that target
neurodata and nervous systems may proliferate,
such as uncharacterized directional phenomena
in the form of vibration, pressure, and sound such
as those experienced by U.S. military personnel in
Havana, Cuba.199 Time will tell whether BCIs are
used for these purposes and whether they will be
more or less humane than current methods.
2. Some Military Use of BCIs is Governed by Military Ethics, International Treaties, and U.S. Constitutional Law

While BCIs in the military are still nascent, there are existing military ethics guidelines200—and international treaties such as the Geneva Convention201—that could prohibit future use of invasive BCIs on subjects without consent.202 However, it is important to note that to our knowledge, today there are no military regulations limiting the use of non-invasive transcranial stimulation in particular for torture, pacification, or interrogation.203

Military BCIs might also be governed by U.S. constitutional law depending on their use. BCIs used for purposes such as deception detection could violate the Fifth Amendment’s “guarantee against self-incrimination” because collecting a soldier’s thoughts might not constitute a permissible physical piece of evidence.204 Moreover, BCIs used for this purpose could run up against the Fourth Amendment as an unreasonable search and seizure.205 However, others argue that Fourth and Fifth Amendment protections might not apply to neurodata collected by BCIs because of a history of real-time collection of medical data being admissible as evidence in a court of law and the third-party doctrine resulting in users forfeiting their expectation of privacy over data shared with a company.206 Various international treaties might also govern BCIs used for interrogation. If it is determined that a BCI is used in conjunction with a “toxic chemical”—defined as a chemical that can cause “temporary incapacitation”—this could be in violation of the Chemical Weapons Convention (CWC).207
Part III: A Mix of Technical and Policy Solutions Can Mitigate Risks

Responsible use of BCIs and associated neurodata is paramount in the health and wellness area, as well as the consumer and military contexts. A diverse and inclusive list of international stakeholders spanning end-users, directly and indirectly impacted communities, interested or invested industries and marketplaces, academia, and governments, and others must commit to articulate a vision for how technology, law, and policy can shape these services in a way that is beneficial to all with sufficient privacy protections.

The challenges in meeting this goal are significant. While BCIs have shown demonstrable benefits for healthcare for a number of years, the technology—especially in the consumer market—is in its infancy. With a scant number of exceptions—most notably BBI technology—breakthroughs in health services have informed BCI use in the consumer market. Open questions emerge around how moving this technology into the consumer space evolves the privacy and ethical risks seen today in the health context. Moreover, because the uses of this technology are often especially future-facing—even as compared to other emerging technologies—there is no way to comprehensively and accurately predict the specific risks that will emerge in the decades to come. Allowing these technologies to evolve absent strong accountability and enforcement frameworks will result in substantial risks. The guidelines, frameworks, and regulations cited throughout this work—including GDPR, CPRA, OECD Guidelines, and the proposed EU AI framework—could serve as a foundation for future rules governing BCIs. But regulation must be cognizant of the need to provide a structure for future technological advances and uses, as well as new risks. Moreover, in addition to laws, the proposition that existing human rights conceptualizations need to be updated to reflect these concerns is gaining momentum in some neuroscience spaces—this is an idea around which further discussion is warranted (see the call-out box below on neurorights). The grand challenge of promoting strong privacy protections for BCIs will require a mix of technical and non-technical solutions. While not comprehensive or definitive, the following suggestions provide a starting point.
Case Study: Neurorights in Chile

On October 25, 2021, the Chilean government approved a constitutional reform208 to protect “the mental integrity of neurotechnologies.”209

Chile is also considering a neuroprotection bill,210 based on five fundamental human rights-based principles: the right to personal identity, free will, mental privacy, equitable access to technologies that augment human capacities, and the right to protection against bias and discrimination.211 The bill would likely limit the use of neurotechnologies and associated neurodata to clinical and health research and therapy, meaning that many of the consumer-focused use cases described in this report would likely be prohibited. The bill also provides a number of noteworthy rights and requirements including: obtaining express, opt-in consent from the user when engaging with neurotechnology; providing notice of possible physical, cognitive, or emotional effects of the treatment; retaining neurodata for only the time necessary to carry out the purpose for which the neurodata was collected; and requiring the state to promote equitable access of neurotechnologies in the public interest.

Perhaps most noteworthy, the bill calls for the collection, storage, treatment, and dissemination of neurodata to be treated as an organ under Chilean organ transplant law.212 This treatment of data as an organ could create practical consequences, while significantly limiting both medical and non-medical use of neurotechnologies and neurodata, including: prohibiting the selling of personal neurodata to neuromarketers and researchers; prohibiting the collection of neurodata from patients 18 years old and younger; and prohibiting neurotechnology-related treatment for patients who do not have full use of their mental faculties and do not have a positive physical fitness report.

Philosopher Abel Wajnerman Paz argues that analogizing neurodata with organ transplants is not a logical fit because neurodata, unlike an organ, contains no organic material, is produced by others outside human bodies, and requires “elaborate construction by clinicians and researchers.”213 Dr. Paz provides an alternative avenue for regulating neurotechnologies, suggesting instead regulating neurodata as intellectual property. Dr. Paz argues that this could enable the data subject to financially benefit from sharing their neurodata and may lead to creating large data repositories needed for Parkinson’s and Alzheimer’s research.214
A. Technical Solutions Include: Providing On/Off and App Controls to Users; End-to-End Encryption of Neurodata, Privacy Enhancing Technologies, and More

1. Developers Should Provide On/Off Controls Where Possible and Provide Granular Controls on BCI Devices and Companion Apps

The notion of on/off controls for tracking technologies as a form of privacy protection is not new; however, the need for some BCIs to be “always on,” or on for extended periods, especially in the health context, complicates the debate around such devices. In the consumer context, an “always on” default is typically not essential for the device to function properly. In these cases users should have a clear and definite way to control when BCIs are on or off with a hard on/off switch on the device, or through on/off controls readily accessible through a companion app. As with other devices, there are considerable privacy risks when a BCI is always gathering data or when it can be turned on unintentionally, collecting data without the user’s knowledge.215 These risks are magnified when BCIs record personal neurodata that could be combined with other information over time to draw vast and sensitive inferences about the personal lives of users.

In addition to on/off controls, BCI companies developing and deploying BCIs should provide granular controls to users for managing their neurodata, and other associated personal information. Many consumer BCI devices rely on companion mobile apps, which should provide user controls. While companies and device manufacturers ultimately have the best understanding and expertise regarding what data is necessary to operate BCIs, user controls are crucial safeguards to ensure that individuals can manage data collection, deletion, use, and sharing.
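The following is an added example, not code from the report or from any BCI vendor, of how a companion app could enforce the controls described above in its ingestion path: a hard device switch, an explicit user-started session (so a device that powers on unintentionally does not silently record), per-purpose toggles for storage and sharing, a retention limit, and user-initiated deletion. All names (Controls, Pipeline, the purpose labels) and the sample readings are constructed for illustration.

```python
"""Consent-gated neurodata ingestion for a BCI companion app (hypothetical design)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Purposes the user can toggle individually. Names are assumptions for the example.
PURPOSES = ("local_storage", "cloud_backup", "share_research", "share_third_party")


@dataclass
class Controls:
    device_on: bool = False      # state of the hard on/off switch reported by the device
    user_armed: bool = False     # the user explicitly started a recording session in the app
    purposes: Dict[str, bool] = field(default_factory=lambda: {p: False for p in PURPOSES})
    retention_seconds: int = 7 * 24 * 3600


@dataclass
class Sample:
    t: int                  # capture time in seconds (constructed)
    channels: List[float]   # e.g. EEG channel amplitudes in microvolts (constructed)
    device_id: str          # hardware identifier the app should not propagate


@dataclass
class Stored:
    t: int
    channels: List[float]   # identifiers are deliberately absent from what is kept


class Pipeline:
    def __init__(self, controls: Controls):
        self.controls = controls
        self.store: List[Stored] = []
        self.audit: List[str] = []   # user-visible log of refusals and deletions

    def ingest(self, s: Sample) -> str:
        c = self.controls
        if not c.device_on:
            return self._drop("device_off")
        if not c.user_armed:
            # Powered on without a user-started session: treat as unintentional
            # activation and discard rather than silently keep the data.
            return self._drop("not_armed")
        if not c.purposes["local_storage"]:
            return self._drop("storage_disabled")
        # Data minimization: keep only the signal the feature needs, never the device id.
        self.store.append(Stored(t=s.t, channels=list(s.channels)))
        return "stored"

    def _drop(self, reason: str) -> str:
        self.audit.append(f"dropped:{reason}")
        return f"dropped:{reason}"

    def purge_expired(self, now: int) -> int:
        """Enforce the retention limit; returns how many samples were removed."""
        keep = [x for x in self.store if now - x.t <= self.controls.retention_seconds]
        removed = len(self.store) - len(keep)
        self.store = keep
        return removed

    def delete_all(self) -> int:
        """User-initiated deletion; returns how many samples were removed."""
        n = len(self.store)
        self.store.clear()
        self.audit.append("user_delete_all")
        return n

    def export_for(self, purpose: str) -> Optional[List[Stored]]:
        """Release data for a sharing purpose only if the user enabled that purpose."""
        if purpose not in PURPOSES or purpose == "local_storage":
            raise ValueError(f"unknown sharing purpose: {purpose}")
        if not self.controls.purposes[purpose]:
            self.audit.append(f"export_refused:{purpose}")
            return None
        return list(self.store)


def demo():
    """Walk through the control states on constructed readings."""
    c = Controls(device_on=True, user_armed=False, retention_seconds=60)
    p = Pipeline(c)
    r1 = p.ingest(Sample(t=0, channels=[1.0, -2.5], device_id="dev-0001"))  # not armed
    c.user_armed = True
    c.purposes["local_storage"] = True
    r2 = p.ingest(Sample(t=10, channels=[0.5, 0.7], device_id="dev-0001"))
    r3 = p.ingest(Sample(t=100, channels=[0.1, 0.2], device_id="dev-0001"))
    refused = p.export_for("share_third_party")   # toggle is off -> None
    purged = p.purge_expired(now=120)             # sample at t=10 is older than 60 s
    return r1, r2, r3, refused, purged, len(p.store)


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks matters: the hard switch and the armed state are evaluated before any purpose toggle, so a misconfigured app setting can never override a physically switched-off device, and the stored record type has no field for the device identifier, so minimization is enforced by construction rather than by a filter that could be forgotten.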
2. Developers Should Utilize Best Practices for Privacy and Security to Store and Process Neurodata and Use Privacy Enhancing Technologies Where Appropriate

Regardless of whether neurodata is stored and processed on a BCI device, by a companion app, or on a server operated by the BCI provider, developers should seek to maximize privacy and security. Developers should rely on storage and computing services that can meet appropriate security standards commensurate with the sensitivity of the neurodata. Developers should also look to privacy enhancing technologies as a way of maximizing the utility of neurodata, while minimizing privacy risks. Techniques could include differential privacy, in accordance with principles of data minimization and privacy by design. When appropriate, they should use de-identification methods like Privacy Preserving Data Mining (PPDM) and Privacy Preserving Data Publishing (PPDP) for stored and shared data.216 Additionally, developers should ensure sensitive personal neurodata is encrypted when in transit and at rest. These techniques could be especially useful in the BCI space, as the neurodata collected by BCIs could be ripe for data-driven research in the medical field. These techniques are often promoted as a way to maximize the utility of data for research, while minimizing user identifiability.

Researchers should also stay abreast of and implement appropriate security safeguards. Poor cybersecurity can leave systems vulnerable to hacking, data breaches, and other malicious activities, endangering user safety. Device hacking is especially dangerous as many BCIs are used for critical health management regimens. Not only could a bad actor access personal neurodata and other collected personal information, but more alarmingly control how a device modulates, or fails to modulate, a patient’s brain, resulting in physical or psychological harm. Given how quickly the technology, capabilities, and threats in this space are evolving, cybersecurity professionals should take time to consider appropriate, practical, and tailored solutions. A good starting place could be the National Institute of Standards and Technology (NIST) Cybersecurity Framework—a dynamic resource consisting of standards, guidelines, and best practices built to adapt to a particular technology, use case, and context.217
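As an added example of the de-identification and differential-privacy techniques the section recommends (this is illustration code, not the report’s or any vendor’s implementation), the block below takes constructed per-session records, strips direct identifiers and coarsens a quasi-identifier, and then releases a count and a mean band-power value through the Laplace mechanism with a privacy-budget ledger so that repeated queries cannot quietly exhaust the guarantee. The record fields, the clipping range, and the epsilon values are assumptions chosen for the example.

```python
"""Privacy-preserving aggregate release of neurodata (hypothetical pipeline)."""
import math
import random
from typing import Dict, List, Tuple

# Constructed per-session records. 'alpha_power' stands in for a per-session EEG
# band-power summary; the other fields are direct or quasi-identifiers.
RAW_SESSIONS: List[Dict] = [
    {"user_id": "u-1001", "device_serial": "SN-7A2F", "zip": "02139", "alpha_power": 12.4},
    {"user_id": "u-1002", "device_serial": "SN-7A30", "zip": "02142", "alpha_power": 9.8},
    {"user_id": "u-1003", "device_serial": "SN-7A31", "zip": "94103", "alpha_power": 15.1},
    {"user_id": "u-1004", "device_serial": "SN-7A32", "zip": "94110", "alpha_power": 47.0},  # outlier
    {"user_id": "u-1005", "device_serial": "SN-7A33", "zip": "02139", "alpha_power": 11.3},
]


def deidentify(rows: List[Dict]) -> List[Dict]:
    """Drop direct identifiers and generalize the ZIP code to its 3-digit prefix."""
    out = []
    for r in rows:
        out.append({"zip3": r["zip"][:3], "alpha_power": float(r["alpha_power"])})
    return out


class PrivacyBudget:
    """Tracks cumulative epsilon spent across releases (basic sequential composition)."""

    def __init__(self, total_epsilon: float):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF from a uniform draw in (-0.5, 0.5)."""
    u = rng.random() - 0.5
    u = max(min(u, 0.5 - 1e-12), -0.5 + 1e-12)   # keep log() finite
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def clipped_mean_sensitivity(n: int, lower: float, upper: float) -> float:
    """Changing one record moves a clipped mean of n values by at most (upper-lower)/n."""
    return (upper - lower) / n


def dp_mean(values: List[float], lower: float, upper: float, epsilon: float,
            budget: PrivacyBudget, rng: random.Random) -> float:
    if not values:
        raise ValueError("no values")
    clipped = [min(max(v, lower), upper) for v in values]   # bound each user's influence
    budget.charge(epsilon)
    scale = clipped_mean_sensitivity(len(clipped), lower, upper) / epsilon
    return sum(clipped) / len(clipped) + laplace_noise(scale, rng)


def dp_count(n: int, epsilon: float, budget: PrivacyBudget, rng: random.Random) -> int:
    budget.charge(epsilon)                  # a count has sensitivity 1
    return max(0, round(n + laplace_noise(1.0 / epsilon, rng)))


def release(rows: List[Dict], epsilon_each: float, total_epsilon: float,
            seed: int) -> Tuple[int, float, float]:
    """De-identify, then publish a DP count and DP mean; returns (count, mean, spent)."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon)
    clean = deidentify(rows)
    powers = [r["alpha_power"] for r in clean]
    n = dp_count(len(powers), epsilon_each, budget, rng)
    # Clipping range is an assumption a real pipeline would set from the device's physics.
    m = dp_mean(powers, lower=0.0, upper=30.0, epsilon=epsilon_each, budget=budget, rng=rng)
    return n, m, budget.spent


def budget_exhaustion_demo() -> bool:
    """True if a third 0.5-epsilon query against a 1.0 budget is refused."""
    b = PrivacyBudget(1.0)
    b.charge(0.5)
    b.charge(0.5)
    try:
        b.charge(0.5)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(release(RAW_SESSIONS, epsilon_each=0.5, total_epsilon=1.0, seed=7))
```

Two details carry the security point: clipping bounds the contribution of any single session (the 47.0 outlier becomes 30.0 before the mean is taken, which is what makes the stated sensitivity true), and the ledger refuses a query once the total budget is spent, so the guarantee does not erode through repeated analyst requests.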
B. Policy Solutions Include: Rethinking Transparency and Control; IRBs and Ethical Review Boards; Multi-Stakeholder Engagement; and Standards Setting and Other Agreements

1. Given the Novelty of BCIs, Along with the Complexity of Recording and Modulating Neurodata, Organizations Should Rethink Traditional Transparency and Control Models

The novelty and complexity of BCIs warrants an emphasis on transparency and control beyond most other emerging technologies. Transparency and control frameworks might have to be rethought in the neurotechnology field. Consumer, government, and health-focused BCIs can vary significantly in their technological capabilities, sophistication, machine learning techniques, purposes, and user-bases, often presenting differing privacy risks. These differences often warrant different levels and methods of transparency necessary for consumers, patients, and lawmakers to understand device capabilities, data flows, data storage, and who controls and has access to the data, while encouraging informed consent. For example, a non-invasive EEG-based device that only records neurodata along with an individual’s eye movements, muscle movements, and heartbeat does not have the same risks as a health device that records and modulates a patient’s brain using an invasive BCI. Despite these significant differences, BCIs as a whole are often incorrectly framed and lumped together by the popular media as “mind reading technologies from the future” that can capture and understand the innermost thoughts and workings of the human mind.

Developers and regulators should think creatively about how to promote the transparency necessary for meaningful user control. Privacy policies, terms of service, and other similar documents, while required by law, are often not effective means of providing transparency on their own. Even when these privacy policies are accurate in describing consumer rights and data governance, they might still lack transparency in that they are difficult to understand, vague, and fail to show the complete picture of what is happening with consumer data. In the absence of strong enforcement and without a commitment to trust, transparency, and explainability, privacy policies are likely neither agile enough to keep pace with quickly evolving technology nor adequately accessible to end-users.

Furthermore, although there are attempts to make user controls more flexible, more research is needed on how to best enable user control in ways that are more fluid, nuanced, and longitudinal. BCIs that operate in conjunction with companion apps could provide pop-up notice with the option for users to access more detailed information in a layered approach before consenting to device recording or modulating or other terms. BCI developers might want to also consider using audio and visual cues understandable to users, indicating when a device is recording or modulating. In the future, developers might take advantage of this particular technology by sending a particular signal to a user’s brain indicating some sort of activity. In this scenario, the user can respond to this signal with a particular thought pattern providing or denying consent.
2. When Appropriate, BCI Providers Should Engage IRBs or Independent Review Boards, as well as Multi-Stakeholder Engagement Before and During Roll Out of New BCI Products or Services

In some circumstances, BCI providers might be required to complete IRB review before gathering primary research data from human subjects or pre-registering clinical trials. Organizations may need to obtain proper approval from bodies like the FDA prior to rolling out new BCI products and services. However, BCIs in the consumer market are not typically subject to these same requirements. One option for consumer-focused BCI organizations seeking to promote strong privacy protections would be committing to an independent review board to consider questions around neurodata collection, use, sharing, storage, and other related concerns. A number of prominent AI researchers and developers have crafted principles and approaches to AI and ML.218 Because BCIs often involve the use of AI and ML, many of these AI principles will inform BCI development. However, AI frameworks do not contemplate all of the major challenges around recording or modulating a user’s brain. As BCIs become more widespread, providers should consider creating internal BCI-specific principles for informing their internal design, policy, and technical decisions. Review boards could also determine whether BCI-related data should be used for research where obtaining prior user consent is impractical.

Organizations should also facilitate multi-stakeholder engagement throughout the development and deployment lifecycle of BCIs. Stakeholder outreach should include researchers, policy professionals, early adopters of the technology, and those who either have yet to adopt the technology but might do so in the future or may be impacted due to the use of technology by others. The latter group should include those who are often not given a seat at the table when developers make ethical decisions about emerging technology. This should include individuals from vulnerable populations, such as the disability community, individuals from historically surveilled communities, and individuals from geolocations most exposed to digital inequity, among others. The conversation with all stakeholders, and perhaps most crucially with vulnerable populations, should be co-participatory and co-created from the start, meaning that providers should not only inform these populations about the technology, but absorb community feedback and integrate this feedback into internal decision making. Providers should be sure to present these changes and their internal design and decision-making process back to these stakeholders to help continue facilitating an ongoing and collaborative conversation. Further, providers should be engaging these stakeholders from the start of product development, research, and rollout. Providers should avoid premature decisions prior to community engagement, and should be willing to change course, heavily alter, or altogether scrap a project if it runs counter to a particular community’s preferences or could foreseeably cause harm.
3. Companies, Research Institutions, and Policymakers Should Set Policy and Technical Standards for BCI Research, Development, and Use that are Capable of Adapting as the Technology, User Base, and Uses Evolve

Because of the fast-moving nature of this technology, industry, research institutions, and policymakers should draft and subscribe to standards, best practices, and pragmatic regulations. As indicated in this report, a number of laws, best practices, and enforcement bodies can serve as foundations for neurotechnology-specific standards and frameworks. If and where possible, technical and governance communities should leverage existing policies, practices, and bodies pertaining to related technologies to govern BCIs, as well as identify places where existing frameworks or processes do not sufficiently address novel risks.

The latter point is particularly pertinent, since a number of notable privacy challenges are not addressed by current rules. Many of the existing comprehensive, and sectoral, privacy laws, including GDPR, BIPA, and CPRA, carve out de-identified data. Yet there is still no legal consensus on which types of neurodata can or will be interpreted as biometric data, and in the event that it is, research has shown that biometric data is more difficult to effectively de-identify.219 Another major gap in current regulation relates to what immersive technology expert Brittan Heller refers to as “biometric psychography,” which describes combining collected biometric data with information about stimuli encountered by the user to produce inferences about the user’s likes, dislikes, sexual attraction, fears, and other psychology.220 It might be necessary to rethink and broaden concepts and associated definitions of biometrics to be more inclusive—and therefore more predictive of—downstream emerging properties of neurodata, including psychographical characteristics.

To protect against privacy and responsible governance risks related to these and other BCI-related challenges, stakeholders should develop technical and policy standards for responsible development and use of BCIs capable of adapting as the technology, user base, and use evolves. Technical standards should promote privacy protective techniques, including privacy enhancing technologies; data quality thresholds; testing standards to ensure that AI and ML techniques are accurate, interpretable, and explainable; among several other elements. Policy standards should include standards related to privacy by design, user profiling, purpose limitations, data minimization, contractual agreements between BCI manufacturers and third parties related to de-identification, data sharing, and retention, among other concerns.

Alongside technical and policy standards, industry and regulators should promote up-to-date training for developers around processes such as data handling and de-identification learned from academia. For example, depending on the magnet strength, some fMRI images are capable of reconstructing an individual’s face.221 It is common practice in the academic neuroimaging sector to remove the first few slices or images of a file before uploading to a database to prevent identification through 3D reconstruction of a participant’s face. But this is not common practice across all organizations that collect or share these kinds of images, particularly in open-source communities. In addition, stakeholders should consider a policy-driven call to action for the development of tech-driven safeguards to test for these kinds of errors and flag them, remove them, or fix them.
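The slice-removal practice and the “tech-driven safeguard” the paragraph calls for can be expressed as a small pre-upload gate. The block below is an added illustration, not a tool from the report or from any neuroimaging project: it models a scan as a list of 2D slices with a header, removes the first n slices along the axis assumed to contain the face, records what was done in the header, and then refuses upload unless the header claims de-identification, enough slices were removed, and the slice count actually matches the header (so a header edited by hand cannot pass). The volume layout, header fields, and the choice of which axis is anterior are assumptions; real defacing tools work on the image geometry rather than on raw slice indices.

```python
"""Pre-upload gate for structural scans: remove face-bearing slices and verify it was done.

Simplified model of the slice-removal practice; hypothetical header fields and layout.
"""
from typing import Dict, List, Tuple

Slice = List[List[int]]   # one 2D image as rows x cols of voxel intensities


def make_volume(n_slices: int, rows: int, cols: int, base: int) -> Dict:
    """Build a constructed synthetic volume; slice i carries intensity base+i."""
    return {
        "header": {
            "subject": "sub-01 (constructed)",
            "original_slice_count": n_slices,
            "slices_removed": 0,
            "deidentified": False,
        },
        "slices": [[[base + s for _ in range(cols)] for _ in range(rows)] for s in range(n_slices)],
    }


def remove_anterior_slices(volume: Dict, n: int) -> Dict:
    """Return a copy with the first n slices dropped and the header updated.

    Assumption: the first slices along this axis are the ones that contain the face.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    if n >= len(volume["slices"]):
        raise ValueError("would remove the whole volume")
    new = {"header": dict(volume["header"]), "slices": volume["slices"][n:]}
    new["header"]["slices_removed"] = volume["header"].get("slices_removed", 0) + n
    new["header"]["deidentified"] = True
    return new


def upload_gate(volume: Dict, min_removed: int) -> Tuple[bool, List[str]]:
    """Decide whether a volume may be uploaded; returns (ok, list of problems)."""
    h = volume["header"]
    problems: List[str] = []
    removed = h.get("slices_removed", 0)
    if not h.get("deidentified", False):
        problems.append("header does not mark the volume as de-identified")
    if removed < min_removed:
        problems.append(f"slices_removed={removed} is below the required {min_removed}")
    # Do not trust the header alone: the data must agree with what it claims.
    expected = h.get("original_slice_count")
    if expected is None:
        problems.append("header lacks original_slice_count, cannot verify removal")
    elif len(volume["slices"]) != expected - removed:
        problems.append(
            f"slice count {len(volume['slices'])} inconsistent with header "
            f"(expected {expected - removed})"
        )
    return (len(problems) == 0, problems)


def demo() -> Tuple[bool, bool, bool]:
    """Raw volume is refused; properly stripped volume passes; a forged header is refused."""
    raw = make_volume(n_slices=20, rows=4, cols=4, base=100)
    stripped = remove_anterior_slices(raw, 5)
    forged = {"header": dict(raw["header"]), "slices": raw["slices"]}
    forged["header"]["deidentified"] = True
    forged["header"]["slices_removed"] = 5      # claims removal that never happened
    return (upload_gate(raw, 5)[0], upload_gate(stripped, 5)[0], upload_gate(forged, 5)[0])


if __name__ == "__main__":
    print(demo())
```

The consistency check is the part worth copying: a flag in metadata is cheap to set, so a gate that only reads the flag would accept a scan whose face-bearing slices are still present, while comparing the slice count against the recorded original catches that case.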
4. BCI Stakeholders Should Encourage the Adoption of Open Standards for Neurodata and Share De-Identified Research Data Under Open Licenses to Promote an Open and Inclusive Research Ecosystem

The development of neurotechnologies presents significant barriers to entry, as BCIs often require significant capital investment and highly specialized skill sets that would likely be inaccessible to all but a select few companies and organizations. This creates an environment in which leading neurotechnology organizations could create proprietary standards, fragmenting the neurotechnology research ecosystem. This would prevent many in industry and academia from: accessing the best and most cost-effective tools available, sharing their knowledge, and incorporating diverse perspectives to advance innovation in the field. To minimize such barriers to an open and inclusive research ecosystem, companies and other stakeholders should support the development and widespread adoption of open standards for neurodata. Stakeholders may also consider whether open-licensing of properly de-identified and consented neurotechnology and neurodata research datasets is feasible and appropriate, since this has the potential to maximize data accessibility by trusted researchers.
5. Policymakers Should Review the Adequacy of Existing Policy Frameworks for Governing the Unique Risks of Neurotechnologies

As established by this report, neurotechnologies can pose both familiar and novel risks. For familiar risks, such as vulnerability to hacking, the need to protect sensitive data, or the collection of data from minors, existing policy frameworks likely apply just as effectively to neurotechnologies as they do to consumer and medical technologies available today. However, the unique risks posed by neurotechnologies, such as the potential erosion of mental privacy or even more challenging concerns such as the implications for free will and human agency, highlight the possibility that existing policy frameworks may be insufficient to adequately protect people from harm. Furthermore, as neurotechnologies mature and become more commonplace, new applications unimaginable today will pose a host of new, unforeseen risks and benefits that today’s policy frameworks were not designed to address.

Policymakers and other BCI stakeholders should carefully evaluate how existing policy frameworks apply to neurotechnologies and identify potential areas where existing laws and regulations may be insufficient for the unique risks of neurotechnologies. Importantly, policymakers should prioritize a focus on well-defined risks, while tracking developments that can raise future concerns. Future advances may create unexpected problems, but may also be mitigated by other factors in the future such as yet-to-be-developed technological safeguards or changing societal norms. Potential decisions to ban particular high-risk uses of neurotechnology should similarly be discussed and considered in depth among experts prior to such decisions. Regardless, it is critical that policymakers are well educated about the risks neurotechnologies can pose and potential solutions to these risks so that they can swiftly and effectively implement these solutions when appropriate.
CONCLUSION

As BCIs evolve and are more commercially available across numerous sectors, it is paramount to understand the unique risks such technologies pose. It is just as important to understand how these technologies work and what data is necessary for them to function. Privacy and data governance risks can be minimized through broad adoption of both technical and policy recommendations that can make BCI data less identifiable, less potentially harmful, and more secure. Because the field of neurotechnology is especially future-facing, developers, researchers, and policymakers will have to create best practices and policies that consider existing risks and strategically prioritize future risks in ways that balance the need for proactive solutions while mitigating misinformation and hype; deciding which of the technical, social, or policy issues outlined in this report to prioritize first remains an open but vitally important area for discussion and concrete action.

BCIs will also likely augment and be combined with many existing technologies that are currently on the market. This means that new technical and ethical issues are likely to arise and existing issues could be compounded with one another. In the near future, BCI providers, neuroscience and neuroethics experts, policymakers, and societal stakeholders will need to come together to consider what constitutes high-risk use in the field and make informed decisions around whether certain BCI applications should be prohibited, a position around which more robust and critical discussion is needed. Finally and perhaps more fundamentally, it is also possible that the future of privacy itself and our notions of what it means to have or obtain privacy at basic human or societal levels could be challenged in ways that we cannot currently comprehend or anticipate. We hope this report and our ongoing work helps support the technical, legal, and policy developments that will be required to ensure the advances in this sector are implemented in ways that benefit society.
ENDNOTES
1. Concepts such as mental privacy, human agency, and fairness are complicated, contextually-dependent, and culturally-influenced.
Likewise, terms used throughout this report—such as conscious, unconscious, subconscious, or intentional—have diverging meanings for
neuro-scholars, legal experts, and the general public. We do not have the space in this report to dive deeper into these notions; however,
it is important to acknowledge their nuance up-front, and we recommend that conversations around these topics and efforts at better
standardizing the language used in this space is warranted and should be prioritized.
2. Although the definition of neurodata is the same for humans and animals, the focus of this report is neurodata coming from human nervous
systems. There are also two points worth mentioning for the sake of clarity. First, while the majority of neurodata is currently related to
neurons (their electrical, hemodynamic, and chemical activity, their anatomical components, their connections, etc.), there already exists
neurotechnology which targets glia—helper cells of the nervous system—to change perception and health. While this report is focused on
neuronal neurodata, It is widely believed that these sorts of non-neuronal applications will continue to grow in the future, and thus what
is included in the concept of neurodata is likely to expand and change in parallel. Second and related, it is a scientific fact that any human
behavior can be traced back to neurodata; for the purposes of this report, we constrain the focus to primary neurodata and first order proxies
of neurodata, but it is important to acknowledge that second-order or downstream behaviors and associated analyses of these behavioral
data may also be seen as extensions of neurodata by some neuroscientists, neurotechnicians, and neuroethicists in the field.
3. While often connected to the Internet, some BCIs, including those that rely on implantable pulse generator technology (IPG) use
radiofrequency, rather than internet technologies such as WiFi or Bluetooth for communication and control.
4. See Andrea M. Matwyshyn, The Internet of Bodies, 61 Wm. & Mary L. Rev. 77 (2019), available at https://scholarship.law.wm.edu/wmlr/vol61/iss1/3/.
5. See Marcello Ienca & Gianclaudio Malgieri, Mental Data Protection and the GDPR, 4 (May 5, 2021), available at https://papers.ssrn.com/sol3/
papers.cfm?abstract_id=3840403, coining the term: “digital mind” to describe the “moment-by-moment quantification of the individual-level
human mind using data from neural interfaces and other digital technology—and a more intimate connection between minds and machines.”
6. The Institute of Electrical and Electronics Engineers, Inc., Standards Roadmap: Neurotechnologies for Machine Interfacing, (2020), https://
standards.ieee.org/content/dam/ieee-standards/standards/web/documents/presentations/ieee-neurotech-for-bmi-standards-roadmap .
7. There is no currently agreed-upon definition of technological maturity within the neurotech community, nor a mappable timeline on which to reasonably
expect translation of neuroscience research into direct-to-consumer products. Concepts such as “near-term” or “far-term” are therefore not well delineated
and may change depending on the marketplace. Moreover, given that multiple technologies are emerging or evolving simultaneously, it is
unknown what (if anything) will change and propel the field forward faster than imagined. This is particularly true where technologies intersect (e.g.
artificial intelligence + neurotech or quantum computing + neurotech). While it is necessary to dampen hype and misinformation around the field,
as these can create unrealistic expectations or unwarranted fears, it would be unwise not to plan for more advanced capabilities whenever, or if ever,
they arise. Research on predicting the trajectory of BCIs and other neurotechnological capabilities would be particularly useful for planning
and prioritizing issues while remaining vigilant towards potential future or unknown downstream consequences.
8. Bidirectional BCIs are systems that both record neural signals from various areas of the brain and translate them into actions (for example,
decoding motor cortex signals into motor commands), and write information back into the nervous system through stimulation to produce sensations
or perceptions. In addition to being bidirectional, BCIs can also be closed loop—meaning that the device senses the effect of its modulation and then
alters that modulation based on the observed effect. Closed-loop BCIs are often used to treat movement disorders like Parkinson’s Disease or
sensorimotor impairments caused by spinal cord injury. See Patrick D. Ganzer et al., Restoring the Sense of Touch Using a Sensorimotor
Demultiplexing Neural Interface, Cell (Apr. 23, 2020), available at https://www.cell.com/cell/fulltext/S0092-8674(20)30347-0.
9. Simon Little et al., Adaptive Deep Brain Stimulation in Advanced Parkinson Disease, Annals of Neurology (Jul. 12, 2013), available at https://
onlinelibrary.wiley.com/doi/full/10.1002/ana.23951; S. Andrew Josephson, A Novel Brain-Computer Interface Approach to Deep Brain
Stimulation for Parkinson’s Disease (2013), https://www.medscape.com/viewarticle/814726.
10. See SLUCare, After Sudden Hearing Loss, Cochlear Implant Returns Patient’s Quality of Life, (Sept. 24, 2019), https://www.youtube.com/
watch?v=Mb0wlYsq_UM; see also Ann Perreau, et al., Programming a Cochlear Implant for Tinnitus Suppression, Journal of the American
Academy of Audiology (Apr. 31, 2020), available at https://www.thieme-connect.de/products/ejournals/abstract/10.3766/jaaa.18086.
11. James Wu & Rajesh P. N. Rao, Melding Mind and Machine: How Close Are We?, Smithsonian Magazine (Apr. 11, 2017), https://www.
smithsonianmag.com/innovation/melding-mind-and-machine-how-close-are-we-180962857/.
12. Intro to Brain Computer Interface, NeurotechEDU (last accessed Jun. 17, 2021), http://learn.neurotechedu.com/introtobci/. There is no widely
accepted definition of an invasive procedure, but researchers recently proposed a new definition, which defines an “invasive procedure” as one
where purposeful/deliberate access to the body is gained via an incision, a percutaneous puncture where instrumentation is used in addition to
the puncture needle, or instrumentation via a natural orifice. See Sian Cousins et al., What Is an Invasive Procedure? A Definition to Inform Study
Design, Evidence Synthesis, and Research Tracking, BMJ Open (Jul. 9, 2019), https://bmjopen.bmj.com/content/bmjopen/9/7/e028576.full.
13. Jeremiah D. Wander & Rajesh P. N. Rao, Brain-Computer Interfaces: A Powerful Tool for Scientific Inquiry, Current Opinion in Neurobiology
(2014) 25: 70–75.
14. See Angela Chen, Elon Musk’s Dreams of Merging AI and Brains Are Likely to Remain Just That–for at Least a Decade, The Verge (Apr. 21,
2017), https://www.theverge.com/2017/4/21/15370376/elon-musk-neuralink-brain-computer-ai-implant-neuroscience.
15. Intro to Brain Computer Interface, supra note 12.
16. Jane Wakefield, Elon Musk’s Neuralink ‘Shows Monkey Playing Pong with Mind’, BBC (Apr. 9, 2021), https://www.bbc.com/news/
technology-56688812; see Neuralink, Monkey MindPong, YouTube (Apr. 8, 2021), https://www.youtube.com/watch?v=rsCul1sp4hQ.
17. John Koetsier, Elon Musk Wants to Put a ‘Fitbit In Your Skull’ to Summon Your Tesla, Forbes (Aug. 28, 2020), https://www.forbes.com/sites/
johnkoetsier/2020/08/28/elon-musk-wants-to-put-a-fitbit-in-your-skull-to-summon-your-tesla/?sh=6b74efb3586a; In addition to Neuralink,
several other companies are active in BCI development. See Cathy Hackl, Meet the 10 Companies Working On Reading Your Thoughts (And
Even Those of Your Pets), Forbes (Jun. 21, 2020), https://www.forbes.com/sites/cathyhackl/2020/06/21/meet-10-companies-working-on-
reading-your-thoughts-and-even-those-of-your-pets/?sh=23ed1f26427c.
18. Bryn Farnsworth, What is EEG (Electroencephalography) and How Does it Work?, iMotions Blog (Jul. 15, 2019), https://imotions.com/blog/what-is-eeg/.
19. See Murta Kulich et al., Neurosensory Disorders in Mild Traumatic Brain Injury, 23-47 (Michael E. Hoffer & Carey D. Balaban eds., 2019).
FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 34
20. See Noman Naseer & Keum-Shik Hong, fNIRS-Based Brain-Computer Interfaces: A Review, 9:3 (Front Hum Neurosci) (2015), available at
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4309034/.
21. What is Transcranial Direct Current Stimulation?, Neuromodec, (last accessed May 16, 2021), https://neuromodec.com/what-is-transcranial-
direct-current-stimulation-tdcs/.
22. What is Transcranial Magnetic Stimulation (TMS)?, Neuromodec, (last accessed May 16, 2021), https://neuromodec.com/what-is-transcranial-
magnetic-stimulation-tms/.
23. See Nicola Riccardo Polizzotto et al., Is It Possible to Improve Working Memory with Prefrontal tDCS? Bridging Currents to Working
Memory Models, Front. Psychol. (May 26, 2020), available at https://www.frontiersin.org/articles/10.3389/fpsyg.2020.00939/full; Can Brain
Stimulation Aid Memory and Brain Health?, Harvard Health Publishing (Aug. 6, 2015), https://www.health.harvard.edu/mind-and-mood/can-
brain-stimulation-aid-memory-and-brain-health, recognizing that more research is needed on the efficacy of brain stimulation for memory
retention and learning improvement.
24. Other non-invasive techniques used to study the brain include positron emission tomography (PET), functional magnetic resonance
imaging (fMRI), magnetic resonance tomography (MRT), and magnetoencephalography (MEG), among many others.
25. Jerry J. Shih et al., Brain-Computer Interfaces in Medicine, 87(3) Mayo Clin Proc. 268-279 (Dec. 8, 2011), available at https://www.ncbi.nlm.nih.
gov/pmc/articles/PMC3497935/.
26. See Adi Robertson, I Tried the Wristband that Lets You Control Computers with Your Brain, The Verge (Jun. 6, 2018), https://www.theverge.
com/2018/6/6/17433516/ctrl-labs-brain-computer-interface-armband-hands-on-preview.
27. Electromyography (EMG), Brigham Health (last accessed May 16, 2021), https://www.brighamandwomens.org/neurology/neuromuscular-
diseases/electromyography.
28. Inside Facebook Reality Labs: The Next Era of Human-Computer Interaction, Tech@Facebook (Mar. 9, 2021), https://tech.fb.com/inside-
facebook-reality-labs-the-next-era-of-human-computer-interaction/.
29. This timeline is not intended to be a comprehensive list of neurotechnology breakthroughs, but rather a chronology of some foundational
moments in communication interfaces, BCIs, and related technology. While the BCI field is still emerging and innovating, this timeline shows that
research related to BCIs is part of a tradition of research related to electronic communication techniques and has been in the works for decades.
30. For more information about identifying individuals based on neurodata, see Russell A. Poldrack et al., Long-Term Neural and Physiological
Phenotyping of a Single Human, Nature Communications (Dec. 9, 2015), https://www.nature.com/articles/ncomms9885; Elise Hu, Move
Objects with Your Mind? We’re Getting There, With the Help of an Armband, NPR (Jul. 16, 2019), https://www.npr.org/transcripts/717487081.
31. See Jason da Silva Castanheira et al., Brief Segments of Neurophysiological Activity Enable Individual Differentiation, Nature
Communications 12: 5713 (2021), available at https://www.nature.com/articles/s41467-021-25895-8.
32. See e.g. Voices of VR, Podcast: #987: The Neuroscience of Neuromotor Interfaces + Privacy Implications with Facebook Reality Labs’
Thomas Reardon (Mar. 30, 2021), available at https://voicesofvr.com/987-the-neuroscience-of-neuromotor-interfaces-privacy-implications-
with-facebook-reality-labs-thomas-reardon-2/, suggesting that while identification based solely on an individual’s motor map is not being
done today, it is feasible given the uniqueness of motor maps.
33. Emily Gera, The Neuroscience of Mind-Control Gaming, Variety (Nov. 26, 2018), https://variety.com/2018/gaming/features/brain-computer-
interface-neurable-1203036143/.
34. Road Transport, SmartCap (last accessed May 16, 2021), http://www.smartcaptech.com/industries/transport/.
35. Brent J. Lance et al., Brain-Computer Interface Technologies in the Coming Decades, 100 Proceedings of the IEEE 1585-1599 (Mar. 1, 2012),
available at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6162941.
36. A brain implant has been developed that uses AI to recognize brain activity related to speech and translate the activity into sentences.
See Jason Arunn Murugesu, Mind-Reading AI Turns Thoughts Into Words Using Brain Implant, New Scientist (Mar. 30, 2020), https://www.
newscientist.com/article/2238946-mind-reading-ai-turns-thoughts-into-words-using-a-brain-implant/; Facebook hopes to someday incorporate
similar technology into VR headsets, which, unlike brain implants, are non-invasive. See Daphne Leprince-Ringuet, Facebook’s Mind-Reading
Plans Just Took Another Step Forward, ZDNet (Apr. 1, 2020), https://www.zdnet.com/article/facebooks-mind-reading-plans-just-took-another-
step-forward/.
37. Alexandre Gonfalonieri, Consumer Brain-Computer Interface: Challenges & Opportunities, Medium (May 18, 2021), https://
alexandregonfalonieri.medium.com/consumer-brain-computer-interface-challenges-opportunities-e8204190d828.
38. Id., citing Mariam Hassib & Stefan Schneegass, Brain Computer Interfaces for Mobile Interaction: Opportunities and Challenges, MobileHCI’15,
August 24-27, available at https://www.medien.ifi.lmu.de/pubdb/publications/pub/hassib2015mobilehci/hassib2015mobilehci.
39. Intro to Brain Computer Interface, supra note 12.
40. IBM defines machine learning as “a branch of artificial intelligence and computer science which uses data and algorithms to imitate the way humans
learn, gradually improving its accuracy,” IBM Cloud Education, Machine Learning (Jul. 15, 2020), https://www.ibm.com/cloud/learn/machine-learning.
41. We recognize that the neuroscience research sector is already and will continue to be greatly impacted by these kinds of neurotechnologies,
as more accessible BCIs will change who can perform what research and at what scale. For example, the company Kernel is making EEGs
more affordable and offering neuroscience studies as a service; see Ashlee Vance, Can a $110 Million Helmet Unlock the Secrets of the
Mind?, Bloomberg Businessweek (Jun. 16, 2021), https://www.bloomberg.com/news/features/2021-06-16/braintree-founder-s-helmet-size-
hospital-aims-to-mine-mind-data. However, the focus of this report is primarily the commercial and private sectors, and thus we have excluded
basic research as a section in this report.
42. See Ellen Wright Clayton et al., The Law of Genetic Privacy: Applications, Implications, and Limitations, Journal of Law and the Biosciences,
(Oct. 2019) 6(1), available at https://academic.oup.com/jlb/article/6/1/1/5489401.
43. See Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 (2008), available at https://www.ilga.gov/legislation/ilcs/ilcs3.
asp?ActID=3004&ChapterID=57; see also California Privacy Rights Act (CPRA) of 2020 (2020), available at https://www.caprivacy.org/
annotated-cpra-text-with-ccpa-changes/.
44. OECD Recommendation on Responsible Innovation in Neurotechnology (Dec. 11, 2019), available at https://www.oecd.org/science/
recommendation-on-responsible-innovation-in-neurotechnology.htm.
45. Implanted Brain-Computer Interface (BCI) Devices for Patients with Paralysis or Amputation – Non-Clinical Testing and Clinical Considerations,
FDA (May 2021), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/implanted-brain-computer-
interface-bci-devices-patients-paralysis-or-amputation-non-clinical-testing.
46. Notably, Article 8 of the European Convention on Human Rights; Articles 7 and 8 of the EU Charter of Fundamental Rights. Many Constitutions
in Latin American countries also recognize the right to respect for private life and confidentiality, and sometimes an individual, separate right to
protection of personal data. See also below our Case Study on Chile and specific neurorights elevated recently at constitutional level.
47. The concept of “personality rights” is generally used to denote the bundle of rights aimed at the protection of the integrity and inviolability of
the individual, and it usually encompasses the right to private life, to one’s own image, to respect of a person’s name, to the inviolability of a
person’s body, to reputation, etc. See Giorgio Resta, The New Frontier of Personality Rights and the Problem of Commodification: European and
Comparative Perspectives, 26 Tulane European and Civil Law Forum 33–65 (2011).
48. Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence, European Commission (Apr. 2021), available at https://
digital-strategy.ec.europa.eu/en/library/proposal-regulation-laying-down-harmonised-rules-artificial-intelligence.
49. CPRA, supra note 43.
50. General Data Protection Regulation (EU) 2016/679, (2016), available at https://gdpr-info.eu/.
51. See e.g. Karen S. Rommelfanger et al., Neuroethics Questions to Guide Ethical Research in the International Brain Initiatives, 100: 19-36
Neuron (Oct. 2018), available at https://www.sciencedirect.com/science/article/pii/S0896627318308237.
52. See Xiaotong Fu, et al., EEG-Based Brain-Computer Interfaces (BCIs): A Survey of Recent Studies on Signal Sensing Technologies and
Computational Intelligence Approaches and Their Applications, IEEE/ACM Transactions on Computational Biology and Bioinformatics (Dec.
2020), available at https://www.researchgate.net/publication/347966443_EEG-based_Brain-Computer_Interfaces_BCIs_A_Survey_of_
Recent_Studies_on_Signal_Sensing_Technologies_and_Computational_Intelligence_Approaches_and_their_Applications.
53. Emilia Mikołajewski & Dariusz Mikołajewski, Non-invasive EEG-based Brain-computer Interfaces in Patients With Disorders of Consciousness,
Military Medical Research (2014) 1(14), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4459059/.
54. Masaki Nakanishi et al., Detecting Glaucoma with a Portable Brain-Computer Interface for Objective Assessment of Visual Function Loss,
JAMA Ophthalmology (2017), 135(6): 550-557, available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5772598/.
55. L. Huang & G. van Luijtelaar, Brain Computer Interface for Epilepsy Treatment, IntechOpen (Jun. 5, 2013), available at https://www.
semanticscholar.org/paper/Brain-Computer-Interface-for-Epilepsy-Treatment-Huang-Luijtelaar/8bdb7cc1897ce0b109d14b61567635b567f681cf.
56. Russ Juskalian, A New Implant for Blind People Jacks Directly Into the Brain, MIT Technology Review (Feb. 6, 2020), https://www.
technologyreview.com/s/615148/a-new-implant-for-blind-people-jacks-directly-into-the-brain/.
57. See e.g., Frost & Sullivan, Brain-Computer Interface Hold a Promising Future, Alliance of Advanced Biomedical Engineering (2017), https://
aabme.asme.org/posts/brain-computer-interface-the-most-investigated-areas-in-health-care-hold-a-promising-future.
58. Duncan Graham-Rowe, Wheelchair Makes the Most of Brain Control, MIT Technology Review (Sept. 13, 2010), https://www.technologyreview.
com/s/420756/wheelchair-makes-the-most-of-brain-control/.
59. The Brain Powered Wheelchair, Enabled.in (2014), https://enabled.in/wp/brain-powered-wheelchair/.
60. Brain Implants Enable Man to Simultaneously Control Two Prosthetic Limbs with ‘Thoughts’, Neuroscience News (Dec. 12, 2020), https://
neurosciencenews.com/bci-prosthetic-limb-movement-17423/.
61. Id.
62. See Mathis Fleury et al., A Survey on the Use of Haptic Feedback for Brain-Computer Interfaces and Neurofeedback, Front. Neurosci.
(Jun. 23, 2020), available at https://www.frontiersin.org/articles/10.3389/fnins.2020.00528/full.
63. See Xiang Zhang et al, Internet of Things Meets Brain-Computer Interface: A Unified Deep Learning Framework for Enabling Human-Thing
Cognitive Interactivity, IEEE Internet of Things Journal, 6:2, 2084-2092 (Oct 2018), available at https://ieeexplore.ieee.org/document/8506382;
see e.g. Neal Ungerleider, This Life-Changing Philips Hue Hack Makes the Internet of Everything Mean Something, Fast Company (Aug. 6, 2014),
https://www.fastcompany.com/3034044/this-life-changing-philips-hue-hack-makes-the-internet-of-everything-mean-something.
64. See Iris Coates McCall et al., Owning Ethical Innovation: Claims about Commercial Wearable Brain Technologies, Neuron (Mar. 2019), 102(4)
728-731, available at https://www.cell.com/neuron/fulltext/S0896-6273(19)30289-2.
65. Neurosky Store (last accessed May 16, 2021), https://store.neurosky.com/.
66. Id.
67. Id.
68. Id.
69. Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac
Pacemakers: FDA Safety Communication, iData Research (Jan. 9, 2017), https://idataresearch.com/firmware-update-address-cybersecurity-
vulnerabilities-identified-abbotts-formerly-st-jude-medicals-implantable-cardiac-pacemakers-fda-safety-communication/.
70. Ms. Smith, Hacking Pacemakers, Insulin Pumps and Patients’ Vital Signs in Real Time, CSO (Aug. 12, 2018), https://www.csoonline.com/
article/3296633/hacking-pacemakers-insulin-pumps-and-patients-vital-signs-in-real-time.html.
71. Jeffrey Tully et al., Connected Medical Technology and Cybersecurity Informed Consent: A New Paradigm, 22(3) J Med Internet Res (2020),
available at https://www.jmir.org/2020/3/e17612/.
72. Xiao Zhang et al., Tiny Noise Can Make an EEG-Based Brain-Computer Interface Speller Output Anything, arXiv (Jul. 16, 2020), available at
https://arxiv.org/abs/2001.11569.
73. Walter Glannon, Ethical Issues With Brain-Computer Interfaces, Front. Syst. Neurosci., (Jul. 30, 2014), https://www.frontiersin.org/
articles/10.3389/fnsys.2014.00136/full.
74. 45 C.F.R. part 46 (2018), https://www.ecfr.gov/cgi-bin/
retrieveECFR?gp=&SID=83cd09e1c0f5c6937cd9d7513160fc3f&pitd=20180719&n=pt45.1.46&r=PART&ty=HTML.
75. Connect2HealthFCC – Wireless Health and Medical Devices Background, FCC.gov (last accessed May. 16 2021), https://www.fcc.gov/general/
connect2healthfcc-wireless-health-and-medical-devices-background.
76. See Muse (last accessed, Oct. 31, 2021), https://choosemuse.com/.
77. The consent usually required for participation in a research project is different from, and separate from, the consent for processing of personal
data for the purposes of the research project under the GDPR; see EDPB Q&A Document on processing of personal data for scientific health
research, https://edpb.europa.eu/sites/…reresearch_final (February 2021).
78. GDPR, supra note 50, arts. 6(1) and 9(2)(i) and 9(2)(j) (2016), available at https://gdpr-info.eu/art-6-gdpr/.
79. European Commission, supra note 48.
80. See Valeria Marcia & Kevin C. Desouza, The EU Path Towards Regulation on Artificial Intelligence, Brookings (Apr. 26, 2021), https://www.
brookings.edu/blog/techtank/2021/04/26/the-eu-path-towards-regulation-on-artificial-intelligence/.
81. Id.
82. Melody Moore Jackson & Rudolph Mappus, “Applications for Brain-Computer Interfaces,” in Brain-Computer Interfaces: Applying our Minds
to Human-Computer Interaction, ed. Desney S. Tan and Anton Nijholt (London: Springer, 2010), 89–104.
83. Raw EEG recordings are noisy: microvolt-scale neural signals are mixed with muscle, eye-movement and electrical artifacts, so the data
require significant filtering and post-processing before they support even rudimentary interpretations. This runs counter to the common myth that
raw EEG recordings alone can provide deep insight into the inner workings of the human mind and detailed explanations of what the wearer is thinking.
84. Priya Singh, 10 Real Life Examples of BCI Devices That You Can Control With Your Thoughts, Analytics India Magazine (Nov. 20, 2017), https://
analyticsindiamag.com/10-times-companies-made-inexpensive-consumer-based-bci-devices-using-eeg/.
85. Diamond Feit, Hands On: NeuroBoy, a Game You Play With Your Brain, Wired (Oct. 1, 2009), https://www.wired.com/2009/10/adventures-of-neuroboy/.
86. Star Wars Science Force Trainer II Brain-Sensing Hologram Electronic Game, Amazon.com (last accessed Mar. 16, 2020), https://www.
amazon.com/Science-Trainer-Brain-Sensing-Hologram-Electronic/dp/B00X5CCDYQ.
87. Linxing Jiang et al., BrainNet: A Multi-Person Brain-to-Brain Interface for Direct Collaboration Between Brains, Scientific Reports (2019), 9:
6115, available at https://www.nature.com/articles/s41598-019-41895-7.
88. Sarah McQuate, How You and Your Friends Can Play a Video Game Together Using Only Your Minds, UW News (Jul. 1, 2019), https://www.
washington.edu/news/2019/07/01/play-a-video-game-using-only-your-mind/.
89. Lauren Goode, Get Ready to Hear a Lot More about ‘XR’, Wired (Jan. 5, 2019), https://www.wired.com/story/what-is-xr/.
90. Victor Tangermann, Expert: VR Headsets Should Have Brain Interfaces, Futurism (Mar. 26, 2019), https://futurism.com/brain-computer-interface-vr-headsets.
91. See Neurable (last accessed Mar. 17, 2020), https://www.neurable.com/; Other than EEG electrodes, companies are experimenting with other
non-invasive methods, such as fNIRS, integrated into HMDs.
92. Gera, supra note 33.
93. Id.
94. See e.g. Ryota Horie et al., A Hands-On Game by using a Brain-Computer Interface, and Immersive Head Mounted Display, and a Wearable
Gesture Interface, IEEE Global Conference on Consumer Electronics (GCCE) (2017), https://ieeexplore.ieee.org/document/8229324.
95. See e.g. Nataliya Kos’myna, Project AttentivU, MIT Media Lab (last updated Feb. 4, 2020), https://www.media.mit.edu/projects/attentivu/overview/.
96. See e.g. Seongah Chin & Chung-Yeon Lee, Personality Trait and Facial Expression Filter-Based Brain-Computer Interface, International
Journal of Advanced Robotic Systems (May 15, 2017), https://journals.sagepub.com/doi/full/10.5772/55665.
97. See e.g. Kyle Melnick, Sundance: Breathe is a Multi-Person Mixed Reality Experience Powered By Breathing, VRScout (Jan. 24, 2020),
https://vrscout.com/news/sundance-breath-multi-person-vr-breathing/.
98. See e.g. Neurowear (last accessed Sept. 24, 2021), https://neurowear.com/.
99. See OpenBCI (last accessed Feb. 16, 2021), https://openbci.com/.
100. Antony Vitillo, OpenBCI: Games Using Brain-Interfaces Coming in 3 Years, The Ghost Howls (Feb. 12, 2021), https://skarredghost.
com/2021/02/12/openbci-galea-valve-index-bci/amp/?__twitter_impression=true&s=0.
101. Tangermann, supra note 90; another prominent example of BCI technology combined with a VR HMD is the hardware developed by
NextMind; See NextMind (last accessed Jun. 11, 2021), https://www.next-mind.com/.
102. Luke Appleby, Gabe Newell Says Brain-Computer Interface Tech Will Allow Video Games Far Beyond What Human ‘Meat Peripherals’ Can
Comprehend, 1 News (Jan. 24, 2021), https://www.tvnz.co.nz/one-news/new-zealand/gabe-newell-says-brain-computer-interface-tech-allow-
video-games-far-beyond-human-meat-peripherals-can-comprehend.
103. Brittan Heller, Reimagining Reality: Human Rights and Immersive Technology, Carr Center for Human Rights Policy (Jun. 12, 2020), available
at https://carrcenter.hks.harvard.edu/files/cchr/files/ccdp_2020-008_brittanheller.
104. See Courtney Friedman, Traffickers Targeting People Online More Than Ever Before, Experts Warning Parents, KSAT.com (Jan. 17, 2021),
https://www.ksat.com/news/local/2021/01/18/traffickers-targeting-people-online-more-than-ever-before-experts-warning-parents/.
105. 16 C.F.R. § 312 (1998, updated 2013).
106. Request for Public Comment on the Federal Trade Commission’s Implementation of the Children’s Online Privacy Protection Rule, 84 FR
35842 (proposed Jul. 25, 2019), https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-
federal-trade-commissions-implementation-of-the-childrens-online.
107. BIPA, supra note 43, 740 ILL. COMP. STAT. ANN. 14/10.
108. WASH. REV. CODE § 19.35.010.
109. GDPR, supra note 50, art. 14(4) (2016), available at https://gdpr-info.eu/art-14-gdpr/.
110. CPRA, supra note 43.
111. See SmartCap (last accessed May 17, 2021), http://www.smartcaptech.com/.
112. Julie Weed, Wearable Tech That Tells Drowsy Truckers It’s Time to Pull Over, New York Times (Feb. 11, 2020), https://www.nytimes.
com/2020/02/06/business/drowsy-driving-truckers.html.
113. Id.
114. Kos’myna, supra note 95.
115. Erin Winick, With Brain-Scanning Hats, China Signals It Has No Interest in Workers’ Privacy, MIT Technology Review (Apr. 30, 2018), https://
www.technologyreview.com/f/611052/with-brain-scanning-hats-china-signals-it-has-no-interest-in-workers-privacy/.
116. Stephen Chen, ‘Forget The Facebook Leak’: China is Mining Data Directly From Workers’ Brains On an Industrial Scale, South China Morning
Post (Apr. 29, 2018), https://www.scmp.com/news/china/society/article/2143899/forget-facebook-leak-china-mining-data-directly-workers-brains.
117. Alexandre Gonfalonieri, What Brain-Computer Interfaces Could Mean for the Future of Work, Harvard Business Review (Oct. 6, 2020), https://
hbr.org/2020/10/what-brain-computer-interfaces-could-mean-for-the-future-of-work#.
118. See e.g. Sujatha K et al., Brain Computer Interface Technology in Polygraphy, 117 International Journal of Pure and Applied Mathematics 235
(2017), available at https://acadpubl.eu/jsi/2017-117-20-22/articles/22/44.
119. See Caputron (last accessed Jun. 17, 2021), https://caputron.com; see also Best tDCS Device of 2021, tDCS.com (Jan. 20, 2021), https://www.
tdcs.com/best-tdcs-devices.
120. Royal Society, iHuman: Blurring Lines Between Mind and Machine, 42 (Sept. 2019), https://royalsociety.org/-/media/policy/projects/ihuman/
report-neural-interfaces .
121. Justin M. Nelson et al., The Effects of Transcranial Direct Current Stimulation (tDCS) on Multitasking Performance and Oculometrics, Military
Psychology (2019) 31(3): 212–226, available at https://www.tandfonline.com/doi/abs/10.1080/08995605.2019.1598217?journalCode=hmlp20.
122. Gonfalonieri, supra note 117.
123. Sarah Marsh, Neurotechnology, Elon Musk and the Goal of Human Advancement, The Guardian (Jan. 1, 2018), https://www.theguardian.com/
technology/2018/jan/01/elon-musk-neurotechnology-human-enhancement-brain-computer-interfaces.
124. Evelyn Arevalo, Neuralink Could Start The First Human Trials Later This Year, Tesmanian Blog (Feb. 8, 2021), https://www.tesmanian.com/
blogs/tesmanian-blog/neuralink.
125. John F. Burke et al., Brain Computer Interface to Enhance Episodic Memory in Human Participants, Front. Hum. Neurosci. (2014) 8: 1055,
https://www.frontiersin.org/articles/10.3389/fnhum.2014.01055/full.
126. Tech@Facebook, supra note 28.
127. Francis R. Willett et al., High-Performance Brain-To-Text Communication Via Handwriting, 593 Nature, 249-254 (May 12, 2021), https://www.
nature.com/articles/s41586-021-03506-2; Pavithra Rajeswaran & Amy L. Osborn, Neural Interface Translates Thoughts into Type, Nature (May
12, 2021), https://www.nature.com/articles/d41586-021-00776-8.
128. See Gabrielle Rejouis, Data, Camera, Busted: How Surveillance Interferes with the Right to Organize at Work, Center on Privacy &
Technology at Georgetown Law (May 6, 2020), https://medium.com/center-on-privacy-technology/data-camera-busted-how-surveillance-
interferes-with-the-right-to-organize-at-work-ea974763f328, discussing the chilling effects of worker surveillance.
129. Commercial, Smart Cap (last accessed Apr. 11, 2021), http://www.smartcaptech.com/industries/commercial/, arguing that drivers’ privacy is
protected because the technology does not use privacy-invasive in-cab cameras.
130. See e.g. Annie Palmer, Amazon is Using AI-Equipped Cameras in Delivery Vans and Some Drivers are Concerned About Privacy, CNBC
(Feb. 3, 2021), https://www.cnbc.com/2021/02/03/amazon-using-ai-equipped-cameras-in-delivery-vans.html.
131. See Jingxin Liu et al., Emotion Detection From EEG Recordings, 12th International Conference on Natural Computation, Fuzzy Systems and
Knowledge Discovery (ICNC-FSKD) (Aug. 13-15, 2016), https://ieeexplore.ieee.org/document/7603437.
132. See Hannah Devlin, AI Systems Claiming to ‘Read’ Emotions Pose Discriminatory Risks, The Guardian (Feb. 16, 2020), https://www.
theguardian.com/technology/2020/feb/16/ai-systems-claiming-to-read-emotions-pose-discrimination-risks.
133. Patricia Nilsson, How AI Helps Recruiters Track Jobseekers’ Emotions, Financial Times (Mar. 2, 2018), https://medium.com/financial-times/
how-ai-helps-recruiters-track-jobseekers-emotions-3dbd85ffeca0.
134. See Gabrice Jotterand & James Giordano, Transcranial Magnetic Stimulation, Deep Brain Stimulation and Personal Identity: Ethical
Questions, and Neurological Approaches for Medical Practice, 23:5 International Review of Psychiatry 476-485 (2011), available at https://
www.tandfonline.com/doi/full/10.3109/09540261.2011.616189, specifically discussing identity concerns in the medical context, but these
challenges could similarly impact employees using neurotechnology.
135. See Eran Klein et al., Brain-Computer Interface-Based Control of Closed-Loop Brain Stimulation: Attitudes and Ethical Considerations, 3:3
Brain Computer Interfaces 140-148 (2016), available at https://www.tandfonline.com/doi/full/10.1080/2326263X.2016.1207497.
136. Roberto Portillo-Lara et al., Mind the Gap: State-of-the-Art Technologies and Applications for EEG-Based Brain-Computer Interfaces, 5:3 APL
Bioengineering (2021), available at https://aip.scitation.org/doi/10.1063/5.0047237.
137. Electronic Communications Privacy Act (ECPA), Public Law 99-508, available at https://www.govinfo.gov/content/pkg/STATUTE-100/pdf/
STATUTE-100-Pg1848 .
138. Americans With Disabilities Act of 1990, Pub. L. No. 101-336, 104 Stat. 328 (1990), available at https://www.ada.gov/pubs/ada.htm.
139. U.S. Department of Labor, Bureau of Labor Statistics, Union Members – 2020 (Jan. 22, 2021), https://www.bls.gov/news.release/pdf/union2 .
140. AFL-CIO, AFL-CIO Commission on the Future of Work and Unions (Sept. 13, 2019), https://aflcio.org/reports/afl-cio-commission-future-work-and-unions.
141. GDPR, supra note 50, art. 7(4)(i).
142. 29 U.S.C. §§ 2001 – 2009 (2002), available at https://www.law.cornell.edu/uscode/text/29/chapter-22, for example EPPA exempts employer
use of polygraph exams for certain government employees, defense contract employees, certain employer investigations of employee theft
and drug-related conduct, and employees hired to perform security services.
143. See Katherine F. Mendez & Christina Jaremus, Future Employer: Are Humans with Microchips in Their Brains the Future of Work, Seyfarth
(May 19, 2021), https://www.seyfarth.com/news-insights/future-employer-are-humans-with-microchips-in-their-brains-the-future-of-work.
html#page=1, citing microchip laws in California, Oklahoma, and Missouri.
144. See e.g. Roy Cellan-Jones, Office Puts Chips Under Staff’s Skin, BBC (Jan. 29, 2015), https://www.bbc.com/news/technology-31042477.
145. See Christopher Wegemer, Brain-Computer Interfaces and Education: the State of Technology and Imperatives for the Future, International
Journal of Learning Technology 14(2): 141 (Jan. 2019), available at https://www.researchgate.net/publication/335486095_Brain-computer_
interfaces_and_education_the_state_of_technology_and_imperatives_for_the_future.
146. Martin Spüler et al., “Brain-Computer Interfaces for Educational Applications,” in Informational Environments: Effects of Use, Effective Designs, ed.
Jürgen Buder et al., (Oct. 2017), https://www.researchgate.net/publication/320378280_Brain-Computer_Interfaces_for_Educational_Applications.
147. Peter Gerjets & Friedrich Hesse. When Are Powerful Learning Environments Effective? The Role of Learner Activities and of Students’
Conceptions Of Educational Technology, International Journal of Educational Research (2004) 41(6): 445-465, https://www.sciencedirect.com/
science/article/abs/pii/S0883035505000595.
148. Spüler, supra note 146.
149. John Sweller et al., Cognitive Architecture and Instructional Design, Educational Psychology Review (1998) 10(3): 251–296, https://www.researchgate.net/publication/200772805_Cognitive_Architecture_and_Instructional_Design.
150. Sydney Johnson, This Company Wants to Gather Student Brainwave Data to Measure ‘Engagement’, EdSurge (Oct. 26, 2017), https://www.edsurge.com/news/2017-10-26-this-company-wants-to-gather-student-brainwave-data-to-measure-engagement.
151. These headbands have since faced backlash for this application: see Jane Li, A “Brain-Reading” Headband for Students is Too Much Even for Chinese Parents, Quartz (Nov. 5, 2019), https://qz.com/1742279/a-mind-reading-headband-is-facing-backlash-in-china/.
152. Nicole Kobie, Why Computers Won’t Be Reading Your Mind Anytime Soon, Wired UK (Mar. 12, 2020), https://www.wired.co.uk/article/brain-computer-interfaces.
153. Siobhan Ball, Glasses Act as a Shock Collar For Students Who Don’t Pay Attention, Daily Dot (Aug. 31, 2019), https://www.dailydot.com/unclick/shock-student-glasses/.
154. Sydney Johnson, Brainwave Headsets Are Making Their Way Into Classrooms—For Meditation and Discipline, EdSurge (Nov. 17, 2017), https://www.edsurge.com/news/2017-11-14-brainwave-headsets-are-making-their-way-into-classrooms-for-meditation-and-discipline.
155. See HARPA (last accessed May 17, 2021), https://www.harpa.org/.
156. See Jacqueline Alemany, White House Considers New Project Seeking Links Between Mental Health and Violent Behavior, Washington Post (Aug. 22, 2019), https://www.washingtonpost.com/politics/2019/08/22/white-house-considers-new-project-seeking-links-between-mental-health-violent-behavior/.
157. State Student Privacy Laws, Student Privacy Compass (last accessed May 16, 2021), https://studentprivacycompass.org/state-laws/.
158. 20 U.S.C. § 1232(g) (2001), available at https://www.law.cornell.edu/uscode/text/20/1232g.
159. U.S. Department of Education, Family Educational Rights and Privacy Act (FERPA) (last accessed Sept. 25, 2021), https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
160. U.S. Department of Education, Biometric Record (last accessed May 16, 2021), https://studentprivacy.ed.gov/content/biometric-record.
161. A Parent’s Guide to Student Data Privacy, ConnectSafely et al. 3 (2015), https://www.connectsafely.org/wp-content/uploads/2015/04/StudentDataPrivacy.
162. This report uses the terms “smart cities and smart communities” to refer to communities of all shapes and sizes with digital infrastructure.
163. See e.g. Smarter Cities, IBM (last accessed Jun. 17, 2021), https://www.ibm.com/smarterplanet/us/en/smarter_cities/solutions/planning_mgt_solutions/.
164. See Shedding Light on Smart City Privacy, FPF (last accessed Jun. 17, 2021), https://fpf.org/uncategorized/smart-cities/.
165. See Neurable, supra note 91.
166. See Trimble (last accessed May 17, 2021), https://www.trimble.com/.
167. Neurable and Trimble Partner to Explore the Use of Brain-Computer Interfaces For the Transportation and AEC Industries, Financial Release, Trimble (Jan. 3, 2019), https://investor.trimble.com/news-releases/news-release-details/neurable-and-trimble-partner-explore-use-brain-computer.
168. Id.
169. Jiang, supra note 87.
170. For more information about Silent Talk, see 2010 Defense Department Budget, https://www.darpa.mil/attachments/(2G7)%20Global%20Nav%20-%20About%20Us%20-%20Budget%20-%20Budget%20Entries%20-%20FY2010%20(Approved); see also Patrick Tucker, It’s Now Possible to Telepathically Communicate with a Drone Swarm, Defense One (Sept. 6, 2018), https://www.defenseone.com/technology/2018/09/its-now-possible-telepathically-communicate-drone-swarm/151068/.
171. Sung-Ja Choi & Byeong-Gwon Kang, Prototype Design and Implementation of an Automatic Control System Based on a BCI, Wireless Personal Communications (2014) 79(4): 2551–2563, https://www.researchgate.net/publication/271659937_Prototype_Design_and_Implementation_of_an_Automatic_Control_System_Based_on_a_BCI.
172. See e.g. Autonomos Labs (last accessed May 17, 2021), https://autonomos.inf.fu-berlin.de/.
173. Paul Myles, Hyundai Claims Brainwave in Driver Health Monitoring, Automotive (Jul. 21, 2021), https://www.tu-auto.com/hyundai-claims-brainwave-in-driver-health-monitoring/.
174. Id.
175. See Andrew London, I Flew a Drone with My Brain – But That’s Only the Beginning, Techradar (Mar. 24, 2018), https://www.techradar.com/news/i-flew-a-drone-with-my-brain-but-thats-only-the-beginning.
176. For an overview of some of the emerging governance in this area, see Jeff Merritt et al., Governing Smart Cities: Policy Benchmarks for Ethical and Responsible Smart City Development, World Economic Forum (Jul. 2021), available at https://www3.weforum.org/docs/WEF_Governing_Smart_Cities_2021.
177. Eben Harrell, Neuromarketing: What You Need to Know, Harvard Business Review (Jan. 23, 2019), https://hbr.org/2019/01/neuromarketing-what-you-need-to-know#:~:text=%E2%80%9CNeuromarketing%E2%80%9D%20loosely%20refers%20to%20the,pricing%2C%20and%20other%20marketing%20areas.
178. Sharad Agarwal & Tanusree Dutta, Neuromarketing and Consumer Neuroscience: Current Understanding and the Way Forward, 42(4) DECISION, 457-462 (Nov. 2015), available at https://www.researchgate.net/publication/284234343_Neuromarketing_and_consumer_neuroscience_current_understanding_and_the_way_forward.
179. Id.
180. Samuel M. McClure et al., Neural Correlates of Behavioral Preference for Culturally Familiar Drinks, Neuron (2004) 44(2): 379–387, available at https://pubmed.ncbi.nlm.nih.gov/15473974/.
181. Id.
182. Id.
183. The Advertising Research Foundation encouraged its members to use neuromarketing technology in 2017. Introduction to Neuroscience and Biometric Marketing Research Methods, The Advertising Research Foundation (Aug. 2017), http://thearf.org/wp-content/uploads/2018/02/KAH-Neuroscience-FINAL-web.
184. For more information about the differences between fMRI and EEG, see Christoph Mulert, Simultaneous EEG and fMRI: Towards the Characterization of Structure and Dynamics of Brain Networks, Dialogues Clin Neurosci. (Sept. 2013), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3811108/.
185. See A Brief Overview of the Federal Trade Commission’s Investigative, Law Enforcement, and Rulemaking Authority, FTC (Oct. 2019), https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority.
186. NMSBA Code of Ethics, NMSBA (last accessed Jun. 17, 2021), https://www.nmsba.com/neuromarketing-companies/code-of-ethics.
187. See United Nations Convention on the Rights of the Child, General Comment on Children’s Rights in Relation to the Digital Environment ¶ 42 (2021), available at https://docstore.ohchr.org/SelfServices/FilesHandler.ashx?enc=6QkG1d%2fPPRiCAqhKb7yhsqIkirKQZLK2M-58RF%2f5F0vEG%2bcAAx34gC78FwvnmZXGFUl9nJBDpKR1dfKekJxW2w9nNryRsgArkTJgKelqeZwK9WXzMkZRZd37nLN1bFc2t.
188. Charles N. Munyon, Neuroethics of Non-primary Brain Computer Interface: Focus on Potential Military Applications, Front. Neurosci. (Oct. 23, 2018), https://www.frontiersin.org/articles/10.3389/fnins.2018.00696/full.
189. Al Emondi, Next-Generation Nonsurgical Neurotechnology, DARPA (last accessed May 21, 2021), https://www.darpa.mil/program/next-generation-nonsurgical-neurotechnology.
190. Paul Tullis, The US Military Is Trying to Read Minds, MIT Technology Review (Oct. 16, 2019), https://www.technologyreview.com/s/614495/us-military-super-soldiers-control-drones-brain-computer-interfaces/.
191. See 2010 Defense Department Budget, supra note 170.
192. DARPA Public Affairs, Six Paths to the Nonsurgical Future of Brain-Machine Interfaces, DARPA (May 20, 2019), https://www.darpa.mil/news-events/2019-05-20.
193. Kristin Houser, DARPA Is Using Gamers’ Brain Waves To Train Robot Swarms, Futurism (Feb. 8, 2020), https://futurism.com/the-byte/darpa-gamers-brain-waves-train-robots-swarms.
194. Michael N. Tennison & Jonathan D. Moreno, Neuroscience, Ethics, and National Security: The State of the Art, PLoS Biology (Mar. 20, 2012), https://journals.plos.org/plosbiology/article?id=10.1371/journal.pbio.1001289#s4.
195. Matthew Pava, Restoring Active Memory (RAM), DARPA (last accessed Sept. 25, 2021), https://www.darpa.mil/program/restoring-active-memory.
196. Anika Binnendijk et al., Brain-Computer Interfaces: U.S. Military Applications and Implications, RAND Corporation (2020) 9, https://www.rand.org/content/dam/rand/pubs/research_reports/RR2900/RR2996/RAND_RR2996.
197. Id. at 22.
198. Id. at 23-23.
199. See Ragini Verma et al., Neuroimaging Findings in US Government Personnel with Possible Exposure to Directional Phenomena in Havana, Cuba, 322(4): 336-347 JAMA (Jul. 2019), available at https://jamanetwork.com/journals/jama/fullarticle/2738552?guestAccessKey=47486c47-c01c-47fa-8b6e-41fc69f29cf4&utm_source=For_The_Media&utm_medium=referral&utm_campaign=ftm_links&utm_content=tfl&utm_term=072319.
200. George J. Annas, Military Medical Ethics—Physician First, Last, Always, New England Journal of Medicine (Sept. 11, 2008), 359(11): 1087-1090, available at https://www.nejm.org/doi/full/10.1056/NEJMp0805975.
201. Munyon, supra note 188.
202. Annas, supra note 100.
203. Munyon, supra note 190.
204. Tennison, supra note 194.
205. Id.
206. Lucille Nalbach Tournas, If Police Have Devices That Can Read Your Mind, How Does the Fifth Amendment Fit In?, Slate (May 28, 2021), https://slate.com/technology/2021/05/brain-computer-interface-mind-reading-fifth-amendment.html.
207. Tennison, supra note 194.
208. Constitutional reform text and procedural documents available at https://www.senado.cl/appsenado/templates/tramitacion/index.php?boletin_ini=13827-19.
209. En histórica Votación, Aprueban Proyecto Del Ley Que Regulará Los Neuroderechos en Chile, La Tercera (Apr. 13, 2021), https://www.latercera.com/que-pasa/noticia/en-historica-votacion-aprueban-proyecto-del-ley-que-regulara-los-neuroderechos-en-chile/4IAQJIVHM5F75GRLAR2GQ27V24/.
210. Bill of Law Establishing Neuroprotection, available at https://www.senado.cl/appsenado/templates/tramitacion/index.php?boletin_ini=13828-19.
211. Nayef Al-Rodhan, The Rise of Neurotechnology Calls for a Parallel Focus on Neurorights, Scientific American (May 27, 2021), https://www.scientificamerican.com/article/the-rise-of-neurotechnology-calls-for-a-parallel-focus-on-neurorights/.
212. Law No. 19.451, available at https://www.bcn.cl/leychile/navegar?idNorma=30818.
213. Abel Wajnerman Paz, Are Neural Data Protected by Bodily Integrity? A Discussion of the ‘Organic’ View on Neural Data Rights, Neuroethics Blog (May 12, 2021), http://www.theneuroethicsblog.com/2020/05/are-neural-data-protected-by-bodily.html.
214. Id.
215. See Stacey Gray, Always On: Privacy Implications of Microphone-Enabled Devices, FPF (Apr. 2016), https://fpf.org/wp-content/uploads/2016/04/FPF_Always_On_WP.
216. See Jules Polonetsky & Jeremy Greenberg, NSF Convergence Accelerator: The Future of Privacy Technology (C-Accel 1939288), FPF (2020), https://fpf.org/wp-content/uploads/2020/03/NSF_FPF-REPORT_C-Accel1939288_Public.
217. See NIST, Cybersecurity Framework (Apr. 2018), available at https://www.nist.gov/cyberframework.
218. See e.g. IBM’s Multidisciplinary, Multidimensional Approach to AI Ethics (last accessed May 15, 2021), https://www.ibm.com/artificial-intelligence/ethics; Artificial Intelligence and Ethics, Microsoft EU Policy Blog (last accessed Nov. 1, 2021), https://blogs.microsoft.com/eupolicy/artificial-intelligence-ethics/; Sundar Pichai, AI at Google: Our Principles, The Keyword (Jun. 7, 2018), https://www.blog.google/technology/ai/ai-principles/; Jerome Pesenti, AI at F8 2018: Open Frameworks and Responsible Development, Facebook Engineering (May 2, 2018), https://engineering.fb.com/2018/05/02/mlapplications/ai-at-f8-2018-open-frameworks-and-responsible-development/.
219. See e.g. Mark Roman Miller et al., Personal Identifiability of User Tracking Data During Observation of 360-Degree VR Video, 10 Scientific Reports (Oct. 15, 2020), available at https://www.nature.com/articles/s41598-020-74486-y, showing that a pool of 511 de-identified participants experiencing less than 5 minutes of VR could be identified, based on biometric tracking, by a random forest with 95% accuracy.
220. Heller, supra note 103.
221. See e.g. Rufin VanRullen & Leila Reddy, Reconstructing Faces from fMRI Patterns Using Deep Generative Neural Networks, 2 Communications Biology (2019), available at https://www.nature.com/articles/s42003-019-0438-y.
1400 EYE STREET NW | SUITE 450 | WASHINGTON, DC 20005 INFO@FPF.ORG | 202-768-8950
The Future of Privacy Forum (FPF) is a catalyst for privacy leadership and scholarship,
advancing responsible data practices in support of emerging technologies. FPF is based
in Washington, DC, and includes an advisory board comprising leading figures from
industry, academia, law, and advocacy groups. Learn more at fpf.org.
DATA PROTECTION LAWS OF THE WORLD
Full Handbook
Downloaded: 20 June 2022
TABLE OF CONTENTS
Albania 24
Algeria 33
Angola 37
Argentina 42
Armenia 46
Aruba 50
Australia 55
Austria 63
Azerbaijan 77
Bahamas 79
Bahrain 83
Bangladesh 88
Barbados 91
Belarus 95
Belgium 101
Benin 117
Bermuda 124
Bolivia 127
Bonaire, Sint Eustatius and Saba 130
Bosnia and Herzegovina 135
Botswana 141
Brazil 148
British Virgin Islands 156
Brunei 161
Bulgaria 165
Burkina Faso 180
Burundi 185
Cambodia 187
Canada 192
Cape Verde 200
Cayman Islands 204
Chad 211
Chile 217
China 222
Colombia 232
Costa Rica 240
Croatia 244
Cuba 256
Curaçao 259
Cyprus 264
Czech Republic 277
Democratic Republic of Congo 288
Denmark 291
Dominican Republic 309
Ecuador 313
Egypt 319
El Salvador 325
Equatorial Guinea 328
Estonia 331
Ethiopia 345
Fiji 348
Finland 351
France 365
Gabon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Georgia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Germany . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Ghana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Gibraltar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Greece . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Guatemala . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Guernsey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Guinea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Haiti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Honduras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Hong Kong, SAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Hungary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Iceland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
India . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Indonesia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Iran . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Ireland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Israel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Italy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Japan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Jersey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Jordan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Kazakhstan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Kenya . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Kosovo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Kuwait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Kyrgyzstan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Laos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Latvia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Lebanon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Lesotho . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Liberia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Libya . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Lithuania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Luxembourg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Macau . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Madagascar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
Malaysia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Malta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
Mauritius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Mexico . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
Moldova . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Monaco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Mongolia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Montenegro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
Morocco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Mozambique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Myanmar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
Namibia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Nepal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Netherlands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
New Zealand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
Nicaragua . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
Niger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Nigeria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
North Macedonia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778
Norway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
Pakistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798
Panama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
Paraguay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
Peru . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
Philippines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Poland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Portugal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
Qatar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
Qatar – Financial Centre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
Republic of Congo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
Romania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870
Russia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Rwanda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
Saudi Arabia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
Senegal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
Serbia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
Seychelles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913
Singapore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
Sint Maarten . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
Slovak Republic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
Slovenia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945
South Africa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 956
South Korea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
Spain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
Sri Lanka . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
Sweden . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993
Switzerland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004
Taiwan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013
Tajikistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
Tanzania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020
Thailand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1024
Tonga . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
Trinidad and Tobago . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031
Tunisia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035
Turkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039
Turkmenistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047
UAE – Abu Dhabi Global Market Free Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1050
UAE – Dubai (DIFC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059
UAE – Dubai Health Care City Free Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
UAE – General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1072
Uganda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1083
Ukraine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1087
United Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093
United States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105
Uruguay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114
Uzbekistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1118
Venezuela . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
Vietnam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1128
Zambia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136
Zimbabwe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141
DATA PROTECTION LAWS OF THE WORLD
Data Protection Laws of the World 6 | | www.dlapiperdataprotection.com
I. INTRODUCTION
EU data protection legislation is facing huge changes. Data protection laws are built on fundamental rights enshrined in the Charter
of Fundamental Rights of the European Union which are the core building blocks of the EU’s legal regime. Privacy issues arising
from an exponential growth in consumer and mobile technologies, an increasingly connected planet and mass cross-border data
flows have pushed the EU to entirely rethink its data protection legislation to ensure that these fundamental rights are fully
protected in today’s digital economy.
In 2012, the European Commission published a draft regulation (the General Data Protection Regulation, ‘GDPR’). Just over four
years later, the final text of GDPR was published in the Official Journal of the European Union on April 27, 2016. Regulation
2016/679 (http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en) heralds some of the most stringent data
protection laws in the world and has been in force since May 25, 2018.
The previous EU Data Protection Directive (95/46/EC) was adopted in 1995. It was implemented differently by EU Member States
into their respective national jurisdictions, resulting in the fragmentation of national data protection laws within the EU. As it is a
Regulation, GDPR came into effect immediately on May 25, 2018 without any need for additional domestic legislation in EU
Member States. However, with more than 30 areas where Member States are permitted to legislate (differently) in their domestic
laws there will continue to be significant variation in both substantive and procedural data protection laws among the EU’s
different Member States.
With fines of up to 4% of total worldwide annual turnover for failing to comply with the requirements of GDPR, organizations
have had a great deal to do to comply with the new regime.
II. CURRENT SITUATION
After almost four years of often fractious negotiations, GDPR was published in the Official Journal of the European Union as
Regulation 2016/679 on April 27, 2016.
There was a two-year transition period to allow organizations and governments to adjust to the new requirements and
procedures. Following the end of this transitional period, the Regulation became directly applicable throughout the EU from May
25, 2018, without requiring implementation by the EU Member States through national law.
The goal of European legislators was to harmonize the previous legal framework, which was fragmented across Member States. A
‘Regulation’ (unlike a Directive) is directly applicable and has consistent effect in all Member States, and GDPR was intended to
increase legal certainty, reduce the administrative burden and cost of compliance for organizations that are active in multiple EU
Member States, and enhance consumer confidence in the single digital marketplace. However, in order to reach political
agreement on the final text there are more than 30 areas covered by GDPR where Member States are permitted to legislate
differently in their own domestic data protection laws. There continues to be room for different interpretation and enforcement
practices among the Member States. There are therefore likely to continue to be significant differences in both substantive and
procedural data protection laws and enforcement practice among EU Member States with GDPR in force.
We have summarized the key changes introduced by the GDPR in the following sections.
Key changes to the previous data protection framework include:
A. WIDER TERRITORIAL SCOPE
Where organizations are established within the EU
GDPR applies to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization
within the EU. For these purposes “establishment” implies the “effective and real exercise of activity through stable arrangements”
(Recital 22) and “the legal form of such arrangements…is not the determining factor” (Recital 22), so there is a wide spectrum of
what might be caught from fully functioning subsidiary undertakings on the one hand, to potentially a single individual sales
representative depending on the circumstances.
Europe’s highest court, the Court of Justice of the European Union (the CJEU) has been developing jurisprudence on this concept,
recently finding (Google Spain SL, Google Inc. v AEPD Mario Costeja Gonzalez (C-131/12)) that Google Inc. with EU-based sales and
advertising operations (in that particular case, a Spanish subsidiary) was established within the EU. More recently, the same court
concluded (Weltimmo v NAIH (C-230/14)) that a Slovakian property website was also established in Hungary and therefore subject
to Hungarian data protection laws.
Where organizations are not established within the EU
Even if an organization is able to prove that it is not established within the EU, it will still be caught by GDPR if it processes
personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or
services” (Art 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behavior” (Art 3(2)(b))
as far as their behavior takes place within the EU. Internet use profiling (Recital 24) is expressly referred to as an example of
monitoring.
Practical implications
1. Compared to the previous Directive, GDPR captures many more overseas organizations. US tech companies should particularly
take note, as the provisions of GDPR have clearly been designed to capture them.
2. Overseas organizations not established within the EU who are nevertheless caught by one or both of the offering goods or
services or monitoring tests must designate a representative within the EU (Article 27).
B. TOUGHER SANCTIONS
Revenue-based fines
GDPR joins anti-bribery and anti-trust laws as having some of the very highest sanctions for non-compliance including
revenue-based fines of up to 4% of annual worldwide turnover.
To compound the risk for multinational businesses, fines are imposed by reference to the revenues of an undertaking rather than
the revenues of the relevant controller or processor. Recital 150 of GDPR states that ‘undertaking’ should be understood in
accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union which prohibit anti-competitive
agreements between undertakings and abuse of a dominant position. Unhelpfully the Treaty doesn’t define the term either and the
extensive case-law is not entirely straightforward with decisions often turning on the specific facts of each case. However, in many
cases group companies have been regarded as part of the same undertaking. This is bad news for multinational businesses as it
means that in many cases group revenues will be taken into account when calculating fines, even where some of those group
companies have nothing to do with the processing of data to which the fine relates provided they are deemed to be part of the
same undertaking. The assessment will turn on the facts of each case.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to 20,000,000 Euros or in the case of an undertaking up to 4% of total worldwide turnover
of the preceding year, whichever is higher, apply to breach of:
- the basic principles for processing including conditions for consent
- data subjects’ rights
- international transfer restrictions
- any obligations imposed by Member State law for special cases such as processing employee data
- certain orders of a supervisory authority
The lower category of fines (Article 83(4)) of up to 10,000,000 Euros or in the case of an undertaking up to 2% of total worldwide
turnover of the preceding year, whichever is the higher, apply to breach of:
- obligations of controllers and processors, including security and data breach notification obligations
- obligations of certification bodies
- obligations of a monitoring body
https://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
Data Protection Laws of the World 8 | | www.dlapiperdataprotection.com
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,
proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Broad investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site
data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular:
any person who has suffered “material or non-material damage” as a result of a breach of GDPR has the right to receive
compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that
individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial
loss.
data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf
(Article 80). Although this falls some way short of a US style class action right, it certainly increases the risk of group
privacy claims against consumer businesses. Employee group actions are also more likely under GDPR.
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against
a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
Practical implications
1. The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal
and compliance challenge – it is much broader than that, requiring organizations to completely transform the way that they collect,
process, securely store, share and securely wipe personal data. Engagement of senior management and forming the right team is
key to successful GDPR readiness.
2. Organizations caught by GDPR need to map current data collection and use, carry out a gap analysis of their current
compliance against GDPR and then create and implement a remediation plan, prioritizing high risk areas.
3. GDPR requires suppliers and customers to review supply chains and current contracts. Contracts will need to be renegotiated
to ensure GDPR compliance and commercial terms will inevitably have to be revisited in many cases given the increased costs of
compliance and higher risks of non-compliance.
4. The very broad concept of ‘undertaking’ is likely to put group revenues at risk when fines are calculated, whether or not all
group companies are caught by GDPR or were responsible for the infringement of its requirements. Multinationals even with quite
limited operations caught by GDPR will therefore need to carefully consider their exposure and ensure compliance.
5. Insurance arrangements need to be reviewed and cyber and data protection exposure added to existing policies or purchased as
stand-alone policies where possible. The terms of policies require careful review as there is wide variation among wordings and
many policies may not be suitable for the types of losses which are likely to occur under GDPR.
C. MORE DATA CAUGHT
Personal data is defined as “any information relating to an identified or identifiable natural person.” (Article 4) A low bar is set for
“identifiable” – if anyone can identify a natural person using “all means reasonably likely to be used” (Recital 26) the information is
personal data, so data may be personal data even if the organization holding the data cannot itself identify a natural person. A
name is not necessary either – any identifier will do such as an identification number, location data, an online identifier or other
factors which may identify that natural person.
Online identifiers are expressly called out in Recital 30 with IP addresses, cookies and RFID tags all listed as examples.
Although the definition and recitals are broader than the equivalent definitions in the current Directive, for the most part they are
simply codifying current guidance and case law on the meaning of ‘personal data’.
GDPR also includes a broader definition of “special categories” (Article 9) of personal data which are more commonly known as
sensitive personal data. The concept has been expanded to expressly include the processing of genetic data and biometric data.
The processing of these data are subject to a much more restrictive regime.
A new concept of ‘pseudonymisation’ (Article 4) is defined as the processing of personal data in such a manner that the personal
data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional
information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not
attributed to an identified or identifiable natural person. Organizations which implement pseudonymization techniques enjoy
various benefits under GDPR.
Practical implications
1. If in any doubt, it is prudent to work on the assumption that data is personal data given the extremely wide definition of
personal data in GDPR.
2. GDPR imposes such a high bar for compliance, with sanctions to match, that often the most effective approach to minimize
exposure is not to process personal data in the first place and to securely wipe legacy personal data or render it fully anonymous,
reducing the amount of data subject to the requirements of GDPR.
3. Where a degree of identification is required for a specific purpose, the next best option is only to collect and use
pseudonymous data. Although this falls within the regulated perimeter, it enjoys a number of benefits for organizations in
particular that in the event of a data breach it is much less likely that pseudonymous data will cause harm to the affected
individuals, thereby also reducing the risk of sanctions and claims for the relevant organization.
4. Organizations should only use identifiable personal data as a last resort where anonymous or pseudonymous data is not
sufficient for the specific purpose.
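The pseudonymisation definition above (Article 4) and practical implications 3 and 4, as an added Python illustration that is not from the page or from DLA Piper: direct identifiers are replaced by keyed pseudonyms, and the "additional information" (the key and the reverse mapping) is modelled as a separate object that the processing code never holds. All field names, record values and keys are constructed assumptions.

```python
"""Pseudonymisation in the sense of GDPR Article 4: identifiers are replaced
so that records can no longer be attributed to a data subject without
"additional information", and that additional information (here a secret
key and a reverse lookup table) is kept separately from the working data.
Added illustration, not DLA Piper's or any project's code; all names,
keys and records are constructed for the example."""
import hmac
import hashlib
import secrets
from typing import Dict, Iterable, List, Optional

# Identifier types the page calls out (Article 4, Recital 30): a name,
# an identification number and online identifiers such as an IP address.
DIRECT_IDENTIFIERS = ("name", "customer_id", "ip_address")

# Constructed sample records; "purchase_total" is the analytic payload.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "customer_id": "C-1001",
     "ip_address": "203.0.113.7", "purchase_total": 42.0},
    {"name": "Bob Example", "customer_id": "C-1002",
     "ip_address": "203.0.113.9", "purchase_total": 7.5},
    {"name": "Alice Example", "customer_id": "C-1001",
     "ip_address": "203.0.113.7", "purchase_total": 10.0},
]


class AdditionalInformation:
    """The separately held material that GDPR requires to be kept apart
    from the pseudonymous data: the HMAC key and the pseudonym -> value map.
    In production this sits in a different system under its own access
    controls; the processing code below is only ever handed pseudonyms."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonym_for(self, value: str) -> str:
        # A keyed HMAC rather than a bare hash: a bare SHA-256 of a known
        # identifier (an e-mail address, an IP) could be recomputed by
        # anyone holding a guess, which would defeat the purpose.
        tag = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[tag] = value
        return tag

    def reidentify(self, pseudonym: str) -> str:
        """Re-attribution is possible only with this separately held object."""
        return self._reverse[pseudonym]


def pseudonymise(records: Iterable[Dict[str, object]],
                 extra: AdditionalInformation) -> List[Dict[str, object]]:
    """Return copies of the records with every direct identifier replaced.
    The same original value always maps to the same pseudonym, so the
    working dataset stays linkable per data subject (useful for analytics)
    without naming anyone."""
    out = []
    for rec in records:
        out.append({
            field: extra.pseudonym_for(str(value)) if field in DIRECT_IDENTIFIERS else value
            for field, value in rec.items()
        })
    return out


def exposes_identifiers(records: Iterable[Dict[str, object]],
                        originals: Iterable[str]) -> bool:
    """Breach-impact check behind practical implication 3: if the
    pseudonymous dataset alone is lost, does any original identifier appear
    in it? Returns True when the separation has failed."""
    present = {str(v) for rec in records for v in rec.values()}
    return any(o in present for o in originals)


if __name__ == "__main__":
    extra = AdditionalInformation()
    pseudo = pseudonymise(SAMPLE_RECORDS, extra)
    for rec in pseudo:
        print(rec)
    print("identifiers exposed:", exposes_identifiers(pseudo, ["Alice Example", "C-1001"]))
    print("re-identified with the additional information:", extra.reidentify(pseudo[0]["name"]))
```

Because the pseudonym depends on the key, a second holder with a different key cannot link the two datasets, which is why the key must be held apart from the working data.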
D. SUPPLIERS (PROCESSORS) CAUGHT TOO
GDPR directly regulates data processors for the first time. The current Directive generally regulates controllers (i.e., those
responsible for determining the purposes and means of the processing of personal data) rather than ‘data processors’ –
organizations who may be engaged by a controller to process personal data on their behalf (e.g., as an agent or supplier).
Under GDPR, processors are required to comply with a number of specific obligations, including to maintain adequate
documentation (Article 30), implement appropriate security standards (Article 32), carry out routine data protection impact
assessments (Article 32), appoint a data protection officer (Article 37), comply with rules on international data transfers (Chapter
V) and cooperate with national supervisory authorities (Article 31). These are in addition to the requirement for controllers to
ensure that when appointing a processor, a written data processing agreement is put in place meeting the requirements of GDPR
(Article 28). Again, these requirements have been enhanced and gold-plated compared to the equivalent requirements in the
Directive.
Processors are directly liable to sanctions (Article 83) if they fail to meet these criteria and may also face private claims by
individuals for compensation (Article 79).
Practical implications
1. GDPR completely changes the risk profile for suppliers processing personal data on behalf of their customers. Suppliers now
face the threat of revenue-based fines and private claims by individuals for failing to comply with GDPR. Telling an investigating
supervisory authority that you are just a processor won’t work; they can fine you too. Suppliers need to take responsibility for
compliance and assess their own compliance with GDPR. In many cases, this requires the review and overhaul of current
contracting arrangements to ensure better compliance. The increased compliance burden and risk requires a careful review of
business cases.
2. Suppliers need to decide for each type of processing undertaken whether they are acting solely as a processor or if their
processing crosses the line and renders them a data controller or joint controller, attracting the full burden of GDPR.
3. Customers (as controllers) face similar challenges. Supply chains need to be reviewed and assessed to determine current
compliance with GDPR. Privacy impact assessments need to be carried out. Supervisory authorities may need to be consulted. In
many cases contracts are likely to need to be overhauled to meet the new requirements of GDPR. These negotiations will not be
straightforward given the increased risk and compliance burden for suppliers. They will also be time consuming and it would be
sensible to start the renegotiation exercise sooner rather than later, particularly as suppliers are likely to take a more inflexible
view over time as standard positions are developed.
4. There are opportunities for suppliers to offer GDPR “compliance as a service” solutions, such as secure cloud solutions, though
customers will need to review these carefully to ensure they dovetail to their own compliance strategy.
E. DATA PROTECTION PRINCIPLES
The core themes of the data protection principles in GDPR remain largely as they were in the Directive, though there has been a
significant raising of the bar for lawful processing (see Higher Bar for Lawful Processing) and a new principle of accountability has
been added.
Personal data must be (Article 5):
processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”)
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes (the “purpose limitation principle”)
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”)
accurate and where necessary kept up-to-date (the “accuracy principle”)
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which
the data are processed (the “storage limitation principle”)
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and
organizational measures (the “integrity and confidentiality principle”)
The controller is responsible for and must be able to demonstrate compliance with the above principles (the accountability
principle).
Practical implications
1. Controllers need to assess and ensure compliance of data collection and use across their organizations with each of the above
principles as any failure to do so attracts the maximum category of fines of up to 20 million Euros / 4% of worldwide annual
turnovers. Data mapping, gap analysis and remediation action plans need to be undertaken and implemented.
2. The enhanced focus on accountability will require a great deal more papering of process flows, privacy controls and decisions
made to allow controllers to be able to demonstrate compliance. See Accountability and Governance.
F. HIGHER BAR FOR LAWFUL PROCESSING
The lawfulness, fairness and transparency principle among other things requires processing to fall within one or more of the
permitted legal justifications for processing. Where special categories of personal data are concerned, additional much more
restrictive legal justifications must also be met.
Although this structure is present in the Directive, the changes introduced by GDPR will make it much harder for organizations to
https://www.dlapiper.com/focus/eu-data-protection-regulation/key-changes
https://www.dlapiper.com/focus/eu-data-protection-regulation/key-changes/#accountability
fall within the legal justifications for processing. Failure to comply with this principle is subject to the very highest fines of up to 20
million Euros or in the case of an undertaking up to 4% of annual worldwide turnover, whichever is the greater.
In particular:
The bar for valid consents has been raised much higher under GDPR. Consents must be fully unbundled from other terms
and conditions and will not be valid unless freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)).
Consent also attracts additional baggage for controllers in the form of extra rights for data subjects (the right to be
forgotten and the right to data portability) relative to some of the other legal justifications. Consent must be as easy to
withdraw as it is to give – data subjects have the right to withdraw consent at any time – and unless the
controller has another legal justification for processing, any processing based on consent alone would need to cease once
consent is withdrawn.
To compound the challenge for controllers, in addition to a hardening of the requirements for valid consent, GDPR has
also narrowed the legal justification allowing data controllers to process in their legitimate interests. This justification also
appears in the Directive though the interpretation of the concept in the current regime has varied significantly among the
different Member States with some such as the UK and Ireland taking a very broad view of the justification and others
such as Germany taking a much more restrictive interpretation. GDPR has followed a more Germanic approach,
narrowing the circumstances in which processing will be considered to be necessary for the purposes of the legitimate
interests of the controller or a third party. In particular, the ground can no longer be relied upon by public authorities.
Where it is relied upon, controllers will need to specify what the legitimate interests are in information notices and will
need to consider and document why they consider that their legitimate interests are not overridden by the interests or
fundamental rights and freedoms of the data subjects, in particular where children’s data is concerned.
The good news is that the justification allowing processing necessary for the performance of a contract to which the data subject
is party or in order to take steps at the request of the data subject to enter into a contract is preserved in GDPR, though
continues to be narrowly drafted. Processing which is not necessary to the performance of a contract will not be covered. The
less good news for controllers relying on this justification is that it comes with additional burdens under GDPR, including the right
to data portability and the right to be forgotten (unless the controller is able to rely on another justification).
Other justifications include where processing is necessary for compliance with a legal obligation; where processing is necessary to
protect the vital interests of a data subject or another person where the data subject is incapable of giving consent; where
processing is necessary for performance of a task carried out in the public interest in the exercise of official authority vested in the
controller. These broadly mirror justifications in the previous Directive.
Processing for new purposes
It is often the case that organizations will want to process data collected for one purpose for a new purpose which was not
disclosed to the data subject at the time the data was first collected. This is potentially in conflict with the core principle of
purpose limitation and to ensure that the rights of data subjects are protected, GDPR sets out a series of considerations that the
controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were
initially collected (Article 6(4)). These include:
any link between the original purpose and the new purpose
the context in which the data have been collected
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are
processed (with the inference being that if they are it will be much harder to form the view that a new purpose is
compatible)
the possible consequences of the new processing for the data subjects
the existence of appropriate safeguards, which may include encryption or pseudonymization.
If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new
purpose are a fresh consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and
proportionate measure in a democratic society).
Processing of special categories of personal data
As is the case in the Directive, GDPR sets a higher bar to justify the processing of special categories of personal data. These are
defined to include “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person’s sex life or sexual orientation.” (Article 9(1)) Processing of these data is
prohibited unless one or more specified grounds are met, which are broadly similar to the grounds set out in the Directive.
Processing of special categories of personal data is only permitted (Article 9(2)):
with the explicit consent of the data subject
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and
social protection law or a collective agreement
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally
incapable of giving consent
in limited circumstances by certain not-for-profit bodies
where processing relates to the personal data which are manifestly made public by the data subject
where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their
legal capacity
where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to
the aim pursued and with appropriate safeguards
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical
diagnosis, provision of health or social care or treatment or the management of health or social care systems and services
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border
threats to health or ensuring high standards of health care and of medical products and devices
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with restrictions set out in Article 89(1)
The justifications and conditions for processing special categories of data is one area where Member States are permitted to
introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data,
biometric data and health data.
Processing of personal data relating to criminal convictions and offenses
GDPR largely mirrors the requirements of the Directive in relation to criminal conviction and offences data. This data may only be
processed under official authority or when authorized by Union or Member State law (Article 10), which means this is another
area where legal requirements and practice are likely to diverge among the different Member States.
Practical Implications
1. Controllers need to ensure that they have one or more legal justifications to process personal data for each purpose. Practically
this will require comprehensive data mapping to ensure that all personal data within the extended enterprise (i.e. including data
processed by third parties as well as data within the organization) has a legal justification to be processed.
2. Consideration needs to be given as to which are the most appropriate justifications for different purposes and personal data,
given that some justifications attract additional regulatory burdens.
3. The common practice of justifying processing with generic consents needs to cease with GDPR in force. Consent comes with
many additional requirements under GDPR and as such is likely to be a justification of last resort where no other justifications are
available.
4. Where controllers propose to process legacy data for new purposes, they need to be able to demonstrate compliance with the
purpose limitation principle. To do that, controllers should document decisions made concerning new processing, taking into
account the criteria set out in GDPR and bearing in mind that technical measures such as encryption or pseudonymisation of data
will generally make it easier to prove that new purposes are compatible with the purposes for which personal data were originally
collected.
G. TRANSFERS
International transfers and particularly those to the US have regularly made front page headline news over the last 12 months with
the successful torpedoing of the EU/US Safe Harbor regime by Europe’s highest court. Organizations will be relieved to hear that
for the most part GDPR does not make any material changes to the previous rules for transfers of personal data cross-border,
largely reflecting the regime under the Directive. That said, in contrast to the previous regime where sanctions for breaching
transfer restrictions were limited, failure to comply with GDPR’s transfer requirements attracts the highest category of fines of up to
20 million Euros or in the case of undertakings up to 4% of annual worldwide turnover.
Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in GDPR are met
(Article 44).
Transfers to third countries, territories or specified sectors or an international organization which the Commission has decided
ensures an adequate level of protection do not require any specific authorization (Article 45(1)). The adequacy decisions made
under the current Directive shall remain in force under GDPR until amended or repealed (Article 45(9)); so for the time being
transfers to any of the following countries are permitted: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faeroe
Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.
The well-publicized gap for transfers from the EU to US following the ruling that Safe Harbor is invalid will, it is hoped, be filled
with the new EU/US Privacy Shield.
Transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition
that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards
include among other things binding corporate rules which now enjoy their own Article 47 under GDPR and standard contractual
clauses. Again, decisions on adequacy made under the Directive will generally be valid under GDPR until amended, replaced or
repealed.
Two new mechanics are introduced by GDPR to justify international transfers (Article 46(2)(e) and (f)): controllers or processors
may also rely on an approved code of conduct pursuant to Article 40 or an approved certification mechanism pursuant to Article
42 together in each case with binding and enforceable commitments in the third country to apply these safeguards including as
regards data subjects’ rights. GDPR also removes the need to notify and in some Member States seek prior approval of model
clauses from supervisory authorities.
GDPR includes a list of derogations similar to those included in the Directive permitting transfers where:
(a) explicit informed consent has been obtained
(b) the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject
between the controller and another natural or legal person
(d) the transfer is necessary for important reasons of public interest
(e) the transfer is necessary for the establishment, exercise or defense of legal claims
(f) the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained
(g) the transfer is made from a register which according to EU or Member State law is intended to provide information to the
public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanic is available and the transfer is necessary for the
purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data
subject; notification to the supervisory authority is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized
or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in
force between the requesting third country and the EU or Member State; otherwise a transfer in response to such a request where
there is no other legal basis for transfer will breach GDPR’s restrictions.
Practical Implications
1. Given the continued focus of the media and regulators on international transfers and the increased sanctions to be introduced by
GDPR, all controllers and processors need to carefully diligence current data flows to establish what types of data are being shared
with which organizations in which jurisdictions.
2. Current transfer mechanics need to be reviewed to assess compliance with GDPR and, where necessary, remedial steps
implemented before GDPR comes into force.
3. For intra-group transfers, consider binding corporate rules which not only provide a good basis for transfers but also help
demonstrate broader compliance with GDPR helping to comply with the principle of accountability.
H. DATA BREACH NOTIFICATION
One of the most profound changes to be introduced by GDPR is a European wide requirement to notify data breaches to
supervisory authorities and affected individuals.
In the US, data breach notification laws are now in force in all 50 States, and the hefty penalties for failing to notify have
fundamentally changed the way US organizations investigate and respond to data incidents. Not notifying has become a high risk
option.
In contrast, Europe previously had no universally applicable law requiring notification of breaches. In the majority of Member
States there was either no general obligation to notify or minimal sanctions for failing to do so; for many organizations not
notifying and thereby avoiding the often damaging media fall-out is still common practice in Europe. That fundamentally changes
with GDPR in force.
GDPR requires “the controller without undue delay, and where feasible, not later than 72 hours after having become aware of it,
[to] notify the … breach to the supervisory authority” (Article 33(1)). When the personal data breach is likely to result in a high
risk to the rights and freedoms of individuals the controller is also required to notify the affected individuals “without undue delay”
(Article 34). Processors are required to notify the controller without undue delay having become aware of the breach (Article
33(2)).
The notification to the regulator must include where possible the categories and approximate numbers of individuals and records
concerned, the name of the organization’s DPO or other contact, the likely consequences of the breach and the measures taken
to mitigate harm (Article 33(3)).
Although the obligation to notify is conditional on awareness, burying your head in the sand is not an option as controllers are
required to implement appropriate technical and organizational measures together with a process for regularly testing, assessing
and evaluating the effectiveness of those measures to ensure the security of processing (Article 32). Controllers are also required
to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits by
the supervisory authority.
Failing to comply with the articles relating to security and data breach notification attracts fines of up to 10 million Euros or 2% of
annual worldwide turnover, potentially for both the controller and the processor. As a data breach often leads to investigations by
supervisory authorities and often uncovers other areas of non-compliance, it is quite possible that fines of up to 20 million Euros
or 4% of annual worldwide turnover will also be triggered.
Practical implications
1. Notification will become the norm: Sweeping breaches under the carpet has become a very high risk option under GDPR.
Organizations that are found to have deliberately not notified can expect the highest fines and lasting damage to corporate and
individual reputations. Notifying and building data breach infrastructure to enable prompt, compliant notification will be a necessity
under GDPR.
2. A coordinated approach is required, including technology, a breach response policy and wider staff training. Data breaches are
increasingly a business as usual event. Lost or stolen devices, emails sent to incorrect addresses in error and the continuing rise of
cybercrime mean that for many organizations, data breaches are a daily occurrence. To deal with the volume of breaches,
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
organizations need a combination of technology, breach response procedures and staff training.
a. Technology requirements: these will vary for each organization but will typically include a combination of firewalls, log
recording, data loss prevention, malware detection and similar applications. There is an increasingly sophisticated array of
applications that learn what “normal” looks like for a particular corporate network in order to spot unusual events more
effectively. The state of the art continues to change rapidly as organizations try to keep pace with sophisticated hackers. Regular
privacy impact assessments and upgrades of technology are required.
b. Breach response procedures: to gain the greatest protection from technology, investment is required in dealing with red flags
when they are raised by internal detection systems or notified from external sources. Effective breach response requires a
combination of skill sets including IT, PR and legal. Develop a plan and test it regularly.
c. Staff training: the weak link in security is frequently people rather than technology. Regular staff training is essential to raise
awareness of the importance of good security practices, current threats and who to call if a breach is suspected. It is also
important to avoid a blame culture that may deter staff from reporting breaches.
3. Consider privilege and confidentiality as part of your plan. Make sure that forensic reports are protected by privilege wherever
possible to avoid compounding the losses arising from a breach. Avoid the temptation to fire off emails when a breach is
suspected; pick up the phone. Don’t speculate on what might have happened; stick to the facts. Bear in mind that you may be
dealing with an insider threat, such as a rogue employee, so keep any investigation on a strictly need-to-know basis and always
consider using external investigators if there is any possibility of an inside attack.
4. Appoint your external advisors today if you haven’t done so already. When a major incident occurs, precious time can be
wasted identifying and then retaining external support teams when you are up against a 72 hour notification deadline. Lawyers,
forensics and PR advisors should ideally be contracted well before they are needed for a live incident. Find out more about DLA
Piper’s breach response credentials and team.
5. Insurance: many insurers are now offering cyber insurance. However, there is a lack of standardization in coverage offered.
Limits are often too small for the likely exposure. Conditions are often inappropriate such as a requirement for the insured to
have fully complied with all applicable laws and its own internal policies which will rarely be the case. That said, it is usually possible
to negotiate better coverage with carriers in what continues to be a soft insurance market. Now is a good time to check the
terms of policies and work with your legal team and brokers to ensure that you have the best possible coverage. You should
clarify with brokers and underwriters what amounts to a notifiable incident to insurers under your policies as again there is no
common standard and failing to notify when required may invalidate cover. You should also ensure that your insurance policies
will cover the costs of your preferred external advisors as many policies will only cover advice from panel advisors.
6. Develop standard notification procedures: Perhaps the greatest challenge facing organizations and regulators is the sheer
volume of data breaches and the lack of standards or guidance as to how breaches should be notified and at what point they become
notifiable. In the absence of guidance, organizations will need to make an informed decision as to how to develop internal
operations for the detection, categorization, investigation, containment and reporting of data breaches. Similarly, supervisory
authorities will need to develop standard approaches and standard categorizations of incidents to ensure that limited resources
are focused on the most serious incidents first.
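Item 2a above refers to tooling that learns what “normal” looks like for a network and flags departures from it, and item 2b to the red flags that a breach response procedure must be ready to triage. The following is an added example, not text from this guide or code from any product: it builds a per-user baseline from a training window of constructed authentication log lines (the line format, the account names and the addresses are assumptions for the demo) and flags later days that depart from that baseline, either by volume or by a source network the account has never used. Each alert is the kind of red flag that starts the clock on the assessment leading to a 72-hour notification decision.

```python
"""Baseline-and-deviation check over authentication log lines.

Added example (not from the original page): learn what "normal" looks like
per user from a training window, then flag later activity that departs from it.
The log format, account names and addresses below are constructed for the demo.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line format (constructed, not a real product's log):
# "<ISO-8601 timestamp> user=<name> src=<IPv4> action=<verb> status=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) status=(?P<status>\S+)$"
)


def constructed_log():
    """Five quiet weekdays, then a day with two kinds of deviation (constructed data)."""
    lines = []
    for day in range(2, 7):  # 2023-01-02 .. 2023-01-06 form the training window
        lines.append(f"2023-01-0{day}T08:45:00 user=bob src=10.0.2.15 action=login status=ok")
        lines.append(f"2023-01-0{day}T09:01:00 user=alice src=10.0.1.20 action=login status=ok")
        lines.append(f"2023-01-0{day}T13:30:00 user=alice src=10.0.1.20 action=login status=ok")
    # 2023-01-09: alice's account pulls data 12 times in an hour at 02:00;
    # bob's account appears from an outside network it never used before.
    for minute in range(0, 60, 5):
        lines.append(f"2023-01-09T02:{minute:02d}:00 user=alice src=10.0.1.20 action=download status=ok")
    lines.append("2023-01-09T08:50:00 user=bob src=203.0.113.7 action=login status=ok")
    lines.append("malformed line that the parser must skip, not crash on")
    return "\n".join(lines)


def parse(log_text):
    """Turn raw lines into dicts; unparseable lines are dropped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["net"] = ".".join(e["src"].split(".")[:3])  # coarse /24 "where from"
        events.append(e)
    return events


def build_baseline(events, train_end):
    """Per user: mean and population stdev of daily event counts, plus source /24s seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    nets = defaultdict(set)
    for e in events:
        if e["ts"] < train_end:
            per_day[e["user"]][e["ts"].date()] += 1
            nets[e["user"]].add(e["net"])
    return {
        user: {
            "mean": statistics.fmean(days.values()),
            "stdev": statistics.pstdev(days.values()),
            "nets": nets[user],
        }
        for user, days in per_day.items()
    }


def detect(events, baseline, train_end, z=3.0, floor=3):
    """Flag post-training days whose count exceeds mean + z*stdev (with an
    absolute floor so a perfectly regular user does not alert on +1), and
    any event from a source network absent from the user's baseline."""
    alerts = set()
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["ts"] < train_end:
            continue
        b = baseline.get(e["user"])
        if b is None:
            alerts.add((e["ts"].date(), e["user"], "account with no baseline"))
            continue
        if e["net"] not in b["nets"]:
            alerts.add((e["ts"].date(), e["user"], f"new source network {e['net']}.0/24"))
        per_day[e["user"]][e["ts"].date()] += 1
    for user, days in per_day.items():
        b = baseline[user]
        threshold = max(b["mean"] + z * b["stdev"], b["mean"] + floor)
        for day, n in days.items():
            if n > threshold:
                alerts.add((day, user, f"{n} events vs baseline {b['mean']:.1f}/day"))
    return sorted(alerts)


def run(log_text=None, train_end=datetime(2023, 1, 7)):
    """Parse, learn the baseline before train_end, and return sorted alerts."""
    events = parse(constructed_log() if log_text is None else log_text)
    return detect(events, build_baseline(events, train_end), train_end)


if __name__ == "__main__":
    for day, user, reason in run():
        print(f"{day} {user}: {reason}")
```

Two design points matter in practice. The absolute floor stops a user whose history has zero variance from alerting on a single extra login, which is the most common source of noise in this kind of rule; and malformed lines are skipped rather than raised on, because a detection pipeline that stops on the first odd log line is one an attacker can blind. The thresholds here are illustrative; a real deployment tunes them against the organization’s own traffic.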
I. MORE RIGHTS FOR INDIVIDUALS
GDPR builds on the rights enjoyed by individuals under the previous Directive, enhancing those rights and introducing a new right
to data portability. These rights are backed up with provisions making it easier to claim damages for compensation and for
consumer groups to enforce rights on behalf of consumers.
Transparency
One of the core building blocks of GDPR’s enhanced rights for individuals is the requirement for greater transparency. Various
information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and
plain language (Article 12(1)).
The following information must be provided (Article 13) at the time the data is obtained:
the identity and contact details of the controller
the Data Protection Officer’s contact details (if there is one)
both the purpose for which data will be processed and the legal basis for processing including if relevant the legitimate
interests for processing
the recipients or categories of recipients of the personal data
details of international transfers
the period for which personal data will be stored or, if that is not possible, the criteria used to determine this
the existence of rights of the data subject including the right to access, rectify, require erasure (the “right to be
forgotten”), restrict processing, object to processing and data portability; where applicable the right to withdraw consent,
and the right to complain to supervisory authorities
the consequences of failing to provide data necessary to enter into a contract
the existence of any automated decision making and profiling and the consequences for the data subject.
In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that
further processing, providing the above information.
Slightly different transparency requirements apply (Article 14) where the information has not been obtained from the data subject.
Subject access rights (Article 15)
These broadly follow the existing regime set out in the Directive, though some additional information must be disclosed and there
is no longer a right for controllers to charge a fee, with some narrow exceptions. Information requested by data subjects must be
provided within one month as a default, with a limited right for the controller to extend this period by a further two months where
requests are complex or numerous.
Right to rectify (Article 16)
Data subjects continue to enjoy a right to require inaccurate or incomplete personal data to be corrected or completed without
undue delay.
Right to erasure (right to be forgotten)(Article 17)
The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in
Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for
an unpaid debt, on the basis that Google, as a data controller of the search results, had no legal basis to process that information.
The right to be forgotten now has its own Article in GDPR. However, the right is not absolute; it only arises in quite a narrow set
of circumstances notably where the controller has no legal ground for processing the information. As demonstrated in the Google
Spain decision itself, requiring a search engine to remove search results does not mean the underlying content controlled by third
party websites will necessarily be removed. In many cases the controllers of those third party websites may have entirely
legitimate grounds to continue to process that information, albeit that the information is less likely to be found if links are
removed from search engine results.
The practical impact of this decision has been a huge number of requests made to search engines for search results to be removed
raising concerns that the right is being used to remove information that it is in the public interest to be accessible.
Right to restriction of processing (Article 18)
Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the
accuracy of the data is contested; where the processing is unlawful; where the data is no longer needed save for legal claims of the
data subject; or where the data subject has objected to processing and it is being verified whether the controller’s legitimate
grounds override those of the data subject.
Right to data portability (Article 20)
This is an entirely new right in GDPR and has no equivalent in the previous Directive. Where the processing of personal data is
justified either on the basis that the data subject has given their consent to processing or on the basis that processing is necessary
for the performance of a contract, and the processing is carried out by automated means, the data subject has the right to
receive, or have transmitted to another controller, all personal data concerning them in a structured, commonly used and
machine-readable format.
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631
The right is a good example of the regulatory downsides of relying on consent or performance of a contract to justify processing –
they come with various baggage under GDPR relative to other justifications for processing.
Where the right is likely to arise controllers need to develop procedures to facilitate the collection and transfer of personal data
when requested to do so by data subjects.
Right to object (Article 21)
The Directive’s right to object to the processing of personal data for direct marketing purposes at any time is retained.
In addition, data subjects have the right to object to processing which is legitimized on the grounds either of the legitimate
interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of
the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data
subject or that the processing is for the establishment, exercise or defense of legal claims.
The right not to be subject to automated decision making, including profiling (Article 22)
This right expands the Directive right not to be subject to automated decision making. GDPR expressly refers to profiling as an
example of automated decision making. Automated decision making and profiling “which produces legal effects concerning [the
data subject] … or similarly significantly affects him or her” are only permitted where
(a) necessary for entering into or performing a contract
(b) authorized by EU or Member State law, or
(c) the data subject has given their explicit (i.e. opt-in) consent.
The scope of this right is potentially extremely broad and may throw into question legitimate profiling for example to detect fraud
and cybercrime. It also presents challenges for the online advertising industry and website operators who will need to revisit
consenting mechanics to justify online profiling for behavioral advertising. This is an area where further guidance is needed on how
Article 22 will be applied to specific types of profiling.
Practical implications
1. Controllers need to review and update current fair collection notices to ensure compliance with the expanded information
requirements. Much more granular notices are required using plain and concise language.
2. Consideration should be given to which legal justifications for processing are most appropriate for different purposes, given that
some such as consent and processing for performance of a contract come with additional regulatory burden in the form of
enhanced rights for individuals.
3. For some controllers with extensive personal data held on consumers, it is likely that significant investment in customer
preference centers is required on the one hand to address enhanced transparency and choice requirements and on the other hand
to automate compliance with data subject rights.
4. Existing data subject access procedures should be reviewed to ensure compliance with the additional requirements of GDPR.
5. Policies and procedures need to be written and tested to ensure that controllers are able to comply with data subjects’ rights
within the time limits set by GDPR. In some cases, such as where data portability engages, significant investments may be required.
J. DATA PROTECTION OFFICERS
GDPR introduces a significant new governance burden for those organizations which are caught by the new requirement to
appoint a DPO. Although this was already a requirement for most controllers in Germany under previous data protection laws, it
is an entirely new requirement (and cost) for many organizations.
The following organizations must appoint a data protection officer (DPO) (Article 37):
public authorities
controllers or processors whose core activities consist of processing operations which by virtue of their nature, scope or
purposes require regular and systematic monitoring of data subjects on a large scale
controllers or processors whose core activities consist of processing sensitive personal data on a large scale.
DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices though perhaps in recognition of the
current shortage of experienced data protection professionals, it is possible to outsource the DPO role to a service provider
(Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which
relate to the protection of personal data” (Article 38(1)). The role is therefore a sizeable responsibility for larger controllers and
processors.
The DPO must directly report to the highest management level, must not be told what to do in the exercise of their tasks and
must not be dismissed or penalized for performing their tasks (Article 38(3)).
The specific tasks of the DPO are set out in GDPR including (Article 39):
to inform and advise on compliance with GDPR and other Union and Member State data protection laws
to monitor compliance with law and with the internal policies of the organization including assigning responsibilities,
awareness raising and training staff
to advise and monitor data protection impact assessments
to cooperate and act as point of contact with the supervisory authority
Practical implications
1. Organizations need to assess whether or not they fall within one or more of the categories where a DPO is mandated. Public
authorities will be caught (with some narrow exceptions), as will many social media, search and other tech firms who monitor
online consumer behavior to serve targeted advertising. Many b2c businesses which regularly monitor the online activity of their
customers and website visitors will also be caught.
2. There is currently a shortage of expert data protection officers as outside of Germany this is a new requirement for most
organizations. Organizations will therefore need to decide whether to appoint an internal DPO with a view to training them up
over the next couple of years or use one of the external DPO service providers several of which have been established to fill this
gap in the market. Organizations might consider a combination of internal and external DPO resources as given the size of the
task it may not be realistic for just one person to do it.
K. ACCOUNTABILITY AND GOVERNANCE
Accountability is a recurring theme of GDPR. Data governance is no longer just a case of doing the right thing; organizations need
to be able to prove that they have done the right thing to regulators, to data subjects and potentially to shareholders and the
media often years after a decision was taken.
GDPR requires each controller to demonstrate compliance with the data protection principles (Article 5(2)). This general
principle manifests itself in specific enhanced governance obligations which include:
Keeping a detailed record of processing operations (Article 30)
The requirement in previous data protection laws to notify the national data protection authority about data processing
operations was abolished and replaced by a more general obligation on the controller to keep extensive internal records
of their data protection activities. The level of detail required is far more granular compared to many previous Member
State notification requirements. There is some relief granted to organizations employing fewer than 250 people though the
exemption is very narrowly drafted.
Performing data protection impact assessment for high risk processing (Article 35)
A data protection impact assessment is a mandatory pre-requisite before processing personal data for processing which is
likely to result in a high risk to the rights and freedoms of individuals. Specific examples are set out of high risk processing
requiring impact assessments including: automated processing including profiling that produce legal effects or similarly
significantly affect individuals; processing of sensitive personal data; and systematic monitoring of publicly accessible areas
on a large scale. DPOs, where in place, have to be consulted. Where the impact assessment indicates high risks in the
absence of measures to be taken by the controller to mitigate the risk, the supervisory authority must also be consulted
(Article 36) and may second guess the measures proposed by the controller and has the power to require the controller
to impose different or additional measures (Article 58).
Designating a data protection officer (Article 37) See Data Protection Officers
Notifying and keeping a comprehensive record of data breaches (Articles 33 and 34) See Data Breach Notification
Implementing data protection by design and by default (Article 25)
GDPR introduces the concepts of “data protection by design and by default.” “Data protection by design” requires taking
data protection risks into account throughout the process of designing a new process, product or service, rather than
treating it as an afterthought. This means assessing carefully and implementing appropriate technical and organizational
measures and procedures from the outset to ensure that processing complies with GDPR and protects the rights of the
data subjects.
“Data protection by default” requires ensuring mechanisms are in place within the organization to ensure that, by default,
only personal data which are necessary for each specific purpose are processed. This obligation includes ensuring that only
the minimum amount of personal data is collected and processed for a specific purpose; the extent of processing is limited
to that necessary for each purpose; the data is stored no longer than necessary and access is restricted to that necessary
for each purpose.
Practical implications
1. Data mapping: every controller and processor needs to carry out an extensive data audit across the organization and its supply
chains, record this information in accordance with the requirements of Article 30 and have governance in place to ensure that the
information is kept up to date. The data mapping exercise is also crucial to determining compliance with GDPR’s other
obligations, so this exercise should be commenced as soon as possible.
2. Gap analysis: Once the data mapping exercise is complete, each organization needs to assess its current level of compliance with
the requirements of GDPR. Gaps need to be identified and remedial actions prioritized and implemented.
3. Governance and policy for data protection impact assessments: the data mapping exercise should identify high risk processing.
Data protection impact assessments need to be completed and documented for each of these (frequently these will include third
party suppliers) and any remedial actions identified implemented. Supervisory authorities may need to be consulted. A procedure
needs to be put in place to standardize future data protection impact assessments and to keep existing impact assessments
regularly updated where there is a change in the risk of processing.
4. Data protection by design and by default: in part these obligations will be addressed through implementing remedial steps
identified by the gap analysis and in data protection impact assessments. However, to ensure that data protection by design and by
default is delivered, extensive staff and supplier engagement and training will also be required to raise awareness of the importance
of data protection and to change behaviors.
L. DEROGATIONS
European data protection laws today are in many cases substantively very different among Member States. This is partly due to the
ambiguities in the Directive being interpreted and implemented differently, and partly due to the Directive permitting Member
States to implement different or additional rules in some areas. As GDPR will become law without the need for any secondary
implementing laws, there will be a greater degree of harmonization relative to the current regime. However, GDPR preserves the
right for Member States to introduce different laws in many important areas and as a result we are likely to continue to see a
patchwork of different data protection laws among Member States, for certain types of processing.
Each Member State is permitted to restrict the rights of individuals and transparency obligations (Article 23) by legislation when
the restriction “respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a
democratic society” to safeguard one of the following:
(a) national security
(b) defense
(c) public security
(d) the prevention, investigation, detection or prosecution of breaches of ethics for regulated professions, or crime, or the
execution of criminal penalties
(e) other important objectives of general public interest of the EU or a Member State, in particular economic or financial interests
(f) the protection of judicial independence and judicial proceedings
(g) a monitoring, inspection or regulatory function connected with national security, defense, public security, crime prevention,
other public interest or breach of ethics
(h) the protection of the data subject or the rights and freedoms of others
(i) the enforcement of civil law claims
To be a valid restriction for the purposes of GDPR, any legislative restriction must contain specific provisions setting out:
(a) the purposes of processing
(b) the categories of personal data
(c) the scope of the restrictions
(d) the safeguards to prevent abuse or unlawful access or transfer
(e) the controllers who may rely on the restriction
(f) the permitted retention periods
(g) the risks to the rights and freedoms of data subjects
(h) the right of data subjects to be informed about the restriction, unless prejudicial to the purpose of the restriction
In addition to these permitted restrictions, Chapter IX of GDPR sets out various specific processing activities which include
additional derogations, exemptions and powers for Member States to impose additional requirements. These include:
processing and freedom of expression and information (Article 85)
processing and public access to official documents (Article 86)
processing of national identification numbers (Article 87)
processing in the context of employment (Article 88)
safeguards and derogations to processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes (Article 89)
obligations of secrecy (Article 90)
existing data protection rules of churches and religious associations (Article 91)
These special cases also appeared in the Directive, though in some cases have been amended or varied in GDPR.
Practical implications
1. Controllers and processors first need to determine which Member States’ laws apply to their processing activities and whether
processing will be undertaken within any specific processing activities which may be subject to additional restrictions.
2. These Member State laws then need to be checked to determine what additional requirements engage. Changes in law need to
be monitored and any implications for processing activities addressed.
3. Derogations pose a challenge to multi-national organizations seeking to implement standard European-wide solutions to address
compliance with GDPR; these need to be sufficiently flexible to allow for exceptions where different rules engage in one or more
Member State.
M. CROSS-BORDER ENFORCEMENT
The ideal of a one-stop-shop ensuring that controllers present in multiple Member States would only have to answer to their lead
home regulator failed to make it into the final draft. GDPR includes a complex, bureaucratic procedure allowing multiple
‘concerned’ authorities to input into the decision making process.
The starting point for enforcement of GDPR is that controllers and processors are regulated by and answer to the supervisory
authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority
in another Member State has the power to enforce where an infringement occurs on its territory or substantially affects data subjects
only in its territory (Article 56(2)).
In situations where multiple supervisory authorities are involved in an investigation or enforcement process there is a cooperation
procedure (Article 60) involving a lengthy decision making process and a right to refer to the consistency mechanism (Articles 63 –
65) if a decision cannot be reached, ultimately with the European Data Protection Board having the power to take a binding
decision.
There is an urgency procedure (Article 66) for exceptional circumstances which permits a supervisory authority to adopt
provisional measures on an interim basis where necessary to protect the rights and freedoms of data subjects.
Practical implications
1. Controllers and processors need to determine which Member States’ supervisory authorities have jurisdiction over their
processing activities; which is the lead authority and which other supervisory authorities may have jurisdiction.
2. An important aspect of managing compliance risk is to try to stay on the right side of your regulator by engaging positively with
any guidance published and taking up opportunities such as training and attending seminars.
DATA PROTECTION AND PRIVACY GROUP KEY CONTACTS
Americas
Europe, Middle East and Africa
Asia Pacific
Jennifer Kashatus
Partner
T +1 202 799 4448
jennifer.kashatus@dlapiper.com
Kate Lucente
Partner and Co-Editor,
Data Protection Laws of
the World
T +1 813 222 5927
kate.lucente@dlapiper.com
Andrew Serwin
Partner, Global
Co-Chair Data
Protection, Privacy and
Security Group
T +1 858 677 1418
andrew.serwin@dlapiper.com
Andrew Dyson
Partner, Global
Co-Chair Data
Protection, Privacy and
Security Group
T +44 (0)113 369 2403
andrew.dyson@dlapiper.com
Ewa Kurowska-Tober
Partner, Global
Co-Chair Data
Protection, Privacy and
Security Group
T +48 22 540 74 1502
ewa.kurowska-tober@dlapiper.com
Denise
Lebeau-Marianna
Partner
T + 33 (0)1 40 15 24 98
denise.lebeau-marianna@dlapiper.com
Diego Ramos
Partner
T +349 17901658
diego.ramos@dlapiper.com
Richard van Schaik
Partner
T +31 20 541 9828
richard.vanschaik@dlapiper.com
Carolyn Bigg
Partner, Global
Co-Chair of Data
Protection, Privacy and
Security Group
T +852 2103 0576
carolyn.bigg@dlapiper.com
Nicholas Boyle
Partner
T +61 2 9286 8479
nicholas.boyle@dlapiper.com
EDITORS
James Clark
Senior Associate and
Co-Editor, Data
Protection Laws of the
World
T +44 113 369 2461
james.clark@dlapiper.com
Kate Lucente
Partner and Co-Editor,
Data Protection Laws of
the World
T +1 813 222 5927
kate.lucente@dlapiper.com
Lea Lurquin
Associate and
Contributing Editor,
Data Protection Laws of
the World
T +1 415 615 6024
lea.lurquin@dlapiper.com
ALBANIA
Last modified 22 December 2021
LAW
The Republic of Albania regulates personal data protection pursuant to Law No. 9887, dated 10 March 2008 “On Protection of
Personal Data”, as amended (“Data Protection Law”) (Official Gazette of the Republic of Albania No. 44, dated 1 April 2008).
The Data Protection Law was last amended in 2014, thus it is yet to be harmonized with Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data (“GDPR”).
The complete harmonization of the current Albanian legislation in force on data protection with the GDPR has been one of the
main objectives of the Office of Information and Data Protection Commissioner since 2018, however this objective has yet to be
achieved (due in part to the Covid-19 pandemic).
DEFINITIONS
Definition of Personal Data
Data Protection Law defines personal data as any information relating to an identified or identifiable natural person, directly or
indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity.
Definition of Sensitive Personal Data
Data Protection Law defines sensitive data as any information related to a natural person referring to his racial or ethnic origin,
political opinions, trade union membership, religious or philosophical beliefs, criminal prosecution, as well as data concerning his
health and sexual life.
NATIONAL DATA PROTECTION AUTHORITY
The Right to Information and Data Protection Commissioner (the “Commissioner”) is the Albanian independent authority in
charge of supervising and monitoring the protection of personal data and the right to information by respecting and guaranteeing
the fundamental human rights and freedoms in compliance with the legal framework.
The Commissioner is a public legal person, elected by the Parliament upon a proposal of the Council of Ministers for a 5-year
term, eligible for re-election. The Parliament also designates the organizational structure of the Commissioner’s Office.
The information obtained by the Commissioner while exercising his duties shall be used only for supervisory purposes in
compliance with the legislation on the protection of personal data. The Commissioner shall remain under the obligation of
confidentiality even after the termination of his functions.
The Commissioner is seated at Rr. “Abdi Toptani”, Nd. 5, 1001, Tirana, Albania.
REGISTRATION
Data Protection Law provides for the legal obligation of every controller to notify the Commissioner on the processing of
personal data for which it is responsible. The notification shall be made before the controller processes the data for the first time,
or when a change of the processing notification status is required.
The notification shall contain the name and address of the controller, the purpose of personal data processing, the categories of
data subjects and personal data, the recipients and categories of the recipients of personal data, the proposal on the international
transfers that the controller aims to carry out and a general description of the measures for the security of personal data. The
notification is done either online, on the website of the Commissioner, or manually, by submitting the completed notification form
to the Commissioner’s Office.
The information submitted by the data controller through the notification, except for the general description of the measures for
the security of personal data, shall be published by the Commissioner’s Office on the Electronic Register of Controllers which is
accessible by the public on the official website (https://www.idp.al/).
The notification process and the publication of the information it contains is fundamental to ensure transparency for the public and
consequently to protect personal data. Through the access to the Electronic Register of Controllers, the public has the means of
understanding how personal data are processed by the controlling entities.
The failure of the controlling entities to comply with the obligation to notify the Commissioner constitutes an administrative
offence and is punishable by a fine.
However, there are cases when the controllers are exempted from the notification obligation as follows:
The processing of personal data is performed in order to keep a register, which in accordance with the law or sub-legal
acts provides information for the public;
The processing of personal data is performed in order to protect the constitutional institutions, national security interests,
foreign policies, economic or financial interests of the state, or for the prevention or prosecution of criminal offences;
The processing of data is done pursuant to Decision of the Commissioner No. 4 “On the Determination of the Cases
Exempted from the Notification Obligation of the Personal Data which are Processed”, dated 27 December 2012.
DATA PROTECTION OFFICERS
In compliance with the responsibility to issue instructions on measures to be undertaken for the activity of specific sectors, the
Commissioner has issued two instructions:
Instruction No. 22 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Small
Processing Entities”, dated 24 September 2012, as amended.
Small processing entities shall mean the controllers or processors that process personal data by way of electronic or manual
means, by fewer than six processing persons, either directly or through processors.
Instruction No. 47 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Large
Processing Entities”, dated 14 September 2018.
Large processing entities shall mean the controllers or processors that process personal data by way of electronic or manual
means, by six or more processing persons, either directly or through processors.
Personal data processing entities are responsible for the internal supervision of the protection of the processed personal data.
Each entity that is subject to Instruction No. 47, dated 14 September 2018 (i.e., large processing entities), shall authorize in
writing at least one Data Protection Officer (“DPO”) (Albanian terminology: Contact Person) who shall be charged to carry out the
internal supervision. Small processors contracted by large processors are also advised to appoint a DPO.
Instruction no. 47, dated 14 September 2018 determines the criteria that a person must fulfil in order to be appointed as a DPO,
as well as the duties and responsibilities of a DPO, which include, among others:
the internal supervision of the fulfilment of the obligations for the protection of personal data by the personal data
processing entity;
the implementation of technical, organizational and staff related measures;
the necessary cooperation with the Commissioner;
etc.
COLLECTION & PROCESSING
Data Protection Law states that fair and lawful processing is one of the core principles for the protection of personal data.
Personal data shall be collected and/or processed for specific, clearly defined and legitimate purposes.
Personal data protection is based on data adequacy, data which are relevant to the purpose of their processing and not excessive
in relation to such purpose, as well as data accuracy, data which are updated and complete.
Additionally, the data are to be kept in a form that allows the identification of data subjects for no longer than it is necessary for
the purpose for which they were collected or further processed.
Data Protection Law provides for the legal criteria for personal data processing, sensitive data processing and special processing of
data.
Personal data may be processed only:
with the consent of the personal data subject;
if necessary, for the performance of a contract to which the data subject is a party or in order to negotiate or amend a
draft/contract at the request of the data subject;
to protect the vital interests of the data subject;
to comply with a legal obligation of the controller;
for the performance of a legal task of public interest or in exercise of powers of the controller or of a third party to
whom the data are disclosed;
if the processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any
other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the
data subject’s right to protection of personal life and privacy.
The processing of personal data in the field of national security, criminal law and crime prevention, shall be performed by official
authorities as stipulated in the law.
The controller or processor that processes personal data for the purpose of offering business opportunities or services may use
personal data obtained from a public data list. The controller or processor cannot process these data further if the data subject
has expressed his disagreement or has objected to their further processing.
It should be noted that additional personal data cannot be added to the data obtained from the public data list without the consent
of the data subject. However, the controller is allowed to keep these personal data in its filing system even after the data subject
has objected to the processing. Such data can be used only if the data subject gives his consent.
Collection of personal data which is related to a data subject solely for reasons of direct marketing is allowed only if the data
subject has given his explicit consent.
Sensitive data may be processed only if:
the data subject has given his consent, which may be revoked at any given moment making any further processing of data
illegal;
it is in the vital interest of the data subject or another person and the data subject is physically or mentally incapable of
giving his consent;
it is authorized by the responsible authority for an important public interest, under adequate safeguards;
it is related to data which are widely made known by the data subject or it is necessary, for exercising/protecting a legal
right;
the data are processed for historic, scientific or statistical purposes, under adequate safeguards;
the data are required for the purposes of preventive medicine, medical diagnosis, the provision of health care, treatment
or management of health care services and the data are used by the medical personnel or other persons with the
obligation to preserve confidentiality;
the data are processed by non-profit political, philosophical or religious organizations and trade unions for purposes of
their legitimate activity, only for members, sponsors, or other persons related to their activity. These data shall not be
disclosed to a third party without the consent of the data subject unless otherwise stipulated by law.
the data processing is necessary for the purpose of fulfilling the legal obligations and specific rights of the controller in the
field of employment in compliance with the Labour Code.
Special processing of data:
Processing for historical, scientific and statistical purposes:
Personal data collected for any purpose, may be further processed for historic, scientific or statistical purposes, provided that the
data is not processed in order to take measures or decisions related to an individual.
The transmission of sensitive data for scientific research shall take place only in case of an important public interest. Personal data
shall be used exclusively by individuals who are bound by the obligation of confidentiality. When data processing is made in a
manner that allows the identification of the data subject, the data should be encrypted immediately in order for the subjects to be
no longer identifiable. Encrypted personal data shall be used exclusively by individuals bound by the obligation of confidentiality.
Processing of personal data and freedom of expression:
The Commissioner has issued an Instruction No. 31, dated 27 December 2012 “On the Determination of the Conditions and
Criteria for the Exemption from the relevant Obligations in Personal Data Processing for Journalism, Literature or Artistic
Purposes”. The exemptions for these purposes shall be allowed up to the extent that they reconcile the right of personal data
protection with the rules governing the right to freedom of expression.
TRANSFER
The international transfer of personal data may be carried out with recipients from states which have an adequate level of personal
data protection. The level of personal data protection for a state is established by assessing all circumstances related to the nature,
purpose and duration of the processing, the country of origin and final destination, as well as the legal provisions and security
standards in force in the recipient state.
Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016 the following states have an adequate level of data
protection:
European Union member states;
European Economic Area states;
Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic
Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory
authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints,
investigating and ensuring the transparency of personal data processing;
States where personal data may be transferred, pursuant to a decision of the European Commission.
International transfer of personal data with a state that does not have an adequate level of personal data protection may be done
if:
it is authorized by international acts ratified by the Republic of Albania that are directly applicable;
the data subject has given his consent for the international transfer;
the transfer is necessary for the performance of a contract between the data subject and the controller or for the
implementation of pre-contractual measures taken in addressing a request of the data subject, or the transfer is necessary
for the conclusion or performance of a contract between the controller and a third party, in the interest of the data
subject;
it is a legal obligation of the controller;
it is necessary for protecting vital interests of the data subject;
it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal
right;
it is done from a register that is open for consultation and provides information to the general public.
Pursuant to the Data Protection Law, the Commissioner issues instructions in order to allow certain categories of personal data
to be transferred to a state that does not have an adequate level of personal data protection. In these cases, the controller is
exempted from the authorization request. Accordingly, the Commissioner has issued the Instruction No. 41, dated 13 June 2014
“On Allowing some Categories of International Transfers of Personal Data in a Country that does not have an Adequate Level of
Personal Data Protection”.
Controllers wishing to transfer personal data to other countries lacking adequate personal data protection, may fill in an
application form “For the Approval of the Transfer of Personal Data to a State that does not have an Adequate Level of Data Protection,
through the Authorization of the Commissioner”.
In 2014, the Commissioner has also issued a Manual on the International Transfer of Personal Data which provides guidelines to
the international transfer of personal data.
The exchange of personal data with the diplomatic representations of foreign governments or international institutions in the
Republic of Albania shall be considered an international transfer of data.
SECURITY
Data Protection Law introduces the obligation of the data controller or processor to undertake appropriate organizational and
technical measures to protect personal data from unlawful or accidental destruction, accidental loss, or from being accessed or
disclosed by unauthorized persons, as well as from any kind of unlawful processing.
The controller is under the obligation to document the measures it has undertaken to ensure protection of personal data, in
compliance with the law and other legal regulations.
The data controller undertakes the following special security measures:
defines the functions among the organizational units and the operators for the use of data;
the use of data shall be done by order of authorized organizational units or operators;
instructs all operators on their obligations arising from the data protection legal framework;
prohibits access of unauthorized persons to the working facilities of the data controller or processor;
data and programs shall be accessed only by authorized persons;
prohibits access to and use of the filing system by unauthorized persons;
data processing equipment shall be operated only with an authorization and every device shall be secured with preventive
measures against unauthorized operation;
records and documents data alteration, rectification, erasure, transfer etc.
The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established the
detailed rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed
Rules for the Security of Personal Data”.
The recorded data may only be used in accordance with their collection purpose, unless they are used to guarantee national
security, public security, for the prevention or investigation of a criminal offence, or prosecution of the author thereof, or of any
infringement of ethics of the regulated professions.
The data documentation shall be kept for as long as it is necessary for their collection purpose.
The obligation of confidentiality and integrity of the controllers, processors and any other persons that come to know the content
of the processed data while exercising their duty shall survive the termination of their functions. The processed data shall not be
disclosed unless provided otherwise by law. Anyone acting under the authority of the controller or the processor shall not
process the personal data to which they have access, without the authorization of the controller, unless obliged by law.
BREACH NOTIFICATION
Data Protection Law does not provide for a general obligation of the data controller or data processor to notify the
Commissioner in case of personal data breach.
However, pursuant to Instruction No. 47, dated 14 September 2018 “On the Determination of Rules for Maintaining the Security
of Personal Data Processed by Large Processing Entities”, which, as mentioned above applies only to large data processing entities,
the DPO shall promptly notify the large data processing entity in writing of any risk of violation of the data subjects’ rights,
including in case of the violation of personal data protection legislation.
In the event that, following the notification of the DPO, the large data processing entity fails to take appropriate measures to
address the problem in a timely manner, the DPO notifies the Commissioner without delay. Therefore, in case of a breach of data
handled by a large data processing entity, resulting from the violation of the data subjects’ rights or from the violation of
personal data protection legislation, which has not been addressed effectively, the DPO has the obligation to notify the
Commissioner.
It should also be noted, that pursuant to an opinion of the Commissioner on the protection of personal data on the websites of
public and private controllers, data subjects have the right to be notified by the data controller if their personal data have been
compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected). To the best of our
understanding the opinion expressed by the Commissioner in this opinion, merely serves as a guideline and has not a binding
effect.
On the other hand, Law No. 9918, dated 19 May 2008 “On Electronic Communications in the Republic of Albania”, as amended (the
“Electronic Communications Law”) (Official Gazette of the Republic of Albania No. 84, dated 10 June 2008), provides for
another breach notification procedure.
The Electronic Communications Law defines personal data breach as any breach of security leading to the destruction, loss, alteration or
unauthorized distribution, accidental or unlawful, or access to personal data transmitted, stored or processed, in connection with the provision
of an electronic communications service available to the public.
Pursuant to article 122 of the Electronic Communications Law, entrepreneurs of public electronic communications networks and
services are under the obligation to, individually or when necessary in cooperation with each other, implement technical and
organizational measures to ensure the security of the networks and/or services provided by them.
These measures are meant to ensure an adequate level of protection and security of personal data against potential, foreseeable
risks. With respect to the personal data of the users, entrepreneurs of public electronic communications networks and services
are under the obligation to inform their users about any specific risk, how the risk can be reduced by the users, as well as the
possible costs to be borne by the user where the risk lies beyond the measures that the entrepreneur can take.
In addition, in case of a personal data breach, the entrepreneur who provides electronic communications services available to the
public promptly notifies the Authority of Electronic and Postal Communications (“AEPC”). When the breach of personal data
may adversely affect the personal data and privacy of the subscriber or individual, the entrepreneur shall also promptly notify the
said subscriber or individual.
However, if the entrepreneur has proved to the AEPC that it has implemented the necessary technological protection measures
and these measures have been applied to the relevant data, then the entrepreneur is not required to notify the subscriber or the
individual of the violation of personal data. These technological safeguards ensure that the personal data become illegible to any
person who does not have authorized access to the data.
ENFORCEMENT
The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner
has the right to:
conduct administrative investigations, have access to personal data processing and collect all the necessary information in
order to fulfil his supervisory obligations;
order the blocking, erasure, destruction or suspension of the unlawful processing of personal data;
give instructions prior to the processing of data and ensure their publication.
In cases of recurring or intentional serious infringement of the Data Protection Law by a controller or processor, the
Commissioner acts in compliance with article 39 of Data Protection Law and reports the case publicly or reports it to the
Parliament and the Council of Ministers.
Article 39 (1) of Data Protection Law specifies that data processing in violation of the Data Protection Law constitutes
administrative offences and may be subject to administrative fines which vary from 10,000 ALL (approx. 83 EUR) to 1,000,000 ALL
(approx. 8300 EUR), with legal persons being subject to double the amount specified herein.
Data Protection Law also states that the fine is doubled when the following provisions are breached:
When the data subject has filed a complaint, the controller shall have no right to make any changes to the personal data
until a final decision is reached.
The Commissioner is responsible for authorizing, in special cases, the use of personal data for purposes not designated
during the phase of their collection in compliance with the principles of the Data Protection Law.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the
administrative trials.
Fines shall be paid no later than 30 days from their issuing. When the deadline expires, the decision becomes an executive title and
is executed in a mandatory manner by the bailiff’s office, upon request of the Commissioner. Fines are paid into the state budget.
In case the offence constitutes a crime, the Commissioner files the relevant criminal charges with the competent law enforcement
authorities.
ELECTRONIC MARKETING
Data Protection Law provides that the collection of personal data related to a data subject, solely for reasons of direct marketing
is allowed only if the data subject has given his explicit consent.
Data Protection Law defines direct marketing as the communication of the promotional material, by every means and way, using personal
data of legal or natural persons, agencies or other entities with or without interference.
Moreover, the data subject has the right to demand the controller not to start processing, or in case the processing has started, to
stop processing personal data related to him for the purposes of direct marketing and to be informed in advance before personal
data are disclosed for the first time for such purpose.
The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes,
advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by
the data subject.
In addition, pursuant to article 124 of the Electronic Communications Law, electronic communications service providers may
process traffic data for marketing purposes only after prior approval by the subscriber. Subscribers should be informed of the
type of traffic data being processed before giving approval for their processing. Subscribers and users have the right to withdraw
the approval they have given at any time.
ONLINE PRIVACY
The Data Protection Law does not provide for regulatory measures targeting cookies. Accordingly, the general data protection
rules, as provided for by the Data Protection Law apply to online privacy as well.
Although there are no specific regulatory measures under the data protection regulatory framework, the Commissioner has tried
to provide some clarifications on the notion of cookies and on their use, albeit in a minimalist way.
The Commissioner has defined cookies in an online dictionary as some data stored on the computer, which contain specific
information. This rudimentary definition is further complemented by a short explanation which states that cookies allow any server
to know what pages have been visited recently, just by reading them.
In addition, the Commissioner has issued an opinion (which is slightly dated and as mentioned above does not have a binding effect
on the data controllers) on the protection of personal data on the websites of public and private controllers. In this opinion the
Commissioner reminds the data controllers on their obligations per the Data Protection Law and on the rights of data subjects,
which apply to online personal data collection:
The right to be fully informed and to give their approval if a website (or an application) processes their data;
The right to keep their online communications secret (including email, the computer’s IP or modem No.);
The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is
likely to be negatively affected);
The right to request that their personal data be excluded from data processing for direct marketing if they have not
given their consent.
Furthermore, in this opinion the Commissioner emphasizes the importance for data controllers to adopt privacy policies, which
should include, inter alia:
The identity of the controller;
The information collected from the users, specifying the category of personal data;
Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users
that use the website and to notify the latter about their use.
In addition to the above, it should be noted that the Electronic Communications Law (articles 124-126) introduces rules on the
processing of location data.
Under these rules, electronic communication providers may process traffic data only as long as such data is necessary for the
purpose of the transmission of the communication and thereafter must delete such data or render them
anonymous.
Electronic communications service providers must provide in the contract entered into with the user details on the storage, the
duration and the manner of processing of the traffic data. The Electronic Communication Law provides that these traffic data can
be processed only by the relevant persons which are authorized by the electronic communications service providers, namely
those who are responsible for billing or traffic management, customer service, marketing, fraud detection, or the provision of
added value services, provided that the processing of traffic data should be limited only to the scope of their respective activity.
In addition, the Electronic Communications Law provides that the processing of location data can be carried out for the duration of
value added services and only if the data is rendered anonymous or if the user has granted their prior consent, which consent may
be revoked at any time.
Prior to obtaining the consent of the users, the electronic communications service providers must provide information on:
the type of location data to be processed;
the purposes and duration of processing;
the possibility that the location data be shared with third parties, for value-added service purposes.
The location data can be processed only by the relevant persons which are authorized by the electronic communications service
providers, namely those who are responsible for the provision of the service or by third parties which are responsible for the
provision of added value services, provided that the processing of traffic data should be limited only to the scope of their
respective activity.
KEY CONTACTS
Tashko Pustina
tashkopustina.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.
Flonia Tashko
Partner
T +35542389190
flonia.tashko@tashkopustina.com
Alban Shanaj
Senior Associate
T +35542389190
alban.shanaj@tashkopustina.com
ALGERIA
Last modified 22 December 2021
LAW
Law No. 18-07 of 10 June 2018 on protection of natural persons in personal data processing (“Law No. 18-07”).
DEFINITIONS
Definition of Personal Data
Any information, regardless of the medium, relating to an identified or identifiable person, hereinafter referred to as “data subject”,
directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her
physical, physiological, genetic, biometric, mental, economic, cultural or social identity.
Definition of Sensitive Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of
the data subject or relating to health, including genetic data.
NATIONAL DATA PROTECTION AUTHORITY
An independent administrative authority for the protection of personal data, known as the “national authority”, is hereby
established, with its headquarters in Algiers.
The national authority is responsible for ensuring that the processing of personal data is carried out in accordance with the
provisions of the law and for ensuring that the use of information and communication technologies does not pose a threat to the
rights of individuals, public freedoms and privacy.
However, although Law No. 18-07 provides for the existence of a national authority, it has not yet been set up.
REGISTRATION
Any processing of personal data is subject to prior declaration to or authorisation by the national authority.
The prior declaration, which includes an undertaking that the processing will be carried out in accordance with Law No. 18-07, is
filed with the national authority. It may be made by electronic means.
However, as the national authority has not yet been set up, this procedure is not yet applicable.
DATA PROTECTION OFFICERS
The data controller shall implement appropriate technical and organisational measures to protect personal data against accidental
or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing
involves the transmission of data over a network, and against all other unlawful forms of processing.
COLLECTION & PROCESSING
Personal data may only be processed with the express consent of the data subject. The data subject may withdraw
his/her consent at any time.
However, in some cases, consent is not required if the processing is necessary.
The person concerned by the collection of their data has a right to information, a right of access, a right of rectification and a right
to object to their data being collected.
TRANSFER
The data controller may only transfer personal data to a foreign State with the authorisation of the national authority in
accordance with Law No. 18-07 and if that State ensures an adequate level of protection of the privacy and fundamental rights and
freedoms of individuals with regard to the processing of such data.
In any case, it is forbidden to communicate or transfer personal data to a foreign country, when such transfer is likely to affect
public security or the vital interests of the State.
However, as the national authority has not yet been established, the consent of the data subject is required.
SECURITY
The controller must put in place measures to ensure the integrity and protection of the data.
These measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to
be protected.
If the processing is carried out on behalf of the controller, the controller must choose a processor providing sufficient guarantees
in respect of the technical and organisational security measures relating to the processing to be carried out and must ensure
compliance with those measures.
Transfer of data abroad
The foreign State must ensure an adequate level of protection of the privacy and fundamental rights and freedoms of individuals
with regard to data processing.
The adequacy of the level of protection provided by a State is assessed in particular by the security measures applicable there.
BREACH NOTIFICATION
Administrative measures
In case of violations of the provisions of Law No. 18-07 by the controller, administrative measures are taken by the national
authority:
warning;
formal notice;
provisional withdrawal for a period not exceeding one year, or definitive withdrawal of the declaration receipt or
authorisation;
a fine.
The national authority may also impose fines on the controller which:
refuses, without legitimate reason, the rights of information, access, rectification or opposition;
fails to make the required notifications to the national authority.
Criminal sanctions
Violation of the provisions of Law No. 18-07 is punishable by imprisonment and/or a fine.
However, as the national authority has not yet been established, the related sanctions are not applicable.
Mandatory breach notification
Where the processing of personal data over electronic communication networks results in the destruction, loss, alteration,
disclosure or unauthorised access of such data, the service provider must notify the national authority and the data subject
without delay where such a breach may affect the privacy of the data subject.
Failure by a service provider to notify the national authority or the data subject of a personal data breach is punishable by
imprisonment and a fine.
ENFORCEMENT
The application of the sanctions listed under the above headings is relatively limited, as the national authority is not yet
established.
However, offences committed by the data controller may be subject to criminal prosecution (without the need for action by the
national authority).
ELECTRONIC MARKETING
Law No. 18-05 of 10 May 2018 on electronic commerce provides that the e-provider who collects personal data and builds up
customer and prospect files must only collect the data necessary to conclude commercial transactions. It must:
collect the consent of e-consumers prior to the collection of data;
guarantee the security of information systems and the confidentiality of data;
comply with the relevant legislative and regulatory provisions.
ONLINE PRIVACY
Not applicable.
KEY CONTACTS
L& P Partners
Benaouda Miloudi
Associate
T +213 (7) 93 99 92 34
bmiloudi@dz-lpp.com
ANGOLA
Last modified 30 December 2021
LAW
Angola regulates data privacy and protection issues under the Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic
Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) and the Protection of Information Systems
and Networks Law (Law no. 7/17, 16 February 2017).
DEFINITIONS
Definition of personal data
The Data Protection Law defines personal data as any given information, regardless of its nature, including images and sounds
related to a specific or identifiable individual.
An identifiable person is an individual who can be identified, directly or indirectly, notably by reference to his or her
identification number or to the combination of specific elements of his or her physical, physiological, mental, economic, cultural
or social identity.
Definition of sensitive personal data
The Data Protection Law defines sensitive personal data as personal data related to:
Philosophical or political beliefs
Political affiliations or trade union membership
Religion
Private life
Racial or ethnic origin
Health or sex life (including genetic data)
NATIONAL DATA PROTECTION AUTHORITY
The Data Protection Law establishes the Agência de Proteção de Dados (APD) as Angola’s data protection authority. APD’s Organic
Statute was established by Presidential Decree 214/2016 of October 10, and its board currently in office was nominated by
Presidential Decree 277/2019 of September 6.
REGISTRATION
As provided by Law, entities shall provide prior notice to, or obtain prior authorization from, APD (depending on the type of
personal data and purpose of processing) to process personal data. Please note that in the case of authorization, compliance with
specific legal conditions is mandatory. APD has authority to exempt certain processing from notification requirements.
Generally, notification and authorization requests should include the following:
The name and address of the controller and of its representative (if applicable)
The purposes of the processing
A description of the data subject categories and the personal data related to those categories
The recipients, or the categories of recipient, to whom the personal data may be communicated, and the respective
conditions
Details of any third party entities responsible for the processing
The possible combinations of personal data
The duration of personal data retention
The process and conditions for data subjects to exercise their rights
Any predicted transfers of personal data to third countries
A general description of the security measures adopted (to allow APD to assess whether those measures are suitable to protect
personal data in its processing)
DATA PROTECTION OFFICERS
There is no requirement to appoint a data protection officer.
COLLECTION & PROCESSING
Generally, entities must obtain prior express consent from data subjects and provide prior notice to the APD to lawfully collect
and process personal data. However, data subject consent is not required in certain circumstances provided by law.
To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior
authorization from APD (please note that the authorization may only be granted in specific cases provided by law). If sensitive
personal data processing results from a legal provision, APD must be provided with notice.
All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness and respect
to private life as well as to legal and constitutional guarantees.
It is also mandatory that data processing is limited to the purpose for which the data is collected and that personal data is not held
for longer than is necessary for that purpose.
There are specific rules applicable to the processing of personal data related to the following:
Sensitive data on health and sexual life
Illicit activities, crimes and administrative offenses
Solvency and credit data
Video surveillance and other electronic means of control
Advertising by email
Advertising by electronic means (direct marketing)
Call recording
Specific rules for the processing of personal data within the public sector also apply.
TRANSFER
International transfers of personal data to countries with an adequate level of protection require prior notification to the APD. An
adequate level of protection is understood as a level of protection equal to the Angolan Data Protection Law. APD decides which
countries ensure an adequate level of protection by issuing an opinion to this respect.
International transfers of personal data to countries that do not ensure an adequate level of protection are subject to prior
authorization from the APD, which will only be granted if specific requirements are met. For transfers between companies in the
same group, the requirement of an adequate level of protection may be reached through the adoption of harmonized and
mandatory internal rules on data protection and privacy.
Please note that the communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific
legal conditions and requirements.
SECURITY
Data controllers must implement appropriate technical and organizational measures and adopt adequate security levels to protect
personal data from accidental or unlawful total or partial destruction, accidental loss, total or partial alteration, unauthorized
disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other
unlawful forms of processing.
Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to
be protected, relative to the entity’s facilities and implementation costs. Specific security measures shall be adopted regarding
certain types of personal data and purposes (notably, sensitive data, call recording and video surveillance).
Under the Protection of Information Systems and Networks Law, service providers, operators and companies offering information
society services must: (i) guarantee the security of any device or set of devices used in the storage, processing, recovery or
transmission of computer data on execution of a computer program and (ii) promote the registration of users as well as the
implementation of technical measures in order to anticipate, detect and respond to risk situations. The Law requires an accident
and incident management plan in case of a computer emergency.
BREACH NOTIFICATION
There is no mandatory breach notification requirement under the Data Protection Law.
However, pursuant to the Electronic Communications and Information Society Services Law, companies offering electronic
communications services accessible to the public shall, without undue delay, notify the APD and the Electronic Communications
Authority, Instituto Angolano das Comunicações (INACOM), of any breach of security committed with intent or that recklessly leads
to destruction, loss, partial or total modification or non-authorized access to personal data transmitted, stored, retained or in any
way processed under the offer of electronic communications services.
Companies offering electronic communications services accessible to the public shall also keep an accurate register of data
breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the
breach.
The same applies under the Protection of Information Systems and Networks Law.
ENFORCEMENT
Data protection
As mentioned above, the competent authority for the enforcement of Data Protection Law is the APD. However, considering that
the APD was recently created, the level of enforcement is not significant at this stage.
Electronic communications
INACOM regulates and monitors compliance with the Electronic Communications and Information Society Services Law, and
issues penalties for its violation. Presently, INACOM’s level of enforcement is not yet significant.
ELECTRONIC MARKETING
The dissemination of electronic communications for advertising purposes is generally subject to the prior express consent of its
recipient (opt-in) and to prior notification to APD.
Entities may process personal data for electronic marketing purposes without data subject consent in specific circumstances,
notably:
When advertising is addressed to the data subject as a representative employee of a corporate person, and
When advertising communications are sent to an individual with whom the product or service supplier has already
concluded a transaction, provided an opportunity to refuse consent was expressly provided to the customer at the time
of the transaction at no additional cost.
ONLINE PRIVACY
The Electronic Communications and Information Society Services Law establishes the right of all citizens to enjoy protection
against abuse or violations of their rights through the Internet or other electronic means, such as:
The right to confidentiality of communications and to privacy and non-disclosure of their data
The right to security of their information by improvement of quality, reliability and integrity of the information systems
The right to security on the Internet, specifically for minors
The right not to receive spam
The right to the protection and safeguarding of their rights as consumers and as users of networks or electronic
communications services
In view of the above, entities are generally prohibited from storing any kind of personal data without prior consent of the user.
This does not prevent technical storage or access for the sole purpose of carrying out the transmission of a communication over
an e-communication network or if strictly necessary in order for the provider of an information society service to provide a
service expressly requested by the subscriber or user.
Traffic data
The processing of traffic data is allowed when required for billing and payment purposes, but processing is only permitted until the
end of the period during which the bill may lawfully be challenged or payment pursued. Traffic data must be eliminated or made
anonymous when no longer needed for the transmission of the communication.
The storage of specific information and access to that information is only allowed on the condition that the subscriber or user has
provided his or her prior consent. The consent must be based on accurate, clear and comprehensive information, namely about
the type of data processed, the purposes and duration of the processing and the availability of data to third parties in order to
provide value added services.
Electronic communications operators may store traffic data only to the extent required and for the time necessary to market
electronic communications services or provide value added services. Prior express consent is required and such consent may be
withdrawn at any time.
Processing should be limited to those employees in charge of:
Billing or traffic management
Customer inquiries
Fraud detection
Marketing of electronic communications services accessible to the public
The provision of value added services
Notwithstanding the above, electronic communication operators should keep in an autonomous file all traffic and localization data
exclusively for the purpose of:
Investigation
Detection, or
Prosecution of criminal offenses on Information and Communication Technologies (ICT)
Location data
Location data processing is only allowed if the data is made anonymous or to the extent and for the duration necessary for the
provision of value added services, provided prior express consent is obtained. In this case, prior complete and accurate
information must be provided on the type of data being processed, as well as the purposes and duration of processing and any
possibility of disclosure to third parties for the provision of value added services.
Electronic communication operators must ensure that data subjects have the opportunity to withdraw consent, or temporarily
refuse the processing of such data for each connection to the network or for each transmission of a communication, at any time.
The withdrawal mechanism must be provided through simple means, free of charge to the user. Processing should be limited to
those employees in charge of electronic communications services accessible to the public.
KEY CONTACTS
ACDA
Joni Garcia
Associate
ACDA
T +244 926 61 25 25
j.garcia@adca-angola.com
Murillo Costa Sanches
Of Counsel
ACDA
T +244 926 61 25 25
m.sanches@adca-angola.com
ARGENTINA
Last modified 24 January 2022
LAW
Article 43 of the Federal Constitution, third paragraph, provides, in relevant part, that any person may file an action to have access
to personal data about such person and to information about the purpose with which they are kept, included in public data
registries or banks, or in private data registries or banks, and to request the suppression, correction, confidentiality or updating of
the data where inaccurate or discriminatory.
These provisions do not create an express constitutional right to privacy or data protection, but do create the basic framework
for the protection of such right, as well as the foundation for the legislation, subsequently enacted, which regulates the details of
that protection.
Law 25,326 – the Personal Data Protection Law (PDPL) includes the basic personal data rules. It follows international standards,
and has been considered as granting adequate protection by the European Commission. Decree 1558 of 2001 includes regulations
issued under the PDPL. Further regulations have been issued by the relevant agencies.
DEFINITIONS
Definition of personal data
Personal data is defined as information of any kind referring to individuals or legal entities that are identified or
identifiable.
Definition of sensitive personal data
Sensitive data includes personal data which reveal racial or ethnic origin, political opinions, religious, philosophical or moral
convictions, trade union affiliation and information related to health and sexual activities.
NATIONAL DATA PROTECTION AUTHORITY
Pursuant to Decree 746 of 2017, it is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública).
REGISTRATION
All archives, registries, databases and data banks, whether public or private, having the purpose of supplying information, must be
registered with the Registry organized by the national data protection authority. This registration requires the following
information, to be provided to the registry:
The name and domicile of the person responsible for the archive, registry, database or data bank
The characteristics and purpose of the archive, registry, database or data bank
The nature of the personal data included or to be included in the archive, registry, database or data bank
The way in which data are collected and updated
The destination of the data and the identity of the individuals or legal entities to whom such data may be transferred
The way in which the recorded information is interrelated
The means to assure the security of the data, indicating the category of persons with access to the processing of data
The term during which the data will be preserved
The way and conditions pursuant to which interested persons may have access to the data referring to such persons, and
the procedures to be followed to rectify and update the registered data
DATA PROTECTION OFFICERS
Generally, there is no specific requirement to appoint a data protection officer. Under certain circumstances, in which special
security standards apply, it may be necessary to appoint an officer in charge of data security.
COLLECTION & PROCESSING
Personal data collected for purposes of processing must be truthful, adequate, relevant and not excessive in relation to the
scope and purpose for which they were obtained. The gathering of data shall not take place by unfair or fraudulent means or in an
otherwise illegal manner.
Personal data may not be used for purposes different from or incompatible with those for which the personal data was initially
collected. Personal data must be accurate and properly updated when necessary. Totally or partially inaccurate personal data, or
those that are incomplete, shall be suppressed and substituted, or completed where relevant, by the person responsible for the
archive or database, whenever such person becomes aware of the inaccurate or incomplete character of the information.
Consent from the data subject is required, which must be free, express and informed consent and in writing or in another
equivalent form, unless:
The personal data were obtained from sources open to unrestricted public access
The personal data were obtained as part of the performance of state duties or in compliance with a legal obligation
The personal data consists of lists whose data are limited to the name, national identity document number, tax or social
security identification, occupation, date of birth and domicile
The personal data are derived from a contractual, scientific or professional relationship and are necessary for such
relationship
The personal data result from operations conducted by financial entities with their clients or consist in the information
such financial entities receive from their clients pursuant to the Financial Entities Law
When the authorization for the collection and processing of data is requested, the data subject must be informed about the
purpose for which the data will be processed, as well as about the individuals or groups of individuals who will have access to the
processed information. In addition, the archive, registry or data bank where the information will be kept must be identified,
together with the person responsible for it. The data subject must be informed about the voluntary or compulsory nature of the
answers requested from him or her, as well as about the consequences of providing the personal data or of refusing to give such
information or of providing untruthful information. The data subject must also be informed about the right to access, rectify and
suppress the relevant data.
Special rules apply to sensitive data. No person may be required to disclose sensitive data. Sensitive data may only be collected
and processed where necessary, and with consent, as expressly permitted by law, or for statistical or scientific purposes provided
the person they refer to may not be identified.
Data related to criminal records may only be processed by the relevant public authorities.
TRANSFER
Transfers and disclosures to third parties
Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior
consent of the data subject who must be informed of the transfer’s purpose and of the transferee’s identity. This consent may be
rescinded.
Consent is not required in the case of transfer of data regarding which consent was not necessary for collection. Also, it is not
necessary in the case of transfer of data between state agencies, for purposes of performance of their respective activities, or in
connection with health-related data, if the transfer is necessary for public health or emergency reasons, or for the performance of
epidemiological studies, provided the identity of the persons to whom such data refer is reserved by means of an adequate
dissociation mechanism. In addition, consent is not necessary, for personal data generally, if an adequate dissociation mechanism is
used in a way such that the data subjects are not identifiable.
Cross-border transfers
The cross-border transfer of personal data is prohibited to countries or international or supranational organizations which do not
provide adequate protection to such data, unless:
The data subject expressly consents to that transfer
The transfer is necessary for international judicial cooperation
The transfer takes place as part of certain exchanges of medical data
The transfer is a bank or stock exchange transfer, in the context of banking or stock exchange transactions
The transfer takes place as provided in the context of international treaties to which Argentina is a party
The transfer has as its purpose the international cooperation between intelligence agencies engaged in combating
organized crime, terrorism and drug traffic
SECURITY
The person responsible for a data archive, or using such archive, must adopt the technical and organizational measures to assure
the security and confidentiality of personal data, so as to avoid their adulteration, loss, consultation or non-authorized processing,
and to detect the misuse of information. The recording of personal data in archives, registries or data banks that do not comply
with the legal requirements on integrity and security is prohibited.
BREACH NOTIFICATION
Not specifically required under data protection law.
Failure to notify a data security breach is not in itself a violation of the data protection regime, but may bear on the effects of
security violation, especially if lack of such notification results in other security breaches or damages. The person responsible for
the data must keep records on security breaches, and these records may be requested by the data protection authority.
Breach notification may be mandatory if the data protection authority specifically requests information about data breaches.
ENFORCEMENT
There are several enforcement mechanisms:
The data protection authority may enforce the legal provisions and regulations on data protection, imposing fines in case
of violation.
Violation of data protection rules may constitute a crime subject to prison terms imposed by criminal courts.
Court actions may be brought to have access to personal data and to request their correction, suppression, confidentiality
or updating.
ELECTRONIC MARKETING
Electronic marketing, to the extent that it may involve processing of personal data, is subject to the general rules applicable to
such data, such as valid data subject consent, adequate privacy notices as to use and disclosure of personal data and data subject
rights.
ONLINE PRIVACY
Although there are no detailed regulations on online privacy, the general rules on privacy provided by the Civil and Commercial
Code are applicable in this context. Nuisances from unrequested communications may be actionable. Unauthorized collection of
personal data will be subject to the general rules applicable to such data.
KEY CONTACTS
Guillermo Cabanellas
Senior Partner
T +5411 41145500
g.cabanellas@dlapiper.ar
ARMENIA
Last modified 21 December 2021
LAW
Personal Data Protection Law of 18.05.2015, number ՀՕ-49-Ն.
DEFINITIONS
Definition of Personal Data
Personal Data is defined as any information related to an individual that allows or may allow directly or indirectly identifying a person.
Definition of Sensitive Personal Data
Special category personal data is defined as any information related to a person’s
race
nationality or ethnicity
political views
religious or philosophical beliefs
membership in a professional union
health status, and
sexual life.
NATIONAL DATA PROTECTION AUTHORITY
Personal Data Protection Agency of the Ministry of Justice of the Republic of Armenia.
REGISTRATION
Registration is voluntary unless otherwise specified by the authorised body.
DATA PROTECTION OFFICERS
No requirement to appoint a data protection officer.
COLLECTION & PROCESSING
By and large, entities must obtain prior express consent from data subjects to lawfully collect and process personal
data. Consent is not necessary in the cases directly provided by the legislation or if the data is being collected from
public sources.
The data subject may give his or her consent in person or through a representative, where the power of attorney
specifically provides for such a power.
The data subject’s consent shall be considered to be given and the processor shall have the right to process, where:
personal data are indicated in a document addressed to the processor and signed by the data subject, except for
the cases when the document, by its content, is an objection against processing of personal data;
the processor has obtained data on the basis of an agreement concluded with the data subject and uses it for the
purposes of operations prescribed by that agreement;
the data subject, voluntarily, for use purposes, verbally transfers information on his or her personal data to the
processor.
Personal data may be processed without the data subject’s consent, where the processing of data is directly provided for
by law.
The processor of personal data or the authorised person, for obtaining the data subject’s written consent, shall notify the
data subject of the intention to process the data.
The data subject shall give his or her consent in writing or electronically, validated by electronic digital signature; in case of
an oral consent — by means of such reliable operations which will obviously attest the consent of the data subject to
using the personal data.
Specific regulations apply regarding persons with incapacity or limited capacity and minors under the age of 16.
Specific regulations apply regarding biometric personal data.
TRANSFER
Transfer to third parties shall mean an operation aimed at transferring personal data to a certain scope of persons or to the public
at large, or at making them familiar with such data, including disclosure of personal data through the mass media, posting in
information communication networks or otherwise making personal data available to another person.
The processor may transfer personal data to third parties or grant access to data without the personal data subject’s consent,
where it is provided for by law and has an adequate level of protection.
The processor may transfer special category personal data to third parties or grant access to data without the personal data
subject’s consent, where:
the data processor is considered as a processor of special category personal data prescribed by law or an interstate
agreement, the transfer of such information is directly provided for by law and has an adequate level of protection;
in exceptional cases provided for by law special category personal data may be transferred for protecting life, health or
freedom of the data subject.
Personal data may be transferred to another country with the data subject’s consent or where the transfer of data stems from the
purposes of processing personal data and/or is necessary for the implementation of these purposes.
Personal data may be transferred to another state without the permission of the authorised body, where the given state ensures
an adequate level of protection of personal data.
SECURITY
The processor has an obligation to destruct or block personal data that are not necessary for achieving the legitimate purpose.
In the course of processing personal data the processor shall be obliged to use encryption keys to ensure the protection of
information systems containing personal data against accidental loss, unauthorised access to information system, unlawful use,
recording, destructing, altering, blocking, copying, and disseminating personal data and other interference.
The processor is obliged to prevent the access of appropriate technologies for processing personal data for persons not having a
right thereto and ensure that only data, subject to processing by him or her, are accessed by the lawful user of these systems and
the data which are allowed to be used.
The requirements for ensuring security of processing of personal data in information systems, the requirements for tangible media
https://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
Data Protection Laws of the World Armenia 48 | | | www.dlapiperdataprotection.com
of biometric personal data and technologies for storage of these personal data out of information systems shall be prescribed by
the decision of the government of the Republic of Armenia. In case another body exercising control is prescribed by law, this
body, within the scope of powers reserved to it by law, may prescribe higher requirements other than provided above.
Use and storage of biometric personal data out of information systems may be carried out only through such tangible media,
application of such technologies or forms, which ensure the protection of these data from the unauthorised access thereof,
unlawful use, destruction, alteration, blocking, copying, dissemination of the personal data, etc.
Processors of personal data or other persons provided for by this law shall be obliged to maintain confidentiality both in the
course of performing official or employment duties concerning the processing of personal data and after completing thereof.
BREACH NOTIFICATION
In case unlawful operations performed upon personal data are revealed, the processor shall be obliged to immediately, but not
later than within three working days eliminate the committed violations. In case it is impossible to eliminate the violations, the
processor shall be obliged to immediately destruct personal data.
The processor shall be obliged to inform the data subject or his or her representative on the elimination of violations or the
destruction of personal data within three working days, and where the request is received from the authorised body for the
protection of personal data — also this body.
Mandatory breach notification
In case of outflow of personal data from electronic systems the processor shall be obliged to immediately publish an
announcement thereon, meanwhile reporting on the outflow the Police of the Republic of Armenia and authorised body for the
protection of personal data.
ENFORCEMENT
Authorised body for the protection of personal data is entitled to:
check, on its initiative or on the basis of an appropriate application, the compliance of the processing of personal data with
the requirements of this Law;
apply administrative sanctions prescribed by law in the case of violation of the requirements of this Law;
require blocking, suspending or terminating the processing of personal data violating the requirements of this Law;
require from the processor rectification, modification, blocking or destruction of personal data where grounds provided
for by this Law exist;
prohibit completely or partially the processing of personal data as a result of examination of the notification of the
processor on processing personal data;
keep a register of processors of personal data;
recognise electronic systems for processing of personal data of legal persons as having an adequate level of protection and
include them in the register;
check the devices and documents, including the existing data and computer software used for processing data;
apply to court in cases provided for by law;
exercise other powers prescribed by law;
maintain the confidentiality of personal data entrusted or known to it in the course of its activities;
ensure the protection of rights of the data subject;
consider applications of natural persons regarding the processing of personal data and deliver decisions within the scope
of its powers;
submit, once a year, a public report on the current situation in the field of personal data protection and on the activities of
the previous year;
conduct researches and provide advice on processing data on the basis of applications or coverages of processors or
inform on best practices on processing of personal data;
report to law enforcement bodies where doubts arise with regard to violations of criminal law nature in the course of its
activities.
ELECTRONIC MARKETING
There is no regulation. However, it is advisable to obtain user consent, such as through appropriate disclaimers.
ONLINE PRIVACY
There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate
disclaimers.
KEY CONTACTS
LEGELATA Law Firm
legelata.am/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Arthur Buduryan
Partner
LEGELATA Law Firm
T +37495993696
arthur.buduryan@legelata.am
Artyom Poghosyan
Associate
LEGELATA Law Firm
T +37495992636
artyom.poghosyan@legelata.am
ARUBA
Last modified 21 December 2021
LAW
National Ordinance Person Registration (Landsverordening persoonsregistratie, National Gazette 2011, Consolidated
text no. 37) (“National Ordinance Person Registration”);
General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on
May 25, 2018 – may have implications for a data controller / data processor as the extra-territorial reach of the GDPR is
not only relevant to businesses established in the European Union but also to international businesses established in Aruba
which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.
DEFINITIONS
Definition of Personal Data
National Ordinance Person Registration
According to the Explanatory Memorandum on the National Ordinance Person Registration the term personal data has a broad
meaning. This does not only concern data that can identify a person, but concerns any data that can be associated with a particular
person; it is foreseeable that under certain circumstances data can be traced to one person through systematic comparison and
lengthy investigations. Personal identifiable confidential data is therefore not only limited to home address, email address,
telephone number, membership number and/or identity number.
GDPR
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one
who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
Definition of Sensitive Personal Data
National Ordinance Person Registration
Religion or belief, race, political opinion, sexuality, as well as personal data of a medical, psychological or disciplinary nature, and
personal data concerning the trade union membership.
GDPR
Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic
data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
NATIONAL DATA PROTECTION AUTHORITY
National Ordinance Person Registration
Public prosecutor.
GDPR
An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The
authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of
natural persons in relation to processing and to facilitate the free flow of personal data within the EU.
REGISTRATION
National Ordinance Person Registration
No registration required.
GDPR
Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data
processing activities carried out by the company.
DATA PROTECTION OFFICERS
National Ordinance Person Registration
Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall execute appropriate technical and
organizational measures to secure personal data against loss or violation of the data, and against unauthorized access, change or
transmission thereof.
Besides the measures above, the National Ordinance Person Registration does not contain any clauses on appointing a mandatory
data protection officer.
GDPR
The appointment of a data protection officer under the GDPR is only mandatory in three situations:
When the organisation is a public authority or body;
If the core activities require regular and systematic monitoring of data subjects on a large scale; or
If the core activities involve large scale processing of special categories of personal data and data relating to criminal
convictions.
COLLECTION & PROCESSING
National Ordinance Person Registration
Collection: a natural or legal person, public authority, agency or other body which has control over a person registration.
Processor: a natural or legal person, public authority, agency or other body which has in its possession all or part of the
equipment with which a person registration, of which it is not the holder, is kept.
GDPR
Collection: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain
purposes, like a website that markets to users based on their online behaviour.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the
controller. Processors act on behalf of the relevant controller and under their authority.
TRANSFER
National Ordinance Person Registration
By means of article 9 of the National Ordinance Person Registration, recorded data will only be made available to third parties in
accordance with the purpose of the register and if obligated by law or done with the consent of the registered persons.
GDPR
The GDPR restricts transfers of personal data outside the European Economic Area, or outside the protection of the GDPR, unless
the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of
exceptions applies.
SECURITY
National Ordinance Person Registration
Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall execute appropriate technical
and organizational measures to secure personal data against loss or violation of the data, and against unauthorized access, change
or transmission thereof.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor
shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32
GDPR).
BREACH NOTIFICATION
National Ordinance Person Registration
Contains no specific clauses.
GDPR
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after
having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55
GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
ENFORCEMENT
National Ordinance Person Registration
Pursuant to article 20 of the National Ordinance Person Registration, an individual violating the provisions of the National
Ordinance Person Registration can be punished with a maximum fine of Afl. 10,000 (USD 5,586.59).
GDPR
The GDPR holds a variety of potential penalties for businesses.
For example, article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her
habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data
relating him or her infringes this Regulation.”
Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the
data subject has his or her habitual residence.”
Penalties
Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation,
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage
they’ve suffered.
Fines
Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the
level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur
administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is
greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional
penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only
guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member
State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
ELECTRONIC MARKETING
National Ordinance Person Registration
N/A
GDPR
Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.
Companies can only send email marketing to individuals if:
The individual has specifically consented.
They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.
ONLINE PRIVACY
National Ordinance Person Registration
Contains no specific clauses.
GDPR
Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do
have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.
For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to
identify a person.
If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is
processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from
others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address
etc. are not known.
KEY CONTACTS
HBN Law & Tax
hbnlawtax.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Maarten Willems
Senior Associate
HBN Law & Tax
T +297 588 6060
maarten.willems@hbnlawtax.com
Misha Bemer
Partner
HBN Law & Tax
T +297 588 6060
misha.bemer@hbnlawtax.com
AUSTRALIA
Last modified 23 December 2021
LAW
Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal Privacy Act 1988
(Cth) (Privacy Act) and the Australian Privacy Principles (“APPs”) contained in the Privacy Act apply to private sector entities
(including body corporates, partnerships, trusts and unincorporated associations) with an annual turnover of at least AU$3 million,
and all Commonwealth Government and Australian Capital Territory Government agencies.
The Privacy Act regulates the handling of personal information by relevant entities and under the Privacy Act, the Privacy
Commissioner has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek
civil penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to implement
remedial efforts.
Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation
applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory
government agencies. These Acts include:
Information Privacy Act 2014 (Australian Capital Territory)
Information Act 2002 (Northern Territory)
Privacy and Personal Information Protection Act 1998 (New South Wales)
Information Privacy Act 2009 (Queensland)
Personal Information Protection Act 2004 (Tasmania), and
Privacy and Data Protection Act 2014 (Victoria)
Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the
following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth),
the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002
(NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).
Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in
place. For example, the Australian Prudential and Regulatory Authority (“APRA”), which regulates financial services institutions,
requires regulated entities to comply with Prudential Standards, including Prudential Standard CPS 234 Information Security (CPS
234), and the Australian Securities and Investment Commission regulates corporations more generally.
Other important privacy and data protection laws
Assistance and Access Act
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (“AA Act”) provides law
enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on “Designated
Communications Providers”. However, the AA Act may inadvertently have a much broader remit with limited judicial oversight,
and has been the subject of much criticism from local and global technology firms which have stated the legislation has the
potential to significantly impact security / encryption solutions in Australia.
The AA Act allows various agencies to do any of the following:
Issue a “technical assistance notice”, which requires a communications provider to give assistance that is reasonable,
proportionate, practicable and technically feasible
Issue a “technical capability notice”, which requires a communications provider to build new capabilities to assist the
agency. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be
satisfied that the notice is reasonable, proportionate, practicable and technically feasible
Make “technical assistance requests”, to give foreign and domestic communications providers and device manufacturers a
legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies relating
to issues of national interest, national security and law enforcement
Organizations will need to ensure customer terms and conditions deal carefully with the matter of legal compliance and any
commitments made to customers generally.
Consumer Data Right
The Commonwealth Government is in the implementation phases of the Consumer Data Right (“CDR”) following a number of
policy reviews including the Productivity Commission’s “Data Availability and Use” report and the “Review into Open Banking in
Australia”.
The CDR allows a consumer to obtain certain data held about that consumer by a third party and require data to be given to
accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products
they have on offer, it is intended that consumers’ ability to compare and switch between products and services will be improved,
as well as encouraging competition between service providers, which could lead to better prices for customers and more
innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within
designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers
but also to business consumers and related products.
The CDR rules have been implemented in respect of the banking sector in Australia. The energy sector is the next to be added to
the CDR, with the telecommunications sector currently scheduled to follow. Other sectors across the economy will be added to
the CDR over time.
The CDR regime addresses competition, consumer, privacy and confidentiality issues. As such, it is regulated by the Australian
Competition and Consumer Commission as well as the Office of the Australian Information Commissioner.
DEFINITIONS
Definition of personal data
Personal data (referred to as ‘personal information’ in Australia) means information or an opinion about an identified individual, or
an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or
opinion is recorded in material form or not.
The Privacy Act currently contains an exemption for “employee records”, such that any records containing personal information
which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act.
However, there are some further carve outs to this (for example, the exemption does not apply to contractors or unsuccessful
applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of
the ongoing review of the Privacy Act (see Enforcement).
Definition of sensitive personal data
Sensitive personal data (referred to as ‘sensitive information’ in Australia) means information or an opinion about:
Racial or ethnic origin
Political opinions
Membership of a political association
Religious beliefs or affiliations
Philosophical beliefs
Membership of a professional or trade association
Membership of a trade union
Sexual orientation or practices
Criminal record that is also personal information
Health information about an individual
Genetic information about an individual that is not otherwise health information
Biometric information that is to be used for the purpose of automated biometric identification or verification
Biometric templates
NATIONAL DATA PROTECTION AUTHORITY
The Privacy Commissioner, under the Office of the Australian Information Commissioner (“OAIC”), is the national data
protection regulator responsible for Privacy Act oversight.
175 Pitt Street Sydney NSW 2000
T 1300 363 992
F +61 2 9284 9666
REGISTRATION
There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act,
organizations are not required to notify the Privacy Commissioner of any processing of personal information.
DATA PROTECTION OFFICERS
Organizations are not required to appoint a data protection officer. However, the Privacy Commissioner has issued guidance
recommending that organizations appoint a data protection officer as good practice.
COLLECTION & PROCESSING
Organizations may not collect personal information unless the information is reasonably necessary for one or more of its business
functions or activities.
Under the Privacy Act, organizations must take reasonable steps to ensure that personal information collected is accurate and
up-to-date.
At or before the time organizations collect personal information, or as soon as practicable afterwards, they must take reasonable
steps to provide individuals with notice of:
The Organization’s identity and contact information
Why it is collecting (or how it will use the) information about the individual
The entities or types of entities to which it might give the personal information
Any law requiring the collection of personal information
The main consequences (if any) for the individual if all or part of the information is not provided
The fact that the organization’s privacy policy contains information about how the individual may access and seek
correction of their personal information, how they may make a complaint about a breach of the APPs and how the
organization will deal with such complaint
Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in
which such recipients are likely to be located
Organizations should comply with these notification requirements by preparing a “collection statement” or “privacy notice” for
each significant collection of personal information, and providing this to individuals prior to collecting their personal information.
This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which
details the general personal information handling processes of the organisation. APP 1 lists the information which is required to be
included in a privacy policy.
In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice
requirements outlined above also apply to any personal information collected from a third party. Organizations must provide
individuals with required notice on receipt of personal information from a third party, even though they did not collect personal
information directly from the individual. Unlike Europe, Australian privacy law does not distinguish between ‘data processors’ and
‘data controllers.’
Organizations must not use or disclose personal information about an individual unless one or more of the following applies:
The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose which
is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the
individual would reasonably expect the organization to use or disclose the information for that secondary purpose.
The individual consents.
The information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the
individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the
organization.
A ‘permitted general situation’ or ‘permitted health situation’ exists; for example, the entity has reason to suspect that
unlawful activity relating to the entity’s functions has been engaged in, or there is a serious threat to the health and safety
of an individual or the public.
It is required or authorized by law or on behalf of an enforcement agency.
In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that:
Each direct marketing communication provides a simple means by which the individual can opt out
The individual has not previously requested to opt out of receiving direct marketing communications
The above direct marketing requirements apply to all forms of direct marketing. Additionally, specific requirements for
commercial electronic messaging are outlined in Electronic Marketing.
The Privacy Act affords additional protections when processing involves sensitive information. Organizations are prohibited from
collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the
following:
The individual has consented to the collection and the collection of the sensitive information is reasonably necessary for
one or more of the entity’s functions or activities.
Collection is required or authorized by law or a court/tribunal order.
A ‘permitted general situation’ or ‘permitted health situation’ exists (for example, where the information is required to
establish or defend a legal or equitable claim or there is a serious threat to the life or health of the individual or the
public).
The entity is an enforcement body and the collection is reasonably necessary for that entity’s functions or activities.
The entity is a nonprofit organization and the information relates to the activities of the organization and solely to the
members of the organization (or to individuals who have regular contact with the organization relating to its activities).
Organizations must provide individuals with access to their personal information held by the organization upon an individual’s
request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an
organization. Under certain circumstances, the organization may limit the extent to which it provides an individual with access or
correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests.
Further, organizations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with
the organization, unless it is impractical to do so or the organization is required or authorized by law to deal with identified
individuals.
TRANSFER
Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organization
outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs
(other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any
act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a
breach of the APPs. However, this provision will not apply where any of the following apply:
The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which
effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to
mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no
reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability
(although the use of appropriate contractual provisions is a step towards ensuring compliance with the ‘reasonable steps’
requirement).
The individual consents to the transfer. However, under the Privacy Act the organization must, prior to receiving consent,
expressly inform the individual that if he or she consents to the overseas disclosure of the information the organization
will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs.
A ‘permitted general situation’ applies.
The disclosure is required or authorized by law or a court/tribunal order.
SECURITY
An organization must have appropriate security measures in place (ie, ‘take reasonable steps’) to protect any personal information it retains from misuse and loss and from unauthorized access, modification or disclosure. The Privacy Commissioner has issued detailed guidance on what it considers to be reasonable steps in the context of security of personal information, which we recommend be reviewed and implemented. Depending on the organization, and how and by which government agency it is regulated, as noted above, specific requirements or expectations may also exist with which organizations should be familiar. An organization must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.
BREACH NOTIFICATION
Entities with obligations to comply with the Privacy Act must comply with the mandatory data breach notification regime under
the Privacy Act.
The mandatory data breach notification includes data breaches that relate to:
Personal information
Credit reporting information
Credit eligibility information
Tax file numbers
In summary, the regime requires organizations to notify the OAIC and affected individuals of “eligible data breaches” (in
accordance with the required contents of a notice). Where it is not practicable to notify the affected individuals individually, an
organization that has suffered an eligible data breach must make a public statement on its website containing certain information as
required under the Privacy Act, and take reasonable steps to publicise the contents of the statement.
An “eligible data breach” occurs when all of the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:
There is unauthorized access to, or unauthorized disclosure of, or loss of the information
A reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates
Prevention of the risk of serious harm through remedial action has not been successful
While “serious” harm is not defined in the legislation, the OAIC has released guidance on how serious harm may be interpreted and assessed by organizations. There are a number of key criteria to examine when determining if “serious” harm is likely to result from a breach, which should be assessed holistically and take into account: the kinds of information, sensitivity, security measures protecting the information, the nature of the harm (ie, physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information.
The regime also imposes obligations on organizations to assess within 30 calendar days whether an eligible data breach has
occurred where the organization suspects (on reasonable grounds) that an eligible data breach has occurred, but that suspicion
does not amount to reasonable grounds to believe that an eligible data breach has occurred.
There are various exceptions to the requirement to notify affected individuals and/or the OAIC of a data breach, including in instances where law enforcement related activities are being carried out or where there is a written declaration by the Privacy Commissioner.
The introduction of the regime has resulted in many organizations requiring detailed contractual obligations with third party suppliers in relation to cybersecurity and the protection of personal information of their customers / clients. Complementing this regime, the OAIC has also released several guidance notes relating to the regime which include topics such as the security of personal information and, whilst these are not legally binding, they are considered industry best practice.
Further, organizations may have additional obligations to notify other regulators of data breaches in certain circumstances, including under the Prudential Standard CPS 234 Information Security (“CPS 234”), which aims to strengthen APRA-regulated entities’ resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach. CPS 234 applies to all APRA-regulated entities who, among other things, are required to notify APRA within 72 hours “after becoming aware” of an information security incident and no later than 10 business days after “it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner”.
ENFORCEMENT
The Privacy Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or
practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made.
Generally, the Privacy Commissioner prefers mediated outcomes between the complainant and the relevant organization.
Importantly, where the Privacy Commissioner undertakes an investigation of a complaint which is not settled, it is required to
ensure that the results of that investigation are publicly available. Currently, this is undertaken by disclosure through the OAIC
website of the entire investigation report.
The Privacy Commissioner may also investigate any “interferences with the privacy of an individual” (ie, any breaches of the APPs)
on its own initiative (ie, where no complaint has been made) and the same remedies as below are available.
After investigating a complaint, the Privacy Commissioner may dismiss the complaint or find the complaint substantiated and make
declarations that the organization rectify its conduct or that the organization redress any loss or damage suffered by the
complainant (which can include non-pecuniary loss such as awards for stress and/or humiliation). Furthermore, fines of up to
AU$440,000 for an individual and AU$2.2 million for corporations may be requested by the Privacy Commissioner and imposed
by the Courts for serious or repeated interferences with the privacy of individuals.
Following the release of the Australian Competition and Consumer Commission’s Digital Platforms Inquiry report in December 2019, the Australian Government accepted the need for proposed reforms to the Privacy Act. A draft bill has been published which would increase penalties under the Privacy Act to the greater of: AU$10 million, three times the value of the benefit obtained through the misconduct, or 10% of annual turnover (as well as introducing the framework for a binding online privacy code for social media and certain other online platforms, including data brokerage services and platforms with more than 2,500,000 end users in Australia (excluding customer loyalty schemes)). If these changes proceed, they would bring penalties for corporations in line with those already in force under the Competition and Consumer Act 2010 (Cth) for breaches of the Australian Consumer Law. As well as the current proposed changes, a broader review of the Privacy Act is currently being undertaken by the Australian Government, in accordance with the published terms of reference.
ELECTRONIC MARKETING
The sending of electronic marketing (referred to as ‘commercial electronic messages’ in Australia) is regulated under the Spam Act 2003 (Cth) (“Spam Act”) and enforced by the Australian Communications and Media Authority.
Under the Spam Act, a commercial electronic message (which includes emails and SMS’s sent for marketing purposes) must not be
sent without the prior opt-in consent of the recipient.
In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a
functional unsubscribe facility to enable the recipient to opt out of receiving future electronic marketing. Requests to unsubscribe
must be processed within 5 business days.
A failure to comply with the Spam Act (including failing to unsubscribe a recipient who uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AU$2.1 million per day.
ONLINE PRIVACY
There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws relating to online / e-privacy, and other specific laws regarding the collection of location and traffic data etc. Specifically, there are no specific legal requirements regarding the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user, the organization must comply with the Privacy Act in respect of collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers’ personal information complies with the Privacy Act, and the Privacy Commissioner has released detailed guidance on this.
KEY CONTACTS
Nicholas Boyle
Partner
T +61 2 9286 8479
nicholas.boyle@dlapiper.com
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.
AUSTRIA
Last modified 21 February 2022
LAW
The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.
A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.
However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their
own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among
the Member States.
Territorial Scope
Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a
wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.
However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.
In Austria, the laws concerning the implementation of the GDPR have been adopted gradually. In summer 2017, the existing Data Protection Act 2000 (Datenschutzgesetz 2000) was amended by the Data Protection Amendment Act 2018 (Datenschutz-Anpassungsgesetz 2018), which constituted the first implementation of various regulations related to the GDPR and was intended to enter into force simultaneously with the GDPR. The ‘Data Protection Act’ (Datenschutzgesetz, DSG) has considerably amended the Data Protection Act 2000. In addition to the GDPR, it is now the central piece of legislation in Austria regulating data privacy.
The Privacy Deregulation Act 2018 (Datenschutz-Deregulierungs-Gesetz 2018) further amended the DSG. The DSG, as amended by the Privacy Deregulation Act 2018, came into force on May 25, 2018 and is now the applicable regulation in Austria. The DSG also includes the implementation of Directive (EU) 2016/680.
In addition to the DSG, further amendments to other statutory laws were adopted in order to implement the GDPR (mostly to adapt to the terminology of the GDPR). These amendments were included in the General Data Protection Adjustment Act (Materien-Datenschutz-Anpassungsgesetz 2018) and the research-sector specific Data Protection Adjustment Act – Science and Research (Datenschutz-Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018). Further amendments in other laws have been made by the Second General Data Protection Adjustment Act, which was passed in June 2018 and applies retroactively. Finally, ordinances were also passed regulating respectively the cases where a data privacy impact assessment is obligatory (the Obligatory DPIA Ordinance – DSFA-V) and the exemptions from the obligation to conduct a data privacy impact assessment (the DPIA Exemptions Ordinance – DSFA-AV).
DEFINITIONS
“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.
Online identifiers are expressly referred to in Recital 30, with IP addresses, cookies and RFID tags listed as examples.
The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).
The GDPR concerns the “processing” of personal data. Processing has a broad meaning, and includes any set of operations performed on data, including mere storage, hosting, consultation or deletion.
Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to former legislation, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.
The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.
The DSG does not include any additional definitions or derogations to the GDPR. However, Section 1 DSG, which
provides a constitutional (human) right to data privacy, does not use the definition of “data subject” of the GDPR, but
rather uses the term “everyone” which is currently interpreted to include legal entities and other organizations too.
Consequently, the constitutional (human) right to data privacy, as well as some basic data subject rights, as regulated in
Section 1 DSG, also apply to legal entities and other organizations.
NATIONAL DATA PROTECTION AUTHORITY
Enforcement of the GDPR is conducted by data protection regulators, known as supervisory authorities (for example, the Cnil in
France or the ICO in the UK). The European Data Protection Board (successor of the so-called Article 29 Working Party) is
comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing
guidelines to encourage consistent interpretation of the Regulation.
The GDPR establishes the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory
authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects
only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
The Austrian Data Protection Authority (Österreichische Datenschutzbehörde) can be contacted as follows:
Österreichische Datenschutzbehörde
Barichgasse 40-42 1030 Vienna
Austria / Europe
Phone number: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at
If possible, the Austrian Data Protection Authority prefers to communicate via email.
REGISTRATION
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general
notification obligations. However, Member States may impose notification obligations for specific activities ( processing ofeg,
personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases
following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or
processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory
authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by
rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain
comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data
processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable
operational undertaking.
DATA PROTECTION OFFICERS
Each controller or processor is required to appoint a data protection officer if one of the following conditions is met:
it is a public authority;
its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities
(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger
corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,
awareness raising and training staff;
to advise and monitor data protection impact assessments where requested; and
to cooperate and act as point of contact with the supervisory authority.
The DSG contains in its Section 5 some additional regulation in respect to the rights and obligations of the DPO.
Thereunder, the DPO and all persons working for the DPO are obliged to retain confidentiality regarding the identity of
the persons that have approached the data protection officer as well as regarding all the circumstances that could reveal
the identity of such persons.
Under certain circumstances, the DPO and their assistant personnel have the right to refuse testimony regarding the data
obtained in their capacity as data protection officer, if a person employed in a position subject to the data protection
officer’s supervision is entitled to such right and to the extent that person has exercised such right. All files and other
documents of the data protection officer which are subject to this statutory right to remain silent in the aforementioned
extent cannot be lawfully seized.
Further regulations in Section 5 concern the DPOs of public organizations.
COLLECTION & PROCESSING
Data Protection Principles
Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under
these principles, personal data must be (Article 5):
processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up-to-date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which
the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and
organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core principle of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance, potentially for years after a particular decision regarding processing of personal data. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.
Legal Basis under Article 6
In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):
with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);
where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of
the data subject prior to entering into a contract;
where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited
to ‘life or death’ scenarios, such as medical emergencies);
where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority
vested in the controller; or
where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a
balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms
of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).
Special Category Data
Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in
effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an
Article 6 basis):
with the explicit consent of the data subject;
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and
social protection law or a collective agreement;
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally
incapable of giving consent;
in limited circumstances by certain not-for-profit bodies;
where processing relates to the personal data which are manifestly made public by the data subject;
where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in
their legal capacity;
where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to
the aim pursued and with appropriate safeguards;
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border
threats to health or ensuring high standards of health care and of medical products and devices; or
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with restrictions set out in Article 89(1).
Member States are permitted to introduce national legislation regarding processing of genetic data, biometric data and health data.
Criminal Convictions and Offences data
Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an
official public authority, or specifically authorized by national legislation (Article 10).
Section 4 Para 3 DSG regulates the processing of data regarding actions punishable under criminal or administrative law,
criminal convictions or suspected criminal actions.
Processing must (i) be based on an explicit legal authorization or obligation to process such data or (ii) be justified by a statutory duty of care or legitimate interests pursuant to Article 6(1) lit f GDPR, and be carried out in a manner that ensures the protection of the data subjects’ interests as set out in the GDPR and the DSG.
For example, legitimate interest may be established in recruitment processes for trustworthy personnel.
Processing for a Secondary Purpose
Increasingly, organisations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:
any link between the original purpose and the new purpose
the context in which the data have been collected
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are
processed (with the inference being that if they are it will be much harder to form the view that a new purpose is
compatible)
the possible consequences of the new processing for the data subjects
the existence of appropriate safeguards, which may include encryption or pseudonymization.
If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new
purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and
proportionate measure in a democratic society).
Transparency (Privacy Notices)
The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.
Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using
clear and plain language (Article 12(1)).
The following information must be provided (Article 13) at the time the data are obtained:
the identity and contact details of the controller;
the data protection officer’s contact details (if there is one);
both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate
interests for processing;
the recipients or categories of recipients of the personal data;
details of international transfers;
the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object
to processing and data portability;
where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
the consequences of failing to provide data necessary to enter into a contract;
the existence of any automated decision making and profiling and the consequences for the data subject; and
in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that
further processing, providing the above information.
Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.
Rights of the Data Subject
Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,
while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to
requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two
months where the request is onerous.
Right of access (Article 15)
A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information
about how the data have been used by the controller.
Right to rectify (Article 16)
Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to erasure (‘right to be forgotten’) (Article 17)
Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s
highest court ruled against Google (Judgment of the CJEU in Case C-131/12,
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631),
in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt
on the basis that Google as a data controller of the search results had no legal basis to process that information.
The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the
data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise
of the objection right, or of the withdrawal of consent.
Right to restriction of processing (Article 18)
Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the
accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of
the data subject, or where the legitimate grounds for processing by the controller are contested.
Right to data portability (Article 20)
Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to
processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or
have transmitted to another controller all personal data concerning him or her in a structured, commonly used and
machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).
Right to object (Article 21)
Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where
processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they
demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.
In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at
any time.
The right not to be subject to automated decision making, including profiling (Article 22)
Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly
affects him or her” is only permitted where:
a. necessary for entering into or performing a contract;
b. authorized by EU or Member State law; or
c. the data subject has given their explicit (ie, opt-in) consent.
Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain
human intervention, to contest the decision, and to express his or her point of view.
The Austrian DSG imposes further obligations upon controllers and processors. Pursuant to Section 6, all employees,
agents or contractors of a controller or a processor who have access to personal data must be contractually obliged to
transfer personal data only after receiving an adequate and documented instruction by their employer (confidentiality
obligation). All employees, agents or contractors of a controller or a processor must be subject to confidentiality
undertakings or professional or statutory obligations of confidentiality. Measures must be taken to ensure that all
employees, agents or contractors of a controller or a processor are bound by the aforementioned undertakings and/or
obligations of confidentiality even after the termination of their respective contract, regardless of the cause or form
thereof.
CCTV, or rather more broadly processing of images made in public or private spaces, including related sound recordings,
are subject to further regulation and requirements pursuant to Sections 12 and 13 DSG. This provision provides
limitations regarding the lawfulness of such processing as compared to Art 6 GDPR, as processing of image data is only
permissible in the following cases:
processing is necessary in order to protect the vital interests of the data subject
the data subject has given their consent
the processing is required or permitted by specific statutory law, or
the interests of the data controller override the interests of the data subjects in the specific case, and the
processing is proportionate
Overriding legitimate interests are assumed by the law in some cases listed as examples, such as preventive protection of
property or persons on private properties or publicly accessible spaces controlled by the data controller.
The capturing of images / CCTV is always prohibited in the following cases:
processing of images capturing persons in their personal area of life without their express consent
processing of CCTV images for the purpose of employee monitoring
the automated comparison of personal data obtained by means of capturing images / CCTV without explicit
consent and for the creation of personality profiles with other personal data, or
the evaluation of personal data obtained by means of image capturing on the basis of special categories of personal
data (Art. 9 GDPR) as a selection criterion
In early 2020, the Austrian Data Protection Authority published a non-binding opinion, referring to two decisions of
the Federal Administrative Court, stating that Sections 12 and 13 DSG are not in line with the GDPR and shall
therefore no longer be applied. The Authority shall assess CCTV data processing exclusively on the basis of the GDPR.
However, the contents of the Sections 12 and 13 DSG are still practically used as criteria for assessment of the lawfulness
of the processing.
Other additional regulations for processing of data include:
regulation relating to processing for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes (Section 7), which allows processing of such data if they are publicly accessible,
have been collected lawfully for other research purposes or other lawful purposes, or are pseudonymized; other
data may only be processed to the extent there are specific statutory regulations, the data subjects have given
their consent or the Data Protection Authority has approved the processing
further regulation regarding the processing of data for purposes pursuant to Art 89(1) GDPR, most notably for
research purposes, included in the Act on Research Organisation (Forschungsorganisationsgesetz – FOG); this
regulation includes provisions which lessen to some extent the requirements for processing of special categories
of data, including in particular the concept of “broad consent”, and limit the rights of data subjects in this respect
regulation relating to the processing of addresses for informing or sending questionnaires to data subjects (Section
8), which in principle requires consent for such processing, but also provides some derogations
regulation regarding data processing in cases of catastrophes (Section 10)
TRANSFER
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and
Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides
for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),
Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor
and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of
appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The GDPR has removed
the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of
standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
explicit informed consent has been obtained;
the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject
between the controller and another natural or legal person;
the transfer is necessary for important reasons of public interest;
the transfer is necessary for the establishment, exercise or defense of legal claims;
the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
the transfer is made from a register which according to EU or Member State law is intended to provide information to the
public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the
purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data
subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized
or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in
force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is
no other legal basis for transfer will infringe the GDPR.
SECURITY
Security
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,
context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account
of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’
approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute
adequate security:
The pseudonymization and encryption of personal data
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical
incident, and
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for
ensuring the security of the processing
Section 13 DSG imposes further obligations on Controllers in regard to CCTV and / or processing of captured images
pursuant to Section 12 DSG. The controller needs to secure the access to the CCTV / captured images in a way that
makes any access and / or subsequent alteration of captured images by an unauthorized third party impossible.
BREACH NOTIFICATION
The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,
and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as
any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed” (Article 4).
The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours
after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and
freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is
also required to notify the affected data subjects without undue delay (Article 34).
Where the breach occurs at the level of the processor, they are required to notify the controller without undue delay upon
becoming aware of the breach (Article 33(2)).
The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals
and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the
breach and the measures taken to mitigate harm (Article 33(3)).
Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory
authority) and permit audits of the record by the supervisory authority.
ENFORCEMENT
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million
(whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of
an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that
‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European
Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. The Treaty does not
define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of
each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. Under EU
case-law regarding competition, there is also precedent for regulators to impose joint and several liability on parent companies for
fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called “look
through” liability. It is not yet clear whether this will translate directly to GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of
the preceding year, whichever is higher, apply to infringement of:
the basic principles for processing including conditions for consent;
data subjects’ rights;
international transfer restrictions;
any obligations imposed by Member State law for special cases such as processing employee data; and
certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide
turnover of the preceding year, whichever is the higher, apply to infringement of:
obligations of controllers and processors, including security and data breach notification obligations;
obligations of certification bodies; and
obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,
proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy broad investigative and corrective powers (Article 58) including the power to undertake on-site
data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR provides for specific provision for individuals to bring private claims against controllers and processors:
any person who has suffered “material or non-material damage” because of a breach of the GDPR has the right to receive
compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that
individuals will be able to claim compensation for distress even where they are not able to prove financial loss. These
claims can be made at any competent court.
Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf
(Article 80).
Furthermore, individuals may lodge a complaint to a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against
a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
In Austria, the Austrian Data Protection Authority is responsible for the enforcement of the GDPR. Pursuant to Section
11 DSG, the Austrian Data Protection Authority is obliged to impose administrative fines pursuant to the Article 83
GDPR in an adequate way. The Authority should in particular also apply the measures pursuant to Art 58 GDPR in case of
first time breaches, in particular the possibility to issue warnings instead of imposing fines.
The fines under the GDPR are imposed under Austrian administrative criminal law. The Austrian administrative criminal
law in general does not allow authorities to impose fines against a legal entity, but provides only for the liability of natural
persons; in cases where violations are committed by a legal entity, the liable persons are either statutory representatives
(directors) or persons appointed as responsible persons for adherence with specific administrative laws. However, the
DSG provides a possibility to impose fines against legal entities, in the following cases:
A violation of GDPR or DSG is committed by a natural person who (1) has power to represent the legal entity or
to make decisions on behalf of the legal entity; or (2) has supervisory powers in the legal entity, and has
committed this offence either alone or as a part of an organ of the legal entity (eg, management board)
An employee of the legal entity violates the provisions of GDPR or DSG and the violation was possible due to
insufficient supervision or control by a natural person that (1) has power to represent the legal entity;
(2) has power to make decisions on behalf of the legal entity; or (3) has supervisory powers in the legal entity,
provided the violation is not subject to criminal law.
The Authority may impose fines against a legal entity or a responsible natural person, as appropriate. If the fine is imposed
against a legal entity, the Authority is required to identify a particular natural person whose violations are to be attributed
to said entity; the responsible natural person may not be fined for the same breach.
Public bodies cannot be fined for violations of GDPR or DSG.
ELECTRONIC MARKETING
The GDPR applies to most electronic marketing activities, as these will involve use of personal data (eg, an email address which
includes the recipient’s name). The most relevant legal bases for electronic marketing will be consent, or the legitimate interests of
the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict
standards for consent under the GDPR apply, and marketing consent forms will need to incorporate clearly worded opt-in
mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms
and conditions, or consent implied from conduct, such as visiting a website).
Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic
marketing) at any time (Article 21(3)).
Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State, provides for specific rules on
electronic marketing (including circumstances in which consent must be obtained). The ePrivacy Directive is yet to be replaced by
a Regulation. However, it is currently uncertain when this is going to happen. In the meantime, Article 94 makes it clear that
references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive
95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.
Neither the GDPR nor the DSG specifically addresses (electronic) marketing; however, the use of personal data for marketing purposes is
clearly within their scope. It is arguable that the processing of personal data of the existing customers within the scope of the
business is permissible for marketing purposes, and this has become common practice in Austria. For persons who are not yet
customers, the consent of the data subjects is generally required.
Electronic marketing is also regulated by the Austrian Telecommunications Act (Telekommunikationsgesetz 2021, ‘TKG’). Pursuant
to the TKG the sending of electronic messages without prior consent of the recipient is unlawful, if the sending is for direct
marketing purposes. No consent is required if the data has been obtained in the course of the sale of goods or provision of
services, occurs for the same or similar goods or services, the recipient is able to decline easily and with no costs for the use of
his or her personal data and the recipient has not previously declared, by requesting to be entered on to the relevant list
(maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR)), that they do not want to be
contacted.
The GDPR implementation Acts do not provide any amendments or derogations in respect of electronic marketing.
However, electronic marketing was and still is separately regulated in Austria in the Telecommunications Act
(Telekommunikationsgesetz 2021, TKG), Section 174, which implements the ePrivacy Directive.
Pursuant to the TKG the sending of electronic messages without prior consent of the recipient is unlawful insofar as the
message is sent for direct marketing purposes. Explicit consent is not required where (1) the data have been obtained in
the context of the sale of goods or provision of services; (2) the electronic marketing concerns same or similar goods or
services of the sender; (3), the recipient is able to decline easily and with no costs for the use of his or her personal data
for electronic marketing, both when the data are collected as well as with each message received (‘opt-out’), and the
recipient has not previously declared, by requesting to be entered on to the relevant lists (the “Robinson lists”, maintained
by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) and the Austrian Chamber of
Commerce (WKO)), that he or she does not want to be contacted.
ONLINE PRIVACY
Online privacy is specifically regulated by the TKG.
Traffic data
Traffic Data held by communications services providers (CSPs) must be erased or anonymized when it is no longer necessary for
the purpose of the transmission of a communication. However, Traffic Data can be retained for purposes of invoicing the services.
In such a case, if the invoice has been paid and no appeal has been lodged with the CSP within three months the Traffic Data must
be erased or anonymized.
Location data
Location Data may only be processed for emergency services and with consent of the user. Even in case of consent, the user must
be able to prohibit the processing by simple means, free of charge and for a certain time period.
Cookie compliance
The relevant section of the TKG stipulates that a user must give informed consent for the storage of personal data, which includes
a cookie. The user has to be aware of the fact that consent for the storage or processing of personal data is given, as well as the
details of the data to be stored or processed, and has to agree actively. Therefore obtaining consent via some form of pop-up or
click through agreement seems advisable. Consent by way of browser settings, or a pre-selected checkbox etc. is probably not
sufficient in this respect.
If for technical reasons the short term storage of content data is necessary, such data must be deleted immediately thereafter.
Online privacy is still specifically regulated by the TKG, and the GDPR implementation acts have introduced only minor
amendments thereto. There are no regulations regarding online privacy in the DSG itself.
Media privilege
In an effort to balance freedom of speech and freedom of information, publishers as well as owners and employees of
media outlets are granted privileges regarding the processing of data for journalistic purposes (Section 9 DSG). Certain
Chapters of the GDPR are not applicable to such processing, specifically:
Chapter II (Principles);
Chapter III (Rights of the data subject);
Chapter IV (Controller and Processor);
Chapter V (Transfers of personal data to third countries or international organizations);
Chapter VI (Independent supervisory authorities);
Chapter VII (Cooperation and consistency); and
Chapter IX (Provisions relating to specific processing situations).
The same exceptions (with the slight difference of Article 5 of Chapter II remaining applicable) are stipulated if data is
processed for scientific, artistic or literary purposes.
KEY CONTACTS
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.
Sabine Fehringer
Partner
T +43 1 531 78 1460
sabine.fehringer@dlapiper.com
Stefan Panic
Counsel
T +43 531 78 1034
stefan.panic@dlapiper.com
AZERBAIJAN
Last modified 15 February 2022
LAW
Law on Personal Information dated 11 May 2010.
DEFINITIONS
Definition of Personal Data
Any information that allows a person to be identified, directly or indirectly, is considered personal data.
Definition of Sensitive Personal Data
Personal data of special category includes information relating to race or nationality of an individual, his/her family life, religion and
belief, health or conviction.
NATIONAL DATA PROTECTION AUTHORITY
The major regulator/enforcement authority (DPA) is the Ministry of Digital Development and Transport.
In addition, the other designated state authorities which are vested in powers to enforce applicable data protection/privacy laws,
within the scope of their competences, include the Ministry of Internal Affairs, the Ministry of Justice, the State Security Service,
and the Special State Protection Service.
REGISTRATION
Information systems of personal data must be registered with the DPA. There are also certain exemptions from such registration
requirement.
DATA PROTECTION OFFICERS
The DPA, through its officers, may demand that legal entities and individuals eliminate violations of statutory requirements, and may
also take necessary actions to hold accountable persons who have breached the statutory requirements regarding the collection, processing
and protection of personal data.
COLLECTION & PROCESSING
Collection and processing of personal data may be carried out either with the prior consent of the data subject or when the
data is of open category (ie, non-confidential).
TRANSFER
Transfer of personal data can be performed with a prior written consent of a data subject, unless the data is of open category.
SECURITY
An adequate level of protection of personal data must be provided by owners or operators of personal data.
BREACH NOTIFICATION
There is no specific requirement as to notification of the DPA by the owner or operator of personal data about breach.
ENFORCEMENT
If the rights of a data subject are breached as a result of the illegal collection and processing of personal data, inadequate
protection of such data, or non-compliance with the statutory requirements, the data subject may claim for compensation of
material and moral damages sustained by him/her through the local court.
ELECTRONIC MARKETING
No consent of the recipient is required for e-mail marketing, provided that service providers establish a registration system for
persons who wish to opt out of receiving marketing materials, and comply with that system.
ONLINE PRIVACY
There are no rules directly regulating use of cookies in Azerbaijani legislation. However, if cookies contain any personal data, the
Azerbaijani data protection rules will apply as to the use of such cookies.
If a data subject cannot be identified from location data alone, that data is unlikely to be deemed personal data and would fall
outside the scope of the personal data protection requirements.
KEY CONTACTS
MGB Law Offices
mgb-law.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Ismail Askerov
Senior Partner
MGB Law Offices
T +99412 493 6669
ismail.askerov@mgb-law.com
Lala Hasanova
Senior Associate
MGB Law Offices
T +99412 493 6669
lala.hasanova@mgb-law.com
BAHAMAS
Last modified 22 December 2021
LAW
Data Protection (Privacy of Personal Information) Act (“DPA”).
DEFINITIONS
Definition of Personal Data
Section 2 DPA defines ‘personal data’ as data relating to a living individual who can be identified either from the data or from the
data in conjunction with other information in the possession of the data controller.
Definition of Sensitive Personal Data
‘Sensitive personal data’ is further defined in Section 2 DPA as personal data relating to: racial origin; political opinions or religious
or other beliefs; physical or mental health (other than any such data reasonably kept by a data controller in relation to the physical
or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other
purpose); trade union involvement or activities; sexual life; or criminal convictions, the commission or alleged commission of any
offence, any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings.
It should be noted that although sensitive personal data (‘SPD’) is distinguished from personal data under DPA by its specificity of
certain categories of data, SPD does not otherwise receive any special treatment compared to general personal data. While DPA
provides that the relevant Minister responsible for data protection may create regulations that would provide safeguards for such
data under the Act, no such regulation has ever materialized.
NATIONAL DATA PROTECTION AUTHORITY
Section 14 DPA establishes a Data Protection Commissioner (‘DPC’), a corporation sole, that is tasked with the enforcement of
the provisions of DPA. The DPC operates from the Office of the Data Protection Commissioner, which is the Bahamian
equivalent of a national data protection authority as seen in other jurisdictions.
REGISTRATION
There is no obligation under DPA to register with the Office of the Data Protection Commissioner as a data controller (or data
processor).
DATA PROTECTION OFFICERS
There is no statutory duty to appoint a Data Protection Officer under DPA.
COLLECTION & PROCESSING
DPA in The Bahamas has only limited extraterritorial effect (as it concerns data controllers). Per Section 4(1) of DPA, the Act
only applies to: data controllers established in The Bahamas (where the data is processed in the context of the local
establishment); and data controllers established outside The Bahamas that use equipment in The Bahamas for processing data
(other than for transit through The Bahamas).
In the above context, an ‘established’ data controller can be any of the following (in accordance with Section 4(3) of DPA): an
individual ordinarily resident in The Bahamas; a body incorporated or registered under Bahamian law; a partnership or other
unincorporated association formed under Bahamian law; and any person that does not fall into any of the foregoing categories but
maintains an office, branch or agency in The Bahamas through which they carry on a business activity or regular practice. It can be
seen, therefore, that a nexus to The Bahamas of the kind described above must be established for DPA to apply outside the
jurisdiction.
Data controllers are defined in Section 2 DPA as a person who, alone or with others, determines the purposes for which and the
manner in which any personal data are, or are to be, processed. Under Section 12(1), data controllers owe a statutory duty of care
to data subjects in respect of their collection of personal data (or of information intended for inclusion in such data) and their
dealing with such data. Further, Section 12(2) provides that data controllers must use contractual or other legal means to obtain a
‘comparable’ level of protection from any third party to whom they disclose information for the purpose of data processing.
Under Section 6(1), data controllers must abide by several core duties relating to the collection, processing, keeping, use and
disclosure of data subjects’ data, namely, to ensure:
The data or information constituting the data has been collected by means which are lawful and fair in the circumstances
of the case (e.g., data subjects should not be deceived or misled as to the purpose(s) for which the data is being processed
or collected – and the use of such data should not cause damage or distress to the data subject);
The data is accurate and kept up to date where necessary (except in the case of data back-up);
The data is kept only for one or more specified or lawful purpose(s);
The data is not used or disclosed in a manner which is incompatible with that/those purpose(s);
The data collected is adequate, relevant and not excessive in relation to that purpose or purposes;
The data is not kept for a period longer than necessary for the purpose(s) for which it was collected (except in cases
where personal data needs to be kept for historical, statistical or research purposes);
There are appropriate security measures in place to prevent unauthorised access to, or alteration, disclosure or
destruction of data and against its accidental loss or destruction.
TRANSFER
Section 17 DPA speaks to the international transfer of data. Under Section 17(1) the DPC may prohibit the transfer of personal
data from The Bahamas to a place outside The Bahamas where there is a failure to provide protection, by contract or otherwise,
equivalent to that provided under DPA, subject to certain exceptions. In arriving at a determination to prohibit an international
transfer of data, the DPC must consider whether such a transfer would cause damage or distress to any person and the desirability
of the transfer. Pursuant to Section 17(8), however, Section 17 does not apply to data required or authorized to be transferred
under another enactment, to data required to be transferred by any convention or other instrument imposing an international
obligation on The Bahamas, or to data that the data subject has consented to having transferred.
SECURITY
As mentioned previously, Section 6(1)(d) provides that data controllers must ensure that appropriate security measures are taken
against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
In practice, appropriate security measures typically mean ‘industry-standard’ (particularly for institutions that store SPD, e.g. law
firms, hospitals, banks, insurance companies, etc).
BREACH NOTIFICATION
There is no breach notification obligation under the provisions of DPA.
ENFORCEMENT
The DPC of The Bahamas is largely responsible for the enforcement of data protection in the jurisdiction. Section 15(1) states that
the DPC may investigate, or cause to be investigated, whether any of the provisions of DPA have been contravened by a data
controller or a data processor in relation to an individual, either where an individual has complained of a contravention of any DPA
provision or where the DPC is otherwise of the opinion that a contravention may have occurred. Enforcement measures the
DPC can utilize include enforcement notices (Section 16 DPA), prohibition notices (Section 17 DPA), information notices (Section
18 DPA), and in rare instances bringing and prosecuting summary offences under DPA (Section 28 DPA).
Aside from its statutory functions, the DPC is also tasked with educating the public of data protection issues and trends and
providing assistance in data breach remediation.
In accordance with Section 29(1) DPA, a person guilty of an offence under DPA is liable on summary conviction to a fine not
exceeding $2,000.00 Bahamian Dollars, or on conviction on information to a fine not exceeding $100,000.00 Bahamian Dollars.
Further, Section 29(2) provides that where a person is convicted of a DPA offence, the court may also order that any data
material which appears to the court to be connected with the commission of the offence be forfeited or destroyed, and that any
relevant data be erased.
ELECTRONIC MARKETING
Data subjects have the right to prohibit processing for the purposes of direct marketing by way of Section 11 DPA. Though DPA
provides that ‘direct marketing’ includes direct mailing, it also applies by extension to electronic marketing and newsletters. In
order to prohibit such processing a data subject may make a written request to the data controller to cease using any data that
has been kept for the purpose of direct marketing. The data controller then has no more than forty days to either erase or cease
using the said data and notify the data subject in writing accordingly.
ONLINE PRIVACY
Outside of the current provisions of DPA and legislation governing law enforcement access to one’s computing devices and
encrypted data (e.g. the Interception of Communications Act, Computer Misuse Act, National Crime Intelligence Agency Act etc.),
online privacy is largely unregulated and there are no specific laws aimed at the use of cookies or the collection of location data.
Under the Electronic Communications and Transactions Act (‘ECTA’), however, Section 20 provides a procedure for online
intermediaries for ‘dealing with unlawful, defamatory, etc. information’. An intermediary is defined under Section 2 ECTA as, in the
context of an electronic communication, a person (including a host acting on behalf of another person) who sends, receives or
stores, either temporarily or permanently, that electronic communication or provides related services with respect to it.
Section 20(1) states that where an intermediary has actual knowledge that information in an electronic communication gives rise
to civil or criminal liability, the intermediary should, as soon as possible, remove the information from any information processing
system within its control, cease to provide or offer services in respect of that information, and notify the police of any relevant
facts and of the identity of the person to whom the intermediary was supplying services in respect of the information, if that
identity is known to the intermediary. Similarly, Section 20(2) states that an intermediary which is aware of facts or circumstances
from which the likelihood of civil or criminal liability in respect of the information in an electronic communication ought reasonably
to have been known should, as soon as practicable, follow any relevant procedure set out in any code of conduct that may be
applicable to the intermediary under the Act, or notify the police and the Minister responsible for electronic communications. The
Minister may then direct the intermediary to remove the electronic communication from any information processing system within
its control and to cease providing services to the person to whom it was supplying services in respect of that communication. It
can be argued that these provisions give intermediaries (e.g. telecommunications providers) facilitating communications between
end users broad powers to cease services or effectively censor electronic communications they deem objectionable, on the
grounds that civil or criminal liability could likely arise, without any liability attaching to the intermediary provided it acts in good
faith.
KEY CONTACTS
GrahamThompson
grahamthompson.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Sean G. McWeeney Jr.
Associate
GrahamThompson
T +1 (242) 322-4130
sgm@gtclaw.com
BAHRAIN
Last modified 7 December 2021
LAW
Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (“PDPL”) on July 12, 2018. The PDPL is the main
data protection regulation in Bahrain. The PDPL came into force on August 1st 2019, and supersedes any law with contradictory
provisions.
DEFINITIONS
Definition of personal data
Personal data is defined under the PDPL as any information of any form related to an identifiable individual, or an individual who
can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical,
physiological, intellectual, cultural or economic characteristics or social identity.
Definition of sensitive personal data
Sensitive personal data is a subset of personal data. It is personal data which reveals, directly or indirectly, the individual’s race,
ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or
sexual life. Sensitive personal data requires more rigorous treatment by data controllers.
NATIONAL DATA PROTECTION AUTHORITY
Under the PDPL, the Personal Data Protection Authority (“Authority”) has power to investigate violations of the PDPL on its own
initiative, at the request of the responsible minister, or in response to a complaint.
The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also available to any
individual who has incurred damage arising from the processing of their personal data by the data controller, or from a violation of
the provisions of the PDPL by a business’s data protection officer. Finally, the most concerning feature of the PDPL for businesses
is that it carries criminal penalties for violations of certain provisions.
Decree No. 78 of 2019 (the “Decree”) was enacted to determine the administrative authority that will assume the mandated
functions and powers of the Authority. This Decree came into force 29 September 2019.
Article 1 of the Decree appoints the Ministry of Justice, Islamic Affairs and Endowments (the “Ministry”) as the Authority for the
protection of personal data in accordance with the provisions of the PDPL, on a temporary basis pending the financial allocation of
the Authority in the general budget of Bahrain and the issuance of a decree forming the Board of Directors pursuant to Article 39
of the PDPL.
The Minister of the Ministry will assume the functions and powers prescribed to the Board of Directors of the Authority and the
Chairman of the Board of Directors, in accordance with the provisions of the PDPL. The Undersecretary of the Ministry will
assume the same functions and powers as the Executive Chairman.
REGISTRATION
The Authority must create a register of data protection officers. To be accredited as a data protection officer, an individual must
be registered in that register.
DATA PROTECTION OFFICERS
Data controllers may voluntarily appoint a data protection officer. The Authority’s Board of Directors may also issue a decision
requiring specific categories of data controllers to appoint data protection officers. However, in all instances, the data controller
must notify the Authority of such an appointment within three days of its occurrence.
A data protection officer must help the data controller in exercising its rights and fulfilling its obligations prescribed under the
PDPL. The data protection officer also has a number of other roles, including liaising with the Authority, verifying that personal
data is processed in accordance with the PDPL, notifying the Authority of any violations of the PDPL that the data protection
officer becomes aware of, and maintaining a register of the processing operations that the data controller must notify the
Authority about.
COLLECTION & PROCESSING
Processing is defined under the PDPL as any operation or set of operations carried out on personal data by automated or
non-automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using
or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or
destroying them.
Processing of personal data can only occur with the consent of the data subject, unless the processing is necessary:
to implement a contract to which the data subject is a party;
to take steps at the request of the data subject to conclude a contract;
to implement an obligation required by law, contrary to a contractual obligation or an order from a competent court;
to protect the vital interests of the data subject; or
to exercise the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this
conflicts with the fundamental rights and freedoms of the data subject.
Processing of sensitive personal data is also prohibited without the consent of the data subject, except when the processing:
is required by the data controller to carry out their obligations;
is necessary for the protection of the data subject;
relates to data that the data subject has made available to the public;
is necessary to exercise any of the procedures of claims of legal rights or the defence thereof;
is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare, treatment or management
of healthcare services;
is carried out within the activities of associations, unions and other non-profit organisations;
is carried out by a competent public entity; or
relates to race or ethnicity and is necessary to ascertain equal opportunities or equal treatment of individuals in society.
Data controllers are prohibited from processing the following personal data types without the prior written authorization of the
Authority:
automatic processing of sensitive personal data of data subjects who cannot provide consent;
automatic processing of biometric data;
automatic processing of genetic data (unless such processing was provided by physicians and specialists at a licensed
medical establishment and is necessary for purposes of preventative medicine or diagnostic medicine, or purposes to
provide treatment or healthcare);
automatic processing of personal data files that are in the possession of two or more data controllers that are processing
personal data for different purposes; or
processing that consists of visual recording to be used for monitoring purposes.
TRANSFER
Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient
protection for personal data. Those countries must be listed by the Authority and published in the Official Gazette.
Data controllers can also transfer personal data to countries that are not determined to have sufficient protection of personal data
where:
the transfer occurs pursuant to a permission to be issued by the Authority on a case-by-case basis, if it deems that the
data will be sufficiently protected;
if the data subject has consented to that transfer;
if the data to be transferred has been extracted from a register that was created in accordance with the PDPL for the
purpose of providing information to the public, regardless of whether viewing of this register is available to everyone or
limited to the parties concerned in accordance with specific terms and conditions. In this instance, one shall have to satisfy
the terms and conditions prescribed for viewing the register before viewing that information;
if the transfer is necessary for any of the following:
to implement a contract between the data subject and the data controller, or to undertake preceding steps at the
data subject’s request for the purpose of concluding a contract;
to implement or conclude a contract between the data controller and a third party for the benefit of the data
subject;
to protect the data subject’s vital interests;
to implement an obligation imposed by the PDPL (even if this is contrary to the contractual obligation), or to
implement an order issued by a competent court, the public prosecution, the investigating judge or the military
prosecution; or
to prepare, execute or defend a legal claim.
SECURITY
The PDPL requires that data controllers apply technical and organizational measures capable of protecting the data against
unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of
processing.
The PDPL requires that the Authority’s Board of Directors issues a decision specifying the terms and conditions that the technical
and organizational measures must satisfy. The decision may require specific activities by applying special security requirements
when processing personal data.
Data controllers must also use data processors who will provide sufficient guarantees about applying the technical and
organizational measures that must be adhered to when processing the data. Data controllers must also take reasonable steps to
verify that data processors comply with these measures.
BREACH NOTIFICATION
The PDPL contains a general requirement on the data protection officer to notify the Authority of any breach of the PDPL of
which the data protection officer becomes aware.
Mandatory breach notification
Under the PDPL, there is no mandatory data breach notification provision requiring data controllers to notify the Authority or
data subject in the event that there is a breach of personal data held by the data controller.
ENFORCEMENT
The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also available to any
individual who has incurred damage arising from the processing of their personal data by the data controller, or arising from the
data protection officer’s violation of the PDPL. Appeals can be made against decisions of the Authority.
The PDPL also carries a range of criminal penalties and administrative fines for violating certain provisions.
Criminal penalties of imprisonment for not more than one year and / or a fine of between BHD 1,000 and BHD 20,000 can be
imposed on any individual who:
processes sensitive personal data in violation of the PDPL;
transfers personal data outside Bahrain to a country or region in violation of the PDPL;
processes personal data without notifying the Authority;
fails to notify the Authority of any change made to the data of which they have notified the Authority;
processes certain personal data without prior authorization from the Authority;
submits to the Authority or the data subject false or misleading data to the contrary of what is established in the records,
data or documents available at their disposal;
withholds from the Authority any data, information, records or documents which they should provide to the Authority or
enable it to review them in order to perform its missions specified under the PDPL;
hinders or suspends the work of the Authority’s inspectors or any investigation which the Authority is going to make; and / or
discloses any data or information to which they have access by reason of their job, or uses such data for their own benefit or for
the benefit of others, unreasonably and in violation of the provisions of the PDPL.
ELECTRONIC MARKETING
Under the PDPL, data controllers must notify the data subject when data is collected directly or indirectly of whether data will be
used for direct marketing purposes. Notice is important because it alerts data subjects of their right to object to any direct
marketing relating to their personal data.
ONLINE PRIVACY
There is no specific online privacy regulation in Bahrain.
KEY CONTACTS
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Mohamed Toorani
Legal Director – Head of Bahrain Office
T +973 1755 0896
mohamed.toorani@dlapiper.com
Lulwa Alzain
Associate
T +973 1755 0891
lulwa.alzain@dlapiper.com
Jenan Banahi
Associate
T +973 1755 0897
jenan.banahi@dlapiper.com
BANGLADESH
Last modified 11 January 2022
LAW
Digital Security Act 2018 (“DSA 2018”).
DEFINITIONS
Definition of personal data
Section 26 of the DSA defines the term “identity information” as “any external, biological or physical information or any other
information which singly or jointly can identify a person or a system, such as name, photograph, address, date of birth, mother’s name,
father’s name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number,
driving license, e-TIN number [Tax identification Number], electronic or digital signature, username, credit or debit card number, voice print,
retina image, iris image, DNA profile, security related question or any other identification which are available for advance technology”.
Definition of sensitive personal data
The DSA 2018 does not define the term “Sensitive Personal Data” or any similar or equivalent term.
NATIONAL DATA PROTECTION AUTHORITY
Digital Security Agency.
REGISTRATION
No requirements.
DATA PROTECTION OFFICERS
No requirements.
COLLECTION & PROCESSING
There are no statutes that expressly allow the collection and processing of identification information.
The DSA 2018 came into force in full on 8 October 2018. Section 26 of the DSA 2018 has been drafted in very wide terms. The
contents of this provision would appear to provide, inter alia, that if anyone, without lawful authority, collects, sells, keeps
possession of, supplies or uses identification information of another person, it would constitute an offence (see Note 1). The
punishment for a first-time offender would be imprisonment for a term not exceeding five years or a fine not exceeding Taka
5,00,000 (approx. US$ 5,950 as at 19 January 2021) or both. The punishment for second-time or repeat offenders would be
imprisonment for a term not exceeding 10 years or a fine not exceeding Taka 10,00,000 (approx. US$ 11,900 as at 19 January
2021), or both.
Please note that the DSA 2018 does not contain any exceptions to the Section 26 requirement. However, identification
information may, among other things, be collected and stored by a person if he has lawful authority. The term “lawful authority”
has not been defined in the DSA 2018. Due to the very recent enactment of this legislation, the Government of Bangladesh has
not yet issued any clarification as to what would constitute ‘lawful use’ and has provided no guidance on what would satisfy the
‘lawful authority’ requirement. It is for these reasons (among others) that the legislation has been widely criticised.
In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store
such identification information.
Note 1. Please note that this is an unofficial English translation of the wording of the provision in question.
TRANSFER
Bangladesh does not specifically regulate data transfers within Bangladesh or from Bangladesh to outside of Bangladesh. In our
opinion, transfers would be permitted provided consent of the data subject is obtained.
While there are no general restrictions on transfer of data outside Bangladesh, please note that there are certain industry specific
restrictions that are discussed below.
Banks
Section 12 of the Bank Companies Act, 1991 has imposed a restriction upon bank companies with regard to the removal of
documents and records outside Bangladesh without the prior permission of Bangladesh Bank (i.e. the central bank of Bangladesh).
The requirement for obtaining prior written permission from Bangladesh Bank is upon the transferor, i.e. the bank company.
Banks must also maintain confidentiality in banking transactions.
Telecommunication companies
The Bangladesh Telecommunication Regulatory Commission (“Commission”) is the authority responsible for regulating
telecommunications companies (“telcos”) in Bangladesh and for issuing licences to telcos for providing mobile phone services.
The licence granted to the telcos contains a provision regarding subscriber confidentiality. The confidentiality requirement
applies to “all information provided by the subscriber”. As such, telcos are prohibited from sharing any subscriber information
(with entities or persons located inside or outside Bangladesh) that does not come within the exemptions listed above.
Furthermore, in our opinion, subscribers would not have the option of giving consent to the telcos to share their data; instead, for
such sharing, approval from the Commission will be required.
SECURITY
There are no data security requirements.
BREACH NOTIFICATION
There is no requirement to report data breaches to any individual or regulatory body.
ENFORCEMENT
There is no enforcement mechanism. Appropriate relief may be sought through courts of law having jurisdiction in the matter.
ELECTRONIC MARKETING
There is no regulation on electronic marketing.
https://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
Data Protection Laws of the World Bangladesh 90 | | | www.dlapiperdataprotection.com
ONLINE PRIVACY
There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate
disclaimers.
KEY CONTACTS
Dr. Kamal Hossain and Associates
www.khossain.com/
Dr. Sharif Bhuiyan
Partner and Deputy Head of Chambers – International and Commercial Practice
Dr. Kamal Hossain and Associates
T +88 02 9552946
sbhuiyan@khossain.com
Najeeb Huda
Associate
Dr. Kamal Hossain and Associates
T +88 02 9552946
nhuda@khossain.com
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.
BARBADOS
Last modified 10 January 2022
LAW
The Data Protection Act (the "Act") was passed on August 12, 2019, and came into force in March 2021. The purpose of the Act
is to regulate the collection, keeping, processing, use and dissemination of personal data and to protect the privacy of individuals in
relation to their personal data.
DEFINITIONS
Definition of Personal Data
“Personal data” means data which relates to an individual who can be identified:
from that data; or
from that data together with other information which is in the possession of or is likely to come into the possession of
the data controller.
Definition of Sensitive Personal Data
“Sensitive personal data” means personal data consisting of information on a data subject’s:
racial or ethnic origin;
political opinions;
religious beliefs or other beliefs of a similar nature;
membership of a political body;
membership of a trade union;
genetic data;
biometric data;
sexual orientation or sexual life;
financial record or position;
criminal record; or
proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the
sentence of any court of competent jurisdiction in such proceedings.
NATIONAL DATA PROTECTION AUTHORITY
A Data Protection Commissioner (the "Commissioner") is responsible for the general administration of the Act.
REGISTRATION
A data controller must be registered in the Register of Data Controllers.
A data processor must be registered in the Register of Data Processors.
DATA PROTECTION OFFICERS
The data controller and the data processor must designate a data privacy officer where:
the processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in their
judicial capacity;
the core activities of the data controller or the data processor consist of processing operations which, by virtue of their
nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or
the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal
data.
The data privacy officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data
protection law and practices and the ability to fulfil the duties and functions as set out under the Act.
COLLECTION & PROCESSING
Where personal data relating to a data subject is collected from the data subject, the data controller must, at the time when
personal data is obtained, provide the data subject with the following:
the identity and the contact details of the data controller and, where applicable, of the data controller’s representative;
the contact details of the data privacy officer, where applicable;
Processing is lawful where:
the data subject has given consent to the processing of his personal data for one or more specific purposes; or
the processing is necessary
for the performance of a contract to which the data subject is a party;
for the taking of steps at the request of the data subject with a view to entering into a contract;
for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed
by contract;
in order to protect the vital interests of the data subject;
for the administration of justice;
for the exercise of any functions of either House of Parliament;
for the exercise of any functions conferred on any person by or under any enactment;
for the exercise of any functions of a public authority;
for the purposes of legitimate interests pursued by the data controller or by the third party to whom the data is
disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights
and freedoms or legitimate interests of the data subject; or
processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third
party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, in particular where the data subject is a child.
TRANSFER
Transfer of personal data is unlawful unless certain conditions are satisfied. Where the data subject has given their consent to the
transfer of their personal data, the restrictions on the transfer of the data do not apply. The Act also sets out various other
exemptions for the restrictions where transfer of the personal data is necessary e.g. for the performance of a contract between
the data subject and the data controller, reasons of substantial public interest, for the purpose of obtaining legal advice, etc.
Personal data obtained must not be transferred to a country or territory outside Barbados unless that country or territory
provides for (a) an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of
personal data and (b) appropriate safeguards on condition that the rights of the data subject are enforceable and there are
available, effective legal remedies for data subjects.
The circumstances for determining an adequate level of protection, as well as the methods for providing appropriate safeguards,
including the development of binding corporate rules, must be submitted to the Commissioner for authorisation.
The "binding corporate rules" must specify (but are not limited to) the following:
the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity
and of each of its members;
the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the
type of data subjects affected and the identification of the third country or countries in question;
their legally binding nature, both in and outside of Barbados.
SECURITY
The data controller and the data processor must implement appropriate technical and organisational measures to ensure a level of
security appropriate to the risk.
BREACH NOTIFICATION
In certain circumstances, a data controller is required to report to the Commissioner data breaches which have affected a data
subject.
Mandatory breach notification
Where there is a personal data breach the data controller must without undue delay and, where feasible, not later than 72 hours
after having become aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely
to result in a risk to the rights and freedoms of an individual.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must
communicate the personal data breach to the data subject without undue delay and, where feasible, not later than 72 hours after
having become aware of it.
ENFORCEMENT
Where the Commissioner is satisfied that a data controller or a data processor has contravened or is contravening this Act, the
Commissioner may serve him an “enforcement notice”.
In deciding whether to serve an enforcement notice, the Commissioner must consider whether the contravention has caused or is
likely to cause any person damage or distress.
ELECTRONIC MARKETING
There are no specific laws in respect of these matters.
ONLINE PRIVACY
There are no specific laws in respect of these matters.
KEY CONTACTS
Chancery Chambers
chancerychambers.com/
Angela R Robinson
Senior Associate
Chancery Chambers
T +246 431 0070
arobinson@chancerychambers.com
Giles A M Carmichael
Partner
Chancery Chambers
T +246 431 0070
gcarmichael@chancerychambers.com
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.
BELARUS
Last modified 21 February 2022
LAW
The fundamental legal act regulating personal data protection in Belarus is the Law on Personal Data Protection of 7 May 2021
No. 99-Z which entered into force on 15 November 2021 (Data Protection Law). It is the first Belarusian legal act intended
specifically for regulation of personal data protection issues.
It is also worth taking into consideration the acts adopted within the framework of the Eurasian Economic Union
(EEU), e.g. the Protocol on Information and Communication Technologies and Informational Interaction within the
Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of 29 May 2014. Following the
Decision of the Supreme Eurasian Economic Council of 11 October 2017, the EEU member states plan to
develop an initiative to conclude an Agreement on Data Circulation within the Union (including on personal data
protection). The initiative is one of the measures aimed at implementing the Main Directions for Implementation of the
Digital Agenda of the Eurasian Economic Union until 2025.
DEFINITIONS
Definition of personal data
The Data Protection Law defines "personal data" as any information relating to an identified or identifiable natural person.
In turn, an "identifiable individual" is an individual who can be directly or indirectly determined, in particular
through the surname, proper name, patronymic, date of birth or identification number, or through one or more characteristic
features of her/his physical, psychological, mental, economic, cultural or social identity.
The Law also defines “special personal data”, “biometric personal data”, “genetic personal data” and “publicly available personal
data”.
Definition of sensitive personal data
Data Protection Law defines “special personal data” which include information about race, nationality, political, religious and other
convictions, health and sexual activity; criminal conviction records; biometric and genetic personal data.
“Biometric personal data” means information describing the physiological and biological characteristics of a person, which is used
for her/his unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.), while “genetic personal
data” is defined as information related to the inherited or acquired genetic characteristics of a person, which contain unique data
on her/his physiology or health and can be identified, in particular, during the study of her/his biological sample.
NATIONAL DATA PROTECTION AUTHORITY
The National Personal Data Protection Centre (NPDPC) is the competent authority for the protection of personal data subjects’
rights. The main tasks of the NPDPC are taking measures to protect the rights of personal data subjects in the processing of their
personal data and organising training on personal data protection issues.
In accordance with these tasks NPDPC performs the following functions:
controls the processing of personal data by operators (authorised persons);
considers complaints of personal data subjects regarding the processing of personal data;
determines the list of foreign countries having proper level of data subjects’ rights protection;
issues permits for cross-border transfer of personal data, if the level of protection of personal data subjects’ rights in a
foreign country is not adequate, as well as establishes the procedure for issuing such permits;
makes proposals on the improvement of the personal data legislation, participates in the drafting of legal acts on personal
data;
provides explanations on the application of personal data legislation, carries out other explanatory work on personal data
legislation;
determines the cases in which it is not necessary to notify NPDPC of the breach of personal data protection systems;
establishes the classification of information resources (systems) containing personal data in order to determine the
technical and cryptographic protection requirements for personal data;
participates in the work of international organisations on personal data protection issues;
cooperates with authorities (organisations) for protection of rights of personal data subjects in foreign countries;
publishes annually by 15 March, the report in mass media on its activities;
implements educational programs of additional education for adults in accordance with the legislation on education;
exercises other authority established by the personal data legislation.
Contact information of NPDPC
Build. 24-3, K.Zetkin str., Minsk, 220036
T: + 375 17 367 07 90
e-mail: info@cpd.by
REGISTRATION
From 1 January 2024 operators are obliged to enter information about information resources (systems) containing personal data
into the Register of Personal Data Operators and to keep that information up to date. The types of information
resources (systems) to be entered into the Register, as well as the list of information to be included
therein, are to be determined by the Operational and Analytical Centre under the President of the Republic of Belarus (OAC) by
1 August 2022.
State information systems are registered under a separate procedure regardless of whether any personal data are
processed in them. Under Belarusian legislation, state information systems are information systems created and /
or acquired at the expense of state or local budgets or state off-budget funds, or by state legal entities. Registration is
performed by an organisation specially authorised by the Ministry, SERUE "Institute of Application Software Systems". One
of the conditions for state registration of an information system is registration of all information resources included in
that information system. Privately owned information systems may be registered under this procedure voluntarily.
According to the Edict of the President of the Republic of Belarus of 16 April 2013 No. 196 On Certain Measures for
Improvement of Information Protection (Information Protection Decree), organisations owning information systems intended for
processing of personal data are obliged to notify the OAC of the technical information protection conditions of such
systems.
DATA PROTECTION OFFICERS
The Data Protection Law obliges operators to designate a structural unit or person responsible for internal control of personal
data processing. This must be an internal unit or employees of the organisation, i.e. it is not possible to outsource the control
function. The legislation sets no mandatory requirements for the person responsible for internal control.
Consequently, the operator appoints such a person or structural unit at its discretion.
Persons responsible for internal control of personal data processing must complete training on personal data
protection at least once every five years. Depending on the type of organisation, the training may be organised at the NPDPC or
at other educational organisations. In addition, operators must annually, by 15 November, provide the NPDPC with information on
the number of persons who are to complete training at the NPDPC.
Moreover, a legal entity, including a state body, processing personal data must create an information protection system to
secure the information in the information systems used for processing such data. As part of creating such a system, the
entity must establish a special department or appoint an employee responsible for taking the required technical and cryptographic
information protection measures. According to the amendments to the Information Protection Decree, the employees of
such a department (or the responsible employee) are required to have higher education in the field of information
security or other higher or professional-technical education and to undergo training on technical and
cryptographic information protection.
If for some reason the respective departments / employees cannot take such measures themselves, a specialised organisation
licensed to perform technical and / or cryptographic information protection activities may be engaged.
COLLECTION & PROCESSING
Data Protection Law contains a wide range of legal bases for personal data processing:
data subject’s consent;
if the processing is required for:
administrative or criminal proceedings, operational-search activities;
administration of justice and the enforcement of court orders and other enforcement documents;
performing monitoring activities (supervision) in accordance with the legislation;
implementation of legislation on national security, on combating corruption, on preventing money laundering,
financing of terrorist activities and financing weapons of mass destruction proliferation;
the implementation of legislation on elections and referendum;
state social insurance purposes;
formalising employment relationships, in the process of employment activities;
notarial activities;
Belarusian citizenship issues;
assignment and payment of pensions, benefits;
the organisation and carrying out of national statistical observations;
scientific and other research purposes, on condition that the personal data are depersonalised;
accounting, calculation, charging of fees for housing and utility services, other services, taxes;
processing is based on a contract, that is concluded (being concluded) with data subject, and for the purpose of
performing actions stipulated by this contract;
if personal data are specified in a document addressed to the operator and signed by the data subject;
processing is essential for the performance of certain journalist’s activities;
processing is required to protect the subject’s life, health or other interests if obtaining of consent is not possible;
if personal data were previously disseminated;
in order to fulfil the duties/powers stipulated in legislation;
in other cases expressly provided in legislation.
The Data Protection Law sets out a different list of legal bases for the processing of special personal data and for cross-border transfer of
personal data to the territories of states that do not ensure proper protection of data subjects' rights.
The consent of the data subject can be obtained in writing, in the form of an electronic document or in another electronic form
(e.g. via a tick-box on a website or SMS/email verification). The operator must be able to prove, if required, that it has collected
proper consent for personal data processing.
Before obtaining consent, the operator must provide the personal data subject with the following information:
name (full name) and location (address of residence) of the operator;
purpose of personal data processing;
list of personal data to be processed;
consent validity term;
information about the persons authorised by the operator to process personal data (if any are engaged);
the actions to be performed on the personal data;
a general description of the processing methods;
other relevant information.
In addition, apart from other necessary information, the subject must be informed of his/her rights, the mechanism for exercising
them, and the consequences of giving and withdrawing consent.
The operator may collect the surname, first name, middle name, date of birth and identification number (or, failing that, the number of
the ID document) of the data subject only if this is required for the purposes of processing. Such information is provided by the data subject at
the time he/she gives consent.
Collection and processing of personal data shall be performed having implemented certain legal, organisational and
technical measures for personal data protection. The organisational measures may include establishing a special entrance
regime to the premises used for collection and processing, designation of employees who can have an access to such
premises and data, and differentiation of access levels to respective information. The technical measures may include using
cryptography, technical means and other possible measures of control over information protection.
TRANSFER
The general rule is that cross-border transfer is prohibited unless the foreign state provides an appropriate level of protection of
personal data subjects' rights. The NPDPC has established the list of foreign states which ensure an appropriate level of
protection. The list includes foreign states that are parties to the Council of Europe Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981.
However, there are certain exceptions under which transfer to jurisdictions with an inappropriate level of protection is allowed,
for example with the consent of the personal data subject after being informed of the possible risks, or under an individual
permit for cross-border transfer issued by the NPDPC.
SECURITY
The owners of the information systems should take appropriate technical, legal and organizational measures to secure personal
data processed in their information systems. The key technical measure is creation of the information protection system to secure
the information system of an entity intended for processing of personal data. The information protection system shall be attested
according to the procedure established by the OAC.
BREACH NOTIFICATION
Data Protection Law establishes an obligation to notify National Personal Data Protection Center on breach of systems used for
personal data protection immediately, and not later than three days after discovery, in writing or in the form of an electronic
document. This requirement does not apply where a breach of the security systems has not resulted in the unlawful
dissemination or provision of personal data, or in the modification, blocking or deletion of personal data without the possibility of restoring
access to it.
Certain additional requirements on the notification of the OAC are set for specific cases of information protection system
breaches or periodical reporting as required by Belarus law. The respective requirements are set forth in the Regulations on the
procedure for submitting information about information security events, the state of technical and cryptographic protection of
information to the OAC, as approved by the Order of the OAC of 2 February 2020 No. 66.
ENFORCEMENT
According to Data Protection Law, NPDPC supervises the processing of personal data by operators and authorised persons. In
the case of a breach of personal data legislation, NPDPC has the right to issue a demand to eliminate the detected violations
and/or to terminate personal data processing in the information resource (system). Term for elimination and/or termination is set
by the NPDPC, but shall not be longer than six months.
Violation of personal data protection legislation may result in civil, criminal and administrative liability. If the violation has led to
moral damages, the violator may be required by the court to reimburse such damages.
Since 1 March 2021 the Administrative Offences Code of Republic of Belarus stipulates specific sanctions for personal data
processing violations, including:
intentional illegal collection, processing, storage or transfer of personal data of an individual or violation of his/her rights
related to the processing of personal data may cause a fine up to 50 base units; intentional distribution – up to 200 base
units (as of 1 January 2022 one base unit equals BYN 32, approx. EUR 11);
non-compliance with requirements on data protection measures implementation may cause a fine ranging from 20
to 50 base units for legal entities.
The Criminal Code of Republic of Belarus envisages criminal liability for the following breaches:
unlawful collection or provision of information relating to the private life and (or) personal data of another person without
his/her consent: depending on the circumstances (such as the scale and gravity of the offence), a person may be sentenced to community work,
a criminal fine, arrest, or restriction or deprivation of liberty for up to two years. For unlawful distribution the sanction is
restriction or deprivation of liberty for up to three years together with a criminal fine. Higher liability may apply if the offence relates
to victims performing public functions;
failure to comply with measures to ensure the protection of personal data by a person who processes personal data,
which has inadvertently resulted in their dissemination and caused serious consequences: a person may be sentenced to
a criminal fine, deprivation of the right to occupy certain positions or perform certain activities, corrective work for
up to one year, arrest, restriction of liberty for up to two years or deprivation of liberty for up to one year.
ELECTRONIC MARKETING
Electronic marketing is subject to the rules established by the Law on Advertising of 10 May 2007 No. 225-Z (Advertising Law)
and the Law on Mass Media of 17 July 2008 No. 427-Z (Mass Media Law).
According to the general rule of the Advertising Law it is not allowed to use in advertising names, pseudonyms, images or
statements of citizens of the Republic of Belarus without their consent or the consent of their legal representatives.
Distribution of advertisements by telecommunication means (e.g. telephone, telex, facsimile, mobile telephone communications,
email) can be performed only with the consent of respective subscriber or addressee. Such consent can be made as a text
document, including document in electronic form. The consent also can be a part of an agreement for telecom services. In this
case subscriber or addressee must be informed about her/his right to demand stopping placing (distributing) advertisement to
her/him, which shall be specifically confirmed by the subscriber (addressee).
The advertisement distributor is obliged to stop advertising to a subscriber or addressee upon his / her demand, within
one working day of receiving the demand.
Individuals whose rights have been violated as a result of creation and / or distribution of an advertisement are entitled to protect
their rights in court proceedings.
According to the Mass Media Law, information about a person's private life, or audio or video recordings and photos of a person, may as a
general rule be distributed in mass media only with the consent of that person or his / her authorised representative. As an
exception, the distribution in the media of information messages and (or) materials prepared using audio or video recording, filming or
photography of an individual without her/his consent is allowed only if measures are taken to prevent the identification of that
individual by unauthorised persons, and provided that the dissemination of these messages or materials does not
violate the constitutional rights and freedoms of the individual and is necessary to protect public interests (except in the case of criminal
investigations or court proceedings).
ONLINE PRIVACY
Belarus law does not specifically regulate online privacy. General requirements on personal data protection apply.
Certain specific online privacy requirements can be established under the legislation. For example, personal data of a person, who
is a domain name administrator, can be disclosed in online WHOIS service of Belarusian domain zone only with consent of such
person. However, consent is not required if the domain name was registered in the name of an individual entrepreneur.
KEY CONTACTS
Sorainen
www.sorainen.com/
Kirill Laptev
Partner
Sorainen
T +375 17 306 2102
kirill.laptev@sorainen.com
Pavel Lashuk
Associate
Sorainen
T +375 17 306 2102
pavel.lashuk@sorainen.com
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.
BELGIUM
Last modified 30 December 2021
LAW
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force
in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on
May 25, 2018, without requiring implementation by the EU Member States through national law.
A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.
However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their
own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among
the Member States.
Territorial Scope
Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a
wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.
However, the GDPR also has extra-territorial effect. An organization that it is not established within the EU will still be subject to
the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the
” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “offering of goods or services the monitoring of their
” (Article 3(2)(b)) as far as their behaviour takes place within the EU.behaviour
The GDPR has been integrated in Belgium through a few new laws. The ‘Data Protection Act’ of July 30, 2018 provides
for the implementation of some of the GDPR provisions open to further definition, derogation or additional requirements.
It also includes the transposition of the 2016/680 Directive regarding the processing of personal data in the criminal justice
chain and the establishment of a Control body on police information (called ‘COC’). Additionally, it regulates the
authorities outside the scope of the EU law (including intelligence and security services).[1]
The Belgian Data Protection Authority, the successor of the Belgian Privacy Commission, was established by the Belgian
Federal Chamber of Representatives by the Act of December 3, 2017 (‘DPA Act’).[2] Several other laws have also been
adapted to align them with the GDPR (e.g. Video Surveillance Act).
The competent Secretary of State has announced that legislative proposals for a reform of Belgian data protection law (i.e.
both the Data Protection Act and DPA Act) would be introduced before the Federal parliament in the course of 2022.
According to public statements made by the Secretary of State, this reform would inter alia address the functioning of the
Data Protection Authority and strengthen cooperation of the Data Protection Authority with other regulators.
1. See Data Protection Act, http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&cn=2018073046&table_name=wet
2. See DPA Act, http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&table_name=wet&cn=2017120311
DEFINITIONS
“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for
“identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is
personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location
data or other factors which may identify that natural person.
Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.
The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data
relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal
convictions and offences (Article 10).
The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set
of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.
Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who
“alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor
“processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR
imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.
The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.
The Data Protection Act builds on the definitions contained in the GDPR and further clarifies some notions, such as the
notion of ‘public authority’.[1] It further adds the definitions of a ‘trusted third party’, ‘disclosure of personal data’
and ‘distribution of personal data’ in the context of the research and statistical purposes exception. The Data
Protection Act also clarifies certain concepts such as ‘processing in the substantial public interest’,[2] the ‘processing for
journalistic purposes’[3] and introduces new concepts such as ‘a joint database’.[4]
1. Art. 5 Data Protection Act.
2. Article 8 para. 1 Data Protection Act.
3. Art. 24 para. 1 Data Protection Act.
4. Article 48 Data Protection Act.
NATIONAL DATA PROTECTION AUTHORITY
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the
Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working
Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing
guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie,
processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single
establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for
enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single
establishment, the so-called “lead supervisory authority” (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory
authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects
only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
The DPA Act establishes the Data Protection Authority as the successor of the Privacy Commission which was
established under the old data protection legislation. The Data Protection Authority has the competences as set out in the
GDPR whenever that competence has not been explicitly assigned to another body.
The Data Protection Act appoints three more regulatory authorities at the federal level (COC,[1] Committee I[2] and
Committee P[3]) with varying data protection related competences next to the general Data Protection Authority. In
addition, there are also regional supervisory authorities who have been entrusted mainly with the supervision of the public
authorities of the regions.
The composition of the Data Protection Authority has proven controversial due to the involvement of some members in
government bodies. The European Commission has warned Belgium that it would start an infringement procedure before
the EU Court of Justice if the problems regarding the Data Protection Authority’s independence would not be resolved.
Therefore, a legislative proposal has been introduced before the Federal parliament at the end of 2021 to amend the DPA
Act by partially reforming the rules on the composition of the Data Protection Authority.[4]
1. Art. 231 Data Protection Act.
2. Art. 72 para. 2 °7 Data Protection Act.
3. Art. 26 °7, c) Data Protection Act.
4. Legislative proposal of 26 November 2021, amending the Act of 3 December 2017 establishing the Data Protection
Authority, in order to modify the composition of the centre of expertise so that the independence of its members
can be guaranteed (Doc. No. 55-2347/001), www.lachambre.be/flwb/pdf/55/2347/55K2347001
REGISTRATION
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general
notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of
personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases
following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or
processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory
authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by
rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain
comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data
processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable
operational undertaking.
The registration of processing activities through a notification has been abolished. However, in the public sector, the Data
Protection Act obliges the controller of processing activities in the context of police services to publish a protocol
detailing the transfer to a public authority or private body based on public interest and compliance with legal obligations.[1]
1. Art. 20 Data Protection Act.
DATA PROTECTION OFFICERS
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
it is a public authority;
its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and
systemic monitoring of data subjects on a large scale; or
its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities
(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger
corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the
DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate
to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be
told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article
38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,
awareness raising and training staff;
to advise and monitor data protection impact assessments where requested; and
to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic
law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
In addition to the GDPR, the Data Protection Act requires the appointment of a DPO depending on the impact of the
processing activity, namely if it may entail a high risk as referred to in article 35 of the GDPR when (i) a private law body
processes personal data on behalf of a federal public authority or a federal public authority transfers personal data to this
private law body in the context of police services[1] or (ii) the processing falls under the exception necessary for archiving
purposes in the public interest, scientific or historical research purposes or statistical purposes.[2] Some public authorities
regulated by the Data Protection Act are also required to appoint a DPO.[3]
The Data Protection Authority has addressed the GDPR requirements for the appointment of DPOs and the exercise of
its tasks in several cases, including in relation to the position of the DPO and its independence, the obligation to directly
report to the highest management level and the requirement that a DPO must have “expert knowledge”.
1. Art. 21 Data Protection Act.
2. Art. 190 Data Protection Act.
3. The Center for Missing and Sexually Exploited Children (Child Focus) Art. 8 para. 3 Data Protection Act; Competent
authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of
criminal penalties, including the safeguarding against and the prevention of threats to public security implementing Directive
2016/680 Art. 63 et seq Data Protection Act; Intelligence and security services Art. 91 Data Protection Act; Bodies for security
clearances, certificates and recommendations Art. 124 Data Protection Act; Coordination Unit for Threat Assessment Art. 157
Data Protection Act.
COLLECTION & PROCESSING
Data Protection Principles
Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under
these principles, personal data must be (Article 5):
processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up-to-date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which
the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and
organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability
principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to
demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping,
audit and appropriate governance will all form a key role in achieving accountability.
Legal Basis under Article 6
In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate
basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are
(Article 6(1)):
with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be
capable of being withdrawn at any time);
where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of
the data subject prior to entering into a contract;
where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited
to ‘life or death’ scenarios, such as medical emergencies);
where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority
vested in the controller; or
where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a
balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms
of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).
Special Category Data
Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in
effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an
Article 6 basis):
with the explicit consent of the data subject;
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and
social protection law or a collective agreement;
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally
incapable of giving consent;
in limited circumstances by certain not-for-profit bodies;
where processing relates to the personal data which are manifestly made public by the data subject;
where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in
their legal capacity;
where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to
the aim pursued and with appropriate safeguards;
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical
diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border
threats to health or ensuring high standards of health care and of medical products and devices; or
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with restrictions set out in Article 89(1).
Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to
processing genetic data, biometric data and health data.
Criminal Convictions and Offences data
Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an
official public authority, or specifically authorised by Member State domestic law (Article 10).
Processing for a Secondary Purpose
Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which
was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle
of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the
controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were
initially collected (Article 6(4)). These include:
any link between the original purpose and the new purpose
the context in which the data have been collected
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are
processed (with the inference being that if they are it will be much harder to form the view that a new purpose is
compatible)
the possible consequences of the new processing for the data subjects
the existence of appropriate safeguards, which may include encryption or pseudonymisation.
If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new
purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and
proportionate measure in a democratic society).
Transparency (Privacy Notices)
The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her
data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily
accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.
Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using
clear and plain language (Article 12(1)).
The following information must be provided (Article 13) at the time the data are obtained:
the identity and contact details of the controller;
the data protection officer’s contact details (if there is one);
both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate
interests for processing;
the recipients or categories of recipients of the personal data;
details of international transfers;
the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object
to processing and data portability;
where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
the consequences of failing to provide data necessary to enter into a contract;
the existence of any automated decision making and profiling and the consequences for the data subject; and
in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that
further processing, providing the above information.
Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.
Rights of the Data Subject
Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,
whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to
requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two
months where the request is onerous.
Right of access (Article 15)
A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information
about how the data have been used by the controller.
Right to rectify (Article 16)
Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to erasure (‘right to be forgotten’) (Article 17)
Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s
highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results
relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the
search results had no legal basis to process that information.
The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the
data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise
of the objection right, or of the withdrawal of consent.
Right to restriction of processing (Article 18)
Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the
accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of
the data subject, or where the legitimate grounds for processing by the controller are contested.
Right to data portability (Article 20)
Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to
processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or
have transmitted to another controller all personal data concerning him or her in a structured, commonly used and
machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xls).
Right to object (Article 21)
Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where
processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they
demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.
In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at
any time.
The right not to be subject to automated decision making, including profiling (Article 22)
Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly
affects him or her” is only permitted where:
necessary for entering into or performing a contract;
authorized by EU or Member State law; or
the data subject has given their explicit (ie, opt-in) consent.
Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain
human intervention, to contest the decision, and to express his or her point of view.
The Data Protection Act adds only a few specific rules to the general processing requirements. The age for consent of children
for the purposes of article 8.1 GDPR is 13 years.[1] When processing genetic, biometric and health data, a controller needs
to indicate who has access to these personal data, keep a list of the categories of people who have access to these data,
keep this list at the disposal of the DPA, and ensure that these people are bound by a legal, statutory or contractual
obligation of confidentiality.[2] The Data Protection Authority has adopted specific guidelines regarding the processing of
biometric data.[3]
The Data Protection Act also provides a list of legal bases for processing data relating to criminal convictions and offences
and requires an access management list and confidentiality duties (as described here above) for processing such data.[4]
Data subject rights
The Data Protection Act provides further exceptions to data subject’s rights, including the right to be informed when
personal data is received from authorities under special regimes[5] or when personal data is disclosed to these bodies.[6]
With respect to the special regimes addressed in the Data Protection Act, the Data Protection Act also sets out the
corresponding data subject rights (which are often more limited than those included in the GDPR).[7]
The Data Protection Act clarifies that data subject rights, including the right to information in judicial
proceedings/decisions, will be accommodated in accordance with the Judicial Code, the Code on Criminal proceedings
and any specific laws related to criminal law procedure.[8]
1. Art. 7 Data Protection Act.
2. Art. 9 Data Protection Act.
3. Data Protection Authority, Recommendation on the processing of biometric data (No. 1-2021, 1 December 2021).
4. Art. 10 Data Protection Act.
5. Art. 11, Art. 13 and Art. 14 Data Protection Act.
6. Art. 12 Data Protection Act.
7. Art. 36 et seq, Art. 79, Art. 105 (9), Art. 113, Art. 145, Art. 173 Data Protection Act.
8. Art.16 Data Protection Act.
TRANSFER
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and
Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides
for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),
Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor
and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of
appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU – U.S. Privacy
Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and
in some cases seek prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
explicit informed consent has been obtained;
the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject
between the controller and another natural or legal person;
the transfer is necessary for important reasons of public interest;
the transfer is necessary for the establishment, exercise or defence of legal claims;
the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
the transfer is made from a register which according to EU or Member State law is intended to provide information to the
public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the
purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data
subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised
or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in
force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is
no other legal basis for transfer will infringe the GDPR.
No general additional requirements relating to transfers are introduced by the Data Protection Act. The Data Protection
Act only regulates the transfer of personal data under the special regimes, which in certain cases provides for less leeway
for transfers.[1]
1. Art. 66-70, Art. 93-94, Art. 126-127, Art. 159-160 Data Protection Act.
SECURITY
Security
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,
context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account
of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’
approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute
adequate security:
the pseudonymization and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical
incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for
ensuring the security of the processing.
The Data Protection Act inserts no general additional requirements in relation to security measures. In the context
of archiving, scientific or historical research purposes or statistical purposes, the Data Protection Act sets out specific
rules including anonymization or pseudonymization requirements.[1]
Security measures are also detailed for each special regime but resemble the GDPR.[2]
1. Art. 198 et seq Data Protection Act.
2. Intelligence and security services Art. 88-89 Data Protection Act, Bodies for security clearances, certificates and
recommendations Art. 121-122 Data Protection Act, Coordination Unit for Threat Assessment Art. 154-155 Data Protection Act,
Passenger Information Unit Art. 179-180 Data Protection Act.
BREACH NOTIFICATION
The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,
and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as
any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed” (Article 4).
The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours
after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and
freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is
also required to notify the affected data subjects without undue delay (Article 34).
Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming
aware of the breach (Article 33(2)).
The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals
and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the
breach and the measures taken to mitigate harm (Article 33(3)).
Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory
authority) and permit audits of the record by the supervisory authority.
No general additional requirements are inserted in the Data Protection Act relating to data breaches.
Data breach obligations are also detailed for each special regime, but they resemble those contained in the GDPR.
ENFORCEMENT
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million
(whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of
an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that
‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European
Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the
Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the
specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same
undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be
scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent
for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some
circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen
whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of
the preceding year, whichever is higher, apply to infringement of:
the basic principles for processing including conditions for consent;
data subjects’ rights;
international transfer restrictions;
any obligations imposed by Member State law for special cases such as processing employee data; and
certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide
turnover of the preceding year, whichever is the higher, apply to infringement of:
obligations of controllers and processors, including security and data breach notification obligations;
obligations of certification bodies; and
obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,
proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site
data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to
receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means
that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf
(Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against
a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
In addition to the GDPR, the Data Protection Act introduces a specific procedure for actions for injunctions that can be
initiated by the data subject or by the Data Protection Authority (DPA).[1] These claims should be brought before the
President of the Court of First Instance except when the personal data is processed in criminal investigations or
procedures.[2] There is no single court territorially competent to hear these claims.[3]
The Data Protection Act also contains a legal basis that allows a body, organisation or non-profit organisation to
represent the data subject upon its request when it:
was founded in accordance with Belgian law
has legal personality
has statutory objectives of public interest
has been active in the area of the protection of personal data for at least 3 years.[4]
The DPA can impose administrative fines under article 83 of the GDPR,[5] but public authorities, their agents and
authorised representatives are exempted insofar as they are not offering goods or services on the market.[6] A supervisory
authority can exercise the corrective measures set out in article 58.2 GDPR but, with regard to public authorities, only over
the categories enumerated in the Data Protection Act.[7]
Depending on the infringement and the infringer, the controller, processor, competent public authority or their agent can
be subjected to criminal sanctions, such as criminal fines between EUR 800 and EUR 160,000 and publication of the
judgement.[8]
The DPA consists of 6 different Committees. The Inspection Committee of the DPA enjoys investigation powers, such
as to identify persons, interview persons, conduct written interrogations, conduct on-site investigations, consult
information systems and copy the data they contain, consult information electronically, seize or seal goods or computer
systems and demand the identification of the subscriber or the normal user of an electronic communication service or of
the electronic means of communication used.[9] Additionally, the inspector-general and the inspectors of the Inspection
Committee may order the temporary suspension, restriction or freezing of the data processing activities that are the
subject of an investigation if this is necessary to avoid a serious, immediate and difficult to repair disadvantage.[10] They can
also request further information.[11]
The Litigation Chamber can inter alia follow up on a complaint but also propose a settlement, formulate warnings and
reprimands, order compliance with data subjects’ requests to exercise their rights, order the suspension of cross-border
data flows and can also impose periodic penalty payments and/or administrative fines.[12]
Specific provisions according to Art. 85 to 87 and Art. 89 GDPR
The legislator has made use of the opportunity offered by the GDPR to provide exemptions or derogations from
certain obligations when the processing is carried out for journalistic purposes and the purposes of academic, artistic or
literary expression. For those purposes, the Data Protection Act exempts the controller not only from respecting certain
data subjects’ rights under the GDPR but also some obligations of the controller (e.g. notification in case of breaches,
transfer requirements, etc) and the investigative powers of the DPA.[13]
The Data Protection Act also introduces two regimes for the derogations relating to the processing for archiving,
scientific or historical research purposes or statistical purposes:
general safeguards requiring among others register,[14] information,[15] contractual and security requirements, or
compliance with a code of conduct.[16]
The Data Protection Act does not include other derogations relating to employment.
1. Art. 211 par. 3 Data Protection Act.
2. Art. 209 Data Protection Act.
3. Art. 209 par. 2 Data Protection Act.
4. Art. 220 par. 2 Data Protection Act.
5. Art. 101 DPA Act.
6. Art. 221 par. 2 Data Protection Act.
7. Art. 221 par. 1 Data Protection Act.
8. Art. 222 et seq Data Protection Act.
9. Art. 66 DPA Act.
10. Art. 70 DPA Act.
11. Art. 76 DPA Act.
12. Art. 95 DPA Act.
13. Art. 24 Data Protection Act.
14. Art. 193 Data Protection Act.
15. Art. 194 Data Protection Act.
16. Art. 187 Data Protection Act.
ELECTRONIC MARKETING
The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address
which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate
interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon,
the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate
clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely
the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).
Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic
marketing) at any time (Article 21(3)).
Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive
2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced
by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its
draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,
GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.
As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR
standard for consent.
The Data Protection Act applies to most electronic marketing activities, as there is likely to be processing of personal data
involved (e.g. an email address is likely to be ‘personal data’ for the purposes of the Data Protection Act). The Data
Protection Act does not contain additional rules to the GDPR for the use of personal data for the purposes of electronic
marketing.
However, specific rules are set out in the Belgian e-commerce legislation (Book XII of the Code of Economic Law)
regarding opt-in requirements:
These rules apply to all ‘electronic messages’, such as emails and text messages (Short Message Systems or SMS).
Other types of electronic communication such as instant messaging and chat may also fall within the scope of
these rules depending on the specific context. This covers not only clear promotional messages, but also
newsletters and similar communications. Indeed, any form of communication intended to directly or indirectly
promote goods, services, the image of a company, organisation or person which/who exercises a commercial,
industrial or workmanship activity or regulated profession falls within the scope of these rules.
As a general principle, the prior, free, specific and informed consent of the recipient of the message must be
obtained (‘opt-in principle’).
Two exceptions apply to the opt-in principle. No prior, free, specific and informed consent is to be obtained if:
the electronic marketing message is sent to existing customers of the service provider, or
the electronic message is sent to legal persons (e.g. to a general email address such as
info@company.com).
These exceptions are subject to compliance with strict conditions.
Furthermore, all electronic messages must contain a clear reference to the recipient’s right to opt out, including
means to exercise this right electronically.
Neither the Data protection Act nor the DPA Act include specific provisions on electronic marketing.
The Data Protection Authority has adopted specific guidelines regarding direct marketing.[1]
1. Data Protection Authority, Recommendation on the processing of personal data for direct marketing purposes (No. 1-2020, 17
January 2020).
ONLINE PRIVACY
Cookies
Article 5 (3) of the E-Privacy Directive has been implemented into Belgian Law by means of an amendment to article 129 of the
Belgian Electronic Communication Act.
The use and storage of cookies and similar technologies requires:
the provision of clear and comprehensive information, and
consent of the website user.
Consent is not required for cookies that are:
used for the sole purpose of carrying out the transmission of a communication over an electronic communications
network, or
strictly necessary for the provision of a service requested by the user.
Neither the Data Protection Act nor the DPA Act include specific provisions on cookies.
The DPA has recently provided useful additional guidance related to topics such as cookie walls, social media plugins and the
validity of consent through browser settings.
Download DLA Piper’s Guide on Cookies: https://www.dlapiper.com/en/uk/insights/publications/2020/11/european-law-on-cookies/
Location data
As location data are personal data, the processing of these data must comply with the general rules stipulated by the GDPR, the
Data Protection Act and, depending on the context, article 129 of the Belgian Electronic Communication Act. Neither the Data
Protection Act nor the DPA Act include specific provisions on location data.
In addition, article 123 of the Belgian Electronic Communication Act stipulates that mobile network operators may process
location data of a subscriber or an end user only to the extent that the location data has been anonymised, or if the processing is
carried out in the framework of the provision of a service regarding traffic or location data.
The processing of location data in the framework of a service regarding traffic or location data is subject to strict conditions set
forth in article 123.
Traffic data
As traffic data constitute personal data, the processing of traffic data must comply with the general rules stipulated by the GDPR,
the Data Protection Act and, depending on the context, article 129 of the Belgian Electronic Communication Act. Neither the
Data Protection Act nor the DPA Act include specific provisions on traffic data.
However, in accordance with article 122 of the Belgian Electronic Communication Act, mobile network operators are required to
delete or anonymise traffic data of their users and subscribers as soon as such data is no longer necessary for the transmission of
the communication (subject to compliance with cooperation obligations with certain authorities).
Subject to compliance with specific information obligations and subject to specific restrictions, operators may process
certain traffic data for the purposes of:
invoicing and interconnection payments
marketing of the operator’s own electronic communication services or services with traffic or location data (subject to
the subscriber’s or end user’s prior consent), and
fraud detection
KEY CONTACTS
Kristof De Vulder
Partner
T +32 (0) 2 500 15 20
kristof.devulder@dlapiper.com
Heidi Waem
Counsel
T +32 2500 1614
heidi.waem@dlapiper.com
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.
BENIN
Last modified 10 January 2022
LAW
The data protection regime in Benin is governed by two pieces of legislation, namely Law No. 2017-20 of April 20, 2018 on
the Digital Code and Law No. 2009-09 of May 22, 2009 dealing with the Protection of Personally Identifiable Information.
The Law on the digital code deals with the collection, treatment, transmission, storage, and use of personal data by a person, the
state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data
contained in files, or any processing of data for public security, defence, research, prosecution of criminal offenses, or the security
and essential interests of the state.
By contrast, the Law on the Protection of Personally Identifiable Information relates to the digital processing of personally
identifiable information in digital files or manuals, as well as personal identification mechanisms based on nominative, personal, and
biometric information processed alongside a national ID number.
DEFINITIONS
Definition of Personal Data
Personal data is defined as any information relating to an identified or identifiable natural person, with express reference
to sound and image (Article 1 of the Digital Code).
Definition of Sensitive Personal Data
Pursuant to Article 1 of the Digital Code, the following personal data is considered ‘sensitive’ and is subject to specific processing
conditions: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade union
membership; genetic data; health-related data; data concerning a person’s sex life or sexual orientation; and data relating to
criminal prosecutions and administrative penalties.
NATIONAL DATA PROTECTION AUTHORITY
The APDP (the Beninese data protection authority) is the regulator for data in the Republic of Benin. It is an independent
administrative body with legal personality that ensures the application of the provisions of the Digital Code and the right to
privacy.
The APDP’s powers and responsibilities include:
raising public awareness of the risks, rules, and rights surrounding the processing of personal data;
authorising or denying requests for processing;
receiving and investigating complaints about the misuse of personal data;
conducting necessary inspections regarding personal data processing, and obtaining all information and documents needed;
informing data controllers of alleged violations of the law and issuing mandatory measures for remedying these violations;
imposing administrative sanctions on data controllers in the case of noncompliance;
informing the public prosecutor of offenses committed under the law;
keeping a public register of personal data processing operations;
issuing public opinions on the state of data protection law;
proposing amendments to simplify and improve data protection legislation, where necessary; and
cooperating with international data protection authorities to share information and assistance, as well as participating in
international negotiations.
Data controllers are required to file an annual report with the APDP concerning compliance with the processing.
REGISTRATION
There is no country-wide system of registration in the Republic of Benin. However, the law imposes an obligation of notification and
requires the controller to keep a register of processing activities carried out under its responsibility.
Pursuant to Article 405 of the Digital Code, automated or non-automated processing carried out by public or private bodies and
involving personal data must, prior to their implementation, be the subject of a prior declaration to the Authority or be entered in
a register kept by the person designated for that purpose by the controller.
All processing of personal data is subject to a reporting obligation to the Authority, except for the exemptions provided for in
Book V of the Digital Code (see Articles 408, 410, 411, and 417 of the Digital Code).
In terms of Article 435 of the Digital Code, each controller and, where applicable, the controller’s representative shall keep a
register of the processing activities carried out under their responsibility.
This register shall include all of the following information:
the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative
and the data protection officer;
the purposes of the processing;
a description of the categories of data subjects and categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third
countries or international organisations;
where applicable, transfers of personal data to a third country or to an international organisation, including the
identification of that third country or international organisation;
the time limits for the deletion of the different categories of data;
a general description of technical and organisational security measures.
Each processor and, where applicable, the processor’s representative shall also maintain a record of all categories of processing
activities performed on behalf of the controller including:
the name and contact details of the sub-processor(s) and of each controller on whose behalf the processor is acting and,
where applicable, the names and contact details of the controller’s or processor’s representative and of the data
protection officer;
the categories of processing carried out on behalf of each controller;
where applicable, transfers of personal data to a third country or to an international organisation, including the
identification of that third country or international organisation and, in the case of transfers, the documents attesting to
the existence of appropriate safeguards;
a general description of the technical and organisational security measures.
The above-mentioned records must be in written form, including electronic form.
The controller or processor and, if applicable, their representative shall make the register available to the Authority upon
request.
The obligation to keep a register does not apply to small and medium-sized enterprises except in the following cases:
if the processing they carry out is likely to involve a risk to the rights and freedoms of the data subjects;
if it is not occasional or if it concerns in particular the special categories of data referred to in Article 394 paragraph 1 of
the Digital Code, or personal data relating to criminal convictions and offences.
DATA PROTECTION OFFICERS
According to the Article 430 of the Digital Code, a Data Protection Officer (DPO) must be appointed when the data controller is
a state-owned organisation or when the activities of the data controller or data processor involve monitoring individuals or
processing of sensitive data on a large scale.
Outside those cases the Digital Code imposes no strict duty to appoint a DPO, but organisations that have appointed one are exempt
from notifying the APDP of their data processing (Article 408 of the Digital Code).
COLLECTION & PROCESSING
Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under
these principles, personal data must be (Article 383):
processed lawfully, fairly and transparently;
collected for specific, explicit, and legitimate purposes and not subsequently processed in a manner inconsistent with
those purposes;
processed appropriately, in a manner relevant and not excessive with regard to the purposes for which they are collected
and processed;
accurate and, if necessary, updated. All reasonable steps must be taken to ensure that inaccurate or incomplete data is
erased or corrected;
kept in a form that allows the identification of data subjects for a period not exceeding that necessary to achieve the
purposes for which they are collected or for which they are processed;
processed in a manner that ensures appropriate security of personal data.
Notwithstanding the above, the overriding principle governing the processing of personal data in Benin is the prior consent of the
data subject (see Article 6 of the Data Protection Law and Article 389 of the Digital Code).
There are some exceptions to this principle. The prior consent of a data subject is not required when processing the data is meant
to:
comply with a legal obligation to which the controller is subject
perform a task in the public interest or a task falling within the exercise of public authority, which is entrusted to the
controller or the third party to whom the data are shared
perform a contract to which the data subject is a party or perform pre-contractual measures taken at the request of the
data subject
protect fundamental interests or rights
perform certain activities in the framework of journalism, research or artistic or literary expression in compliance with
the ethical rules of these professions
When the processing is entrusted to a subcontractor, the controller or, where appropriate, his representative in the Republic of
Benin, must:
choose a subcontractor providing sufficient guarantees with regard to the technical and organisational security
measures governing the processing
conclude a contract with the processor either in writing or via electronic means
define among other things the responsibility of the processor towards the data controller and the obligations incumbent
on it regarding the privacy and security of the data
Under the applicable data protection law in Benin, individuals possess the following rights:
right to obtain all their personal data in a clear format, as well as any available information as to their origin;
right to withdraw consent for personal data processing at any time;
the right to object, for lawful reasons, to the processing of their personal data;
right to oppose the processing of their personal data for marketing purposes;
right to rectify or erase personal data when it is deemed inaccurate or incomplete;
right to not be subject to decisions made on the sole basis of an automated processing that would produce significant risks
or harm;
right to be forgotten, or to have information made public about themselves deleted from records; and
right to obtain damages from data controllers when a breach occurs, leading to a material or non-pecuniary damage to a
person.
Right to be informed
Data controllers must provide data subjects with information describing, among other things:
the processing activities, such as data category;
the purpose of processing;
data recipients;
the existence of profiling activities; and
the identity and contact details of the data controller, and the data subject’s rights.
Right to access
Any natural person whose personal data is processed may request from the controller information making it possible to know and
contest the processing of their personal data, communication in intelligible form of data to personal character that concerns them
as well as any available information as to their origin.
Right to rectification
Any natural person may require the data controller to correct, complete, update, block or delete, as the case may be and as
soon as possible, personal data concerning him which is inaccurate, incomplete, ambiguous, out of date or irrelevant, or whose
collection, use, disclosure or retention is prohibited. To exercise the right of rectification or deletion, the interested party sends
a dated and signed request, by post or electronically, to the controller or his representative.
Within 45 days following receipt of that request, the controller communicates the rectifications or erasures made to the data
subject and to any persons to whom the data that were inaccurate, incomplete, equivocal, outdated or irrelevant, or whose
collection, use, communication or storage is prohibited, had been communicated.
Right to erasure
See section above.
Right to object/opt-out
Any natural person has the right to object, at any time and for legitimate reasons, to the processing of personal data concerning
them. They have the right, on the one hand, to be informed before data concerning them is communicated for the first time to
third parties or used on behalf of third parties for prospecting purposes (in particular commercial, charitable or political) and, on
the other hand, to be expressly offered the right to oppose, free of charge, that communication or use.
Right to data portability
Data subjects have the right to receive the personal data concerning them that they have provided to a controller, in a structured,
commonly used and machine-readable format, and have the right to transmit this data to another controller processing without
the controller to whom the personal data has been communicated obstructing it, when:
the processing is based on consent or on a contract; and
the processing is carried out using automated processes.
When the data subject exercises his right to data portability in application of the first paragraph, he has the right to obtain that the
personal data are transmitted directly from one controller to another, when this is technically possible.
This right does not apply to processing necessary for the performance of a task of public interest or relating to the exercise of
public authority vested in the controller. The right referred to in the first paragraph does not infringe the rights and freedoms of
third parties.
TRANSFER
A personal data processor may transfer data to a foreign country if the receiving country ensures an adequate level of protection
for the privacy and human rights and freedoms of the persons concerned.
The level of protection will be assessed according to:
the data protection laws of the recipient country;
the security measures in place; and
the characteristics of the processing (purpose, duration, nature, origin and destination of the processed data).
It is worth noting that even where a recipient country is not deemed ‘safe’ in protecting data, the APDP may still approve a
transfer if it is accompanied by protective measures such as contractual clauses or binding internal rules.
For instance, some data, such as biometric data, health data, data related to serious infringements, and data regarding crime, will
be considered as involving specific risks to individuals’ human rights and freedoms. Transfers of these data will need to be approved
under Article 41 of the Law on the Protection of Personally Identifiable Information.
SECURITY
The Law on the Digital Code adopts a proportionate, context-specific approach to security.
Article 426 of this Law states that in order to guarantee the security of personal data, the controller and/or its processor must
implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction
or accidental loss, alteration, unauthorised disclosure or access, interception, in particular where the processing involves the
transmission of data over a network, and against all other forms of unlawful processing.
These measures must ensure an appropriate level of security, taking into account, on the one hand, the state of the art in the field
and the costs of implementing the measures and, on the other hand, the nature of the data to be protected and the potential risks.
It is also the responsibility of the data controller, his representative and the sub-processor to ensure compliance with these
security measures.
The Law on the Digital Code does require controllers and processors to consider the following when assessing what might
constitute adequate security:
the pseudonymization and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical
incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for
ensuring the security of the processing.
No specific requirements other than those set forth in the Law.
BREACH NOTIFICATION
A data controller must notify the Commissioner of the APDP of any breach to the security safeguards of personal data, without
delay (Article 427 of The Law on the Digital Code).
The notification must, at a minimum:
describe the nature of the security breach that affected personal data including, if possible, the categories and approximate
number of individuals affected by the breach and the categories and approximate number of personal data records
affected;
provide the name and contact information of the Data Protection Officer or other point of contact from whom additional
information can be obtained;
describe the likely consequences of the security breach;
describe the steps taken or proposed to be taken by the controller to remedy the security breach, including, if applicable,
steps to mitigate any adverse consequences.
ENFORCEMENT
Not applicable.
ELECTRONIC MARKETING
The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an
email address which includes the recipient’s name).
The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 245 of the Law No.
2017-20 of April 20, 2018 on the digital code in the Republic of Benin).
Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 334 of
the Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin.
The data subject has the right to object at any time to the use of his/her personal data for such marketing.
This right to object must be explicitly brought to the attention of the data controller.
However, the data controller may not respond favorably to a request to exercise the right to object if it demonstrates the
existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data
subject.
ONLINE PRIVACY
Not applicable.
KEY CONTACTS
Geni & Kebe
www.dlapiperafrica.com/senegal
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Dr. Sangare Mouhamoud
Associate
Geni & Kebe
T +2250779107541
m.sangare@gsklaw.sn
Dr. Francky Lukanda
Senior Associate
Geni & Kebe
T +2250584344660
f.lukanda@gsklaw.sn
BERMUDA
Last modified 24 January 2022
LAW
The Bermuda legislature passed a comprehensive legislative framework that specifically addresses issues of data protection in the
form of the Personal Information Protection Act 2016 (PIPA). The principal provisions of PIPA are not yet in force but are
expected to come into force in 2022.
Apart from PIPA, Bermuda law recognizes a duty of confidentiality in certain circumstances under the common law.
DEFINITIONS
Definition of use
PIPA applies to the “use” of personal information, and defines “use” as carrying out any operation on personal information,
including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting,
disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.
Definition of personal data
PIPA provides for a definition of “personal information” as meaning “any information about an identified or identifiable individual”.
At common law, information is generally to be regarded as ‘confidential’ if it has a necessary quality of confidentiality and has been
communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if
obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party
who is subject to a duty of confidentiality.
Definition of sensitive personal data
PIPA provides for a definition of “sensitive personal information” as meaning “any personal information relating to an individual’s
place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental
disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric
information or genetic information”.
NATIONAL DATA PROTECTION AUTHORITY
Alexander White, a US lawyer, has been appointed Privacy Commissioner with effect from 20 January 2020. He will be responsible
for setting up the Privacy Commissioner’s Office, hiring and training staff, undertaking investigations, providing reports and
developing public awareness of the rights of individuals and the obligations of organisations under PIPA.
REGISTRATION
There is no system of registration and none provided for in PIPA.
DATA PROTECTION OFFICERS
There is currently no requirement to appoint a data protection officer. Once PIPA is fully in force, organisations covered by the
legislation will be required to appoint a “privacy officer” for the purposes of compliance with PIPA.
COLLECTION & PROCESSING
Once fully in force, PIPA will regulate the collection and processing of personal information and will apply to any individual, entity
or public authority collecting, storing and using personal information in Bermuda either electronically or as part of a structured
filing system. The use to which sensitive personal information can be put by an organisation is much more restrictive.
The common law, which will continue to apply in parallel with PIPA, will in certain cases consider it a breach of confidence to
misuse or threaten to misuse confidential information. The concept of ‘misuse’ is a broad one, but will often include any
unauthorised disclosure, examination, copying or taking of confidential information. The precise scope of the term however will
depend largely on the specific circumstances, including the relevant relationship and the nature of the information.
TRANSFER
Once fully in force, PIPA will regulate the transfer of personal information to an overseas third party. The legislation provides that
the Privacy Commissioner can designate jurisdictions as providing comparable protection to Bermuda law. In other cases, the
organisation subject to PIPA will be required to employ contractual mechanisms, corporate codes of conduct or other means to
ensure that the overseas third party provides comparable protection for the personal information.
SECURITY
Once fully in force, PIPA will make provision for the implementation of proportional security safeguards against risk including loss,
unauthorised access, destruction, use, modification or disclosure. In addition, a person who misuses or divulges confidential
information (deliberately or otherwise) may be liable at common law.
BREACH NOTIFICATION
Once fully in force, PIPA will require notification of a breach of security leading to the loss or unlawful destruction or
unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual to (a) the individual
concerned; and (b) the Privacy Commissioner.
The notice to the Commissioner must describe the nature of the breach, its likely consequences for the individual concerned, and
the measures the organisation is taking to address the breach.
ENFORCEMENT
Once fully in force, PIPA will make provision for investigations and inquiries by the Privacy Commissioner and for a range of
remedial orders that may be imposed by the Commissioner. It also provides for a claim for compensation for financial loss or
emotional distress for failure to comply with the legislation (subject to a reasonable care defence). In addition, PIPA makes
provision for criminal offences and penalties (including imprisonment) for misuse of personal information. In addition, a breach of
the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction. These
remedies are to be sought through, and enforced by, the Bermuda courts.
An individual convicted of an offence under PIPA will be liable to a fine of up to BMD 25,000 and/or to imprisonment for up to
two years. An organisation convicted of an offence under PIPA will be liable to a fine of up to BMD 250,000. Proceedings can be
brought against company directors and other officers in a personal capacity.
ELECTRONIC MARKETING
The Electronic Transactions Act 1999 provided that the Minister responsible for electronic commerce had the power to issue a
standard to apply to intermediaries or e-commerce service providers and such a standard was issued by the Minister on 5 May
2000 and came into force on 3 July 2000 (Standard). The definition of “e-commerce service provider” is “a person who uses
electronic means in providing goods, services or information” while an “intermediary” (with respect to an electronic record)
means “a person who, on behalf of another person, sends, receives or stores that electronic record or provides other services
with respect to that electronic record”. The Standard set out certain “Safe Harbour Guidelines” which included certain privacy
requirements and the prohibition on the sale or transfer of personal data or business records of customers to another person for
the purposes of sending bulk, unsolicited electronic records.
ONLINE PRIVACY
Once fully in force, PIPA will make special provision based on parental consent for certain uses of personal information about a
child under the age of 14. Subject to this, there are no specific restrictions addressing online privacy of confidential information
beyond those generally applicable to the use of confidential information.
KEY CONTACTS
Carey Olsen
www.careyolsen.com/
Michael Hanson
Managing Partner
Carey Olsen
T +1 441 542 4501
michael.hanson@careyolsen.com
Keith Robinson
Partner
Carey Olsen
T +1 441 542 4502
keith.robinson@careyolsen.com
BOLIVIA
Last modified 24 January 2022
LAW
Bill of Personal Data Protection;
The Political Constitution of the Plurinational State of Bolivia, in Article Nº130.
Any individual or collective person who believes to be unduly or illegally prevented from knowing, objecting or obtaining the
deletion or rectification of the data registered by any physical, electronic means, magnetic or computer, in public or private files or
databases, or that affect their fundamental right to personal or family privacy, or in their own image, honor and reputation, may file
a Private Protection Action.
DEFINITIONS
Definition of personal data
Any information about an identified or identifiable natural person, expressed by numbers, alphabetic letters, graphics, photographs,
alphanumeric symbols, acoustic forms or any other type of data. A person is considered identified when their identity can be
determined directly or indirectly, provided this does not require disproportionate time or effort.
Definition of sensitive personal data
Data that refers to the intimate sphere of the individual, or whose inappropriate use can cause discrimination of any type or high
risk to the particular individual.
NATIONAL DATA PROTECTION AUTHORITY
The Personal Data Authority is the Agency of Electronic Government and Information and Communication Technologies
(AGETIC).
REGISTRATION
Registration is not prescribed by the Bill of Personal Data Protection; however, the Bill establishes that personal data can only be
processed with the consent of its owner, unless by court order issued for reasons of public interest. It is not yet established
whether entities or persons interested in the personal data of a third party must request authorization from the Personal Data
Protection Authority.
DATA PROTECTION OFFICERS
The President of the Personal Data Authority is the principal officer and has an Executive Council with three members:
the General Director of the Agency of Electronic Government and Information and Communication Technologies (AGETIC); and
two designated members from the Executive Council.
The Executive Council of the Personal Data Protection Authority will be assisted by a Consultative Council composed of six
members:
a person with human rights experience;
a judicial organ representative;
an electoral organ representative;
a Public Ministry representative;
an academic area representative; and
a private sector representative.
COLLECTION & PROCESSING
Under the legitimation principle, the person responsible within the Personal Data Protection Authority may only process personal
data when the owner grants his consent for one or more specific purposes, when necessary for the fulfilment of a court order,
for the defence or recognition of the rights of the holder/owner before a public authority, to protect the vital interests of the
holder/owner or of another natural person; among other legitimate and informed reasons.
TRANSFER
Nothing in the Bill of Personal Data Protection is established concerning transfer.
SECURITY
The person responsible for the personal data bank must adopt technical, organizational and legal measures that guarantee its
security and prevent its alteration, loss, unauthorized processing or unauthorized access.
The requirements and conditions that personal data banks must meet regarding security are established by the National Authority
for the Protection of Personal Data, except for the existence of special provisions contained in other laws.
The processing of personal data in data banks that do not meet the requirements and security conditions is prohibited.
BREACH NOTIFICATION
When the person in charge becomes aware of a breach of security of personal data at any stage of the processing, understood
as any damage, loss, alteration, destruction, access and, in general, any illegal or unauthorized use of personal data, even when it
occurs accidentally, they must immediately notify the control authority and the affected owners of the breach.
The foregoing does not apply when the person in charge can prove, according to the principle of proactive responsibility, the
impossibility of the security breach that has occurred, or that it does not represent a risk to the rights and freedoms of the
owners involved.
The notification made by the person responsible to the affected owners will be written in a clear and simple language.
The notification should contain at least the following information:
the nature of the incident;
the personal data compromised;
corrective actions carried out immediately;
recommendations to the holder about the measures that can help protect their interests; and
the means available to the holder to obtain more information.
The person responsible shall document any breach of the security of the data that occurred at any stage of the treatment,
identifying, but not limited to, the date on which they discovered the reason for the breach, the related facts, their effects and the
corrective measures implemented immediately and definitively, which will be available to the supervisory authority.
The Regulation on the Right to Protection of Personal Data addresses the effects of security breach notifications made by the
person in charge to the Control Authority, in regard to the procedures, form and conditions of the Authority's intervention to
safeguard the interests, rights and freedoms of the affected owners.
There is no mandatory breach notification requirement under the Data Protection Law.
ENFORCEMENT
The competent authority for the enforcement of the Data Protection Law is the Personal Data Authority, the Agency of
Electronic Government and Information and Communication Technologies (AGETIC). However, considering that the Authority
has not yet been created, enforcement may be distributed to other legislative organs in the future.
ELECTRONIC MARKETING
There is nothing legally established in Bolivia concerning electronic marketing.
ONLINE PRIVACY
There is nothing established about online privacy, or cookies, or location data.
KEY CONTACTS
Guevara & Gutierrez
gg-lex.com/
Marcos Mercado Delgadillo
Guevara & Gutierrez
mmercado@gg-lex.com
Jorge Luis Inchauste Comboni
Guevara & Gutierrez
jinchauste@gg-lex.com
BONAIRE, SINT EUSTATIUS AND SABA
Last modified 7 January 2022
LAW
Personal Data Protection Act BES (Wet bescherming persoonsgegevens BES) (the “Personal Data Protection Act BES”);
General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on
May 25, 2018.
DEFINITIONS
Definition of Personal Data
Personal Data Protection Act BES
Article 1 paragraph 2 of the Personal Data Protection Act BES defines personal data as any data concerning an identified or
identifiable natural person.
GDPR
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one
who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
Definition of Sensitive Personal Data
Personal Data Protection Act BES
A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade
union.
GDPR
Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic
data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
NATIONAL DATA PROTECTION AUTHORITY
Personal Data Protection Act BES
The Personal Data Protection Committee as referred to in article 44 of Personal Data Protection Act BES.
GDPR
An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The
authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of
natural persons in relation to processing and to facilitate the free flow of personal data within the EU.
REGISTRATION
Personal Data Protection Act BES
No registration required.
GDPR
Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data
processing activities carried out by the company.
DATA PROTECTION OFFICERS
Personal Data Protection Act BES
Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and
organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee
an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks
associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing
unnecessary gathering and further processing of personal data.
Besides the measures above, the Personal Data Protection Act BES does not contain any clauses on any type of registration, filings
of documents to any public agency or having a mandatory data protection officer in place.
GDPR
The appointment of a data protection officer under the GDPR is only mandatory in three situations:
When the organisation is a public authority or body;
If the core activities require regular and systematic monitoring of data subjects on a large scale; or
If the core activities involve large scale processing of special categories of personal data and data relating to criminal
convictions.
COLLECTION & PROCESSING
Personal Data Protection Act BES
Collecting and processing: any act or set of acts relating to personal data, including in any case the collection, recording,
organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other
form of making available, bringing together, as well as data blocking, erasure or destruction of data.
GDPR
Collection: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain
purposes, such as a website that markets to users based on their online behaviour.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the
controller. Processors act on behalf of the relevant controller and under their authority.
TRANSFER
Personal Data Protection Act BES
Article 42 of Personal Data Protection Act BES stipulates that personal data that is subject to processing or that are intended to
be processed after its transfer may only be transferred to a country outside the European Union if, without prejudice to
compliance with the law, that country guarantees an adequate level of protection.
GDPR
The GDPR restricts transfers of personal data outside the European Economic Area, or outside the protection of the GDPR, unless
the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of
exceptions applies.
SECURITY
Personal Data Protection Act BES
Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and
organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee
an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks
associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing
unnecessary gathering and further processing of personal data.
GDPR
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as
well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor
shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32
GDPR).
BREACH NOTIFICATION
Personal Data Protection Act BES
Contains no specific clauses.
GDPR
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after
having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55
GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
ENFORCEMENT
Personal Data Protection Act BES
Pursuant to the Personal Data Protection Act BES the committee is authorized to impose an order under administrative coercion
to enforce the obligations laid down by or pursuant to the Personal Data Protection Act BES.
GDPR
The GDPR holds a variety of potential penalties for businesses.
For example, article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her
habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data
relating to him or her infringes this Regulation.”
Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the
data subject has his or her habitual residence.”
Penalties
Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation,
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage
they’ve suffered.
Fines
Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the
level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur
administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is
greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional
penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set; the only
guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State
shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
ELECTRONIC MARKETING
Personal Data Protection Act BES
N/A.
GDPR
Under the GDPR's consent standard (articles 4(11) and 7), read together with the ePrivacy Directive's rules on unsolicited
communications, organizations cannot send marketing emails without active, specific consent.
Companies can only send email marketing to individuals if:
The individual has specifically consented; or
The individual is an existing customer who previously bought a similar product or service and was given a simple way to opt out.
ONLINE PRIVACY
Personal Data Protection Act BES
Contains no specific clauses.
GDPR
Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do
have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.
For location data, the GDPR applies if the data collector collects the location data from the device and if it can be used to identify a
person.
If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is
processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from
others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address
etc. are not known.
KEY CONTACTS
HBN Law & Tax
hbnlawtax.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.
Maarten Willems
Senior Associate
HBN Law & Tax
T +297 588 6060
maarten.willems@hbnlawtax.com
Misha Bemer
Partner
HBN Law & Tax
T +297 588 6060
misha.bemer@hbnlawtax.com
BOSNIA AND HERZEGOVINA
Last modified 12 January 2021
LAW
The Law on Protection of Personal Data (‘Official Gazette of BIH’, nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law
regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended
on October 3, 2011.
Due to the deficiencies and non-alignment of the DP Law with the GDPR, in 2018 the competent authorities initiated the
procedure for adoption of a new, GDPR-compliant data protection law in BiH. According to publicly available information, the
draft of the new data protection law (Draft Data Protection Law) was forwarded to the BiH Ministry of Civil Affairs and the
adoption procedure before the BiH Parliament should have been initiated. However, due to the complex political situation as well
as the Covid-19 pandemic, the Draft Data Protection Law has not been adopted to date. We nevertheless expect the Draft Data Protection
Law to be adopted in its current text within 2021.
DEFINITIONS
Definition of personal data
The DP Law defines personal data as any information relating to an identified or identifiable natural person. Data subjects are
natural persons whose identity can be determined or identified, directly or indirectly, in particular by reference to a personal
identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social
identity.
Definition of sensitive personal data
The DP Law defines sensitive personal data as any data relating to any of the following:
Racial, national or ethnic origin
Political opinion, party affiliation, or trade union affiliation
Religious, philosophical or other belief
Health
Genetic code
Sexual life
Criminal convictions
Biometric data
Definitions of sensitive personal data stipulated by Draft Data Protection Law correspond to the definitions prescribed by GDPR.
NATIONAL DATA PROTECTION AUTHORITY
The Personal Data Protection Agency (DPA) is the national data protection authority in BiH. The DPA is seated in
Dubrovačka 6
Sarajevo
www.azlp.gov.ba
The DPA remains the national data protection authority under Draft Data Protection Law.
REGISTRATION
Each data controller (defined as a person or legal entity which processes personal data) must provide the DPA with specific
information on the database containing personal data (“Database”) established and maintained by the controller. The DPA
maintains a publicly available register of data controllers and Databases.
The Database’s registration includes two phases:
First, the controller must register as a data controller (this registration as a controller is performed only once).
Second, the controller must report the establishment of the Database, which has to be done within 14 days.
Registration of the Database is made by submitting the application in the prescribed form to the DPA. The DPA form includes
information regarding:
Data controller
Name
Address of its registered seat
The Database itself
Processing purpose
Legal ground for its establishment
Identification of exact processing activities
Types of processed data
Categories of data subjects, and
Transfer of data abroad
If there is a subsequent change in the registered data, for example changing initial processing activities, the change needs to be
reported to the DPA within 14 days from the date the change occurred.
Unlike the DP Law, the Draft Data Protection Law foresees the obligation of data controllers and data processors to keep records
of their data processing activities in the same way as the GDPR; however, it does not oblige data controllers to register their data
processing activities/databases with the Agency.
DATA PROTECTION OFFICERS
There is no statutory obligation that the entity which processes personal data has a data protection officer. The Rules on the
Manner of Keeping and Special Measures of Personal Data Technical Protection (Official Gazette of BiH no. 67/09) (Rules)
stipulate that a controller can have an administrator of the Database. Such administrator is a natural person authorized and
responsible for managing the Database and ensuring privacy and protection of personal data processing, in particular regarding
implementation of security measures, storage and protection of data.
Unlike the DP Law, the Draft Data Protection Law requires the data controller and processor to ensure the proper and timely
involvement of the data protection officer in all issues related to the protection of personal data. The position and tasks of the data
protection officer envisaged by the Draft Data Protection Law correspond to those prescribed by the GDPR.
COLLECTION & PROCESSING
Collection and processing of personal data is permissible if carried out pursuant to the data subject’s consent and in compliance
with the basic principles of personal data protection.
The form of the data subject’s consent depends on the type of personal data collected and processed. While the collection and
processing of sensitive personal data requires explicit written consent from the data subject, the consent for the collection and
processing of personal data falling within a category of general personal data does not have to be in writing. However, at the
request of the competent authority, the controller has to be able to prove, at any time, the existence of a data subject’s consent
for processing of both personal and sensitive personal data. Therefore, having a written consent for collection of any personal data
is advisable. When required, written consent must contain at least the elements prescribed by the DP Law.
Apart from the consent, there are also other conditions which must be met for the collection and processing to be regarded as
legitimate, including:
Processing must be done in a fair and lawful way
The type and scope of processed data must be proportionate to the respective purpose
Other principles regarding the legitimate reasons for personal data processing
The DP Law provides exceptions under which a data subject’s personal data may be processed without the data subject’s consent. This
is the case where the processing is necessary for the fulfillment of a data controller’s statutory obligations or for the preparation or
performance of an agreement concluded between a data controller and a data subject (Exceptional Cases). The conditions listed above are
considered the basic principles of personal data protection and are applicable to each case of personal data processing.
The legal grounds as well as the data processing requirements envisaged by the Draft Data Protection Law fully correspond to
those envisaged by the GDPR.
TRANSFER
Under the transfer rules set out in the DP Law, processed personal data may be transferred to countries where an adequate level
of personal data protection is ensured. In that regard, preferential status is given to the member states of the Council of Europe
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention”), as members of
the Convention ensure an adequate level of personal data protection.
Personal data transfer to countries that do not provide for an adequate level of personal data protection is allowed in certain
cases stipulated by the DP Law, for example:
When the data subject consented to the transfer and was made aware of possible consequences of such transfer
When it is required for the purpose of fulfilling the contract or legal claim
When it is required for the protection of public interest
In addition, the DPA may exceptionally approve the transfer to a country that does not ensure an adequate level of personal data
protection if the controller in the country where the data is to be transferred can provide for sufficient guarantees in regard to
the protection of privacy and fundamental rights and freedoms of the data subject.
The Draft Data Protection Law prescribes a set of mechanisms based on which a legitimate transfer of data out of BiH is possible.
This means that the Draft Data Protection Law aims, like the GDPR, to enable legitimate transfer of personal data
whenever there are safeguards that the transferred data will be processed in line with the law.
In practice this means the following:
It should firstly be checked whether a particular country to which the data is to be transferred is regarded as a country
with an adequate data protection system (“Adequate Country”)
If a country to which the data is to be transferred from BiH is the Adequate Country or if there is a data transfer related
international treaty entered into between BiH and that country, a transfer is possible without any approval of the Agency
(“Transfer Approval”)
On the other hand, if a country to which the data is to be transferred is not the Adequate Country, a transfer is still
possible without the Transfer Approval if the adequate data protection measures are undertaken (e.g., if appropriate
standard contractual clauses have been entered into between a data exporter and a data importer) (“Adequate
Safeguards”)
However, even if there are no Adequate Safeguards, there is still a possibility for transferring the data without the
Transfer Approval. Such possibility exists in so-called special situations, explicitly prescribed by the Draft Data Protection
Law, the same as under the GDPR (e.g., a data subject has consented to a particular transfer, a transfer is necessary for
the realization of an agreement between a data subject and data controller, etc.)
Finally, even if none of the aforementioned special situations is applicable, a data transfer is still allowed without the
Transfer Approval if certain conditions (linked to a data controller’s legitimate interest) explicitly prescribed by the Draft
Data Protection Law are cumulatively fulfilled.
SECURITY
The DP Law requires data controllers and processors to:
Take care of data security and to undertake all technical and organizational measures
Undertake measures against unauthorized or accidental access to personal data, their alteration, destruction or loss,
unauthorized transfer, other forms of illegal data processing, as well as measures against misuse of personal data
Adopt a personal data security plan (“Security Plan”) which specifies technical and organizational measures for the security
of personal data
As provided by the Rules (as defined in the section “Data Protection Officers”), the Security Plan includes the categories of
processed data and the list of instruments for protection of the data to ensure confidentiality, integrity, availability, authenticity,
possibility of revision and transparency of the personal data.
The Rules prescribe that the controller is required to undertake more stringent technical and organizational measures when
processing sensitive personal data. Such measures aim at enabling identification of each authorized access to the information system,
limiting operations on the data to the controller’s regular working hours, and cryptographic protection of data transmitted via
telecommunications systems with appropriate software and technical measures.
The Rules also closely regulate the manner of personal data keeping and personal data protection in automatic processing.
Security measures envisaged by Draft Data Protection Law correspond to the measures prescribed by GDPR.
BREACH NOTIFICATION
The DP Law does not impose a data security breach notification duty on the controller. However, the Rules do impose a duty on
the Database’s administrator, processor and performer to inform the controller of any attempt at unauthorized access to the
information system used to manage the Database.
However, the regulations issued by the Communication Regulatory Agency (RAK) should be considered. The Regulation on
Carrying out the Activities of the Publicly Available Electronic Communication Networks (‘Official Gazette of BiH’ no. 66/12)
(Regulation A) stipulates that the operator of publicly available electronic communication networks (Operator) is required to
inform RAK about its activities, operations and other applicable information required for RAK’s regulatory competences. Since
RAK’s Regulation on Conditions for Providing the Telecommunications Services and Relation with End Users (‘Official Gazette of
BiH’ no. 28/13) (Regulation B) prescribes the Operator’s obligation to undertake methods which will protect the privacy
of users and others, in a manner that will ensure the integrity and confidentiality of data, it can be concluded that the Operator is
required to notify RAK of any breach of security and integrity of public telecommunication services that resulted in a violation of
the protection of personal data or privacy of the respective services’ users.
When it comes to the notification duty towards the users, Regulation B obliges the Operator to inform the users adequately (e.g.,
in the user agreement, in its terms and conditions or in an appropriate technical way) about the possibility of privacy or
telecommunication facilities violations.
Pursuant to the Draft Data Protection Law, in case of a personal data breach the controller is obliged to notify the DPA without undue
delay and, where feasible, not later than 72 hours after having become aware of it, which fully corresponds to the obligation prescribed
by the GDPR.
ENFORCEMENT
The DPA enforces the DP Law. The DPA is authorized and obliged to monitor implementation of the DP Law, both ex officio and
upon a third-party complaint. If the DPA finds that a particular person or entity processing personal data acted in violation of data
processing rules, it may request that the controller discontinue such processing and order specific measures to be carried out
without delay.
When acting upon the complaints, the DPA may also issue a decision by which it can order blocking, erasing or destroying of data,
adjustment or amendment of data, temporary or permanent ban of processing, issue warning or reprimand to the controller. The
decision of the DPA may not be appealed; however, a party may initiate administrative dispute before the Court of BiH.
The DPA can initiate a misdemeanor proceeding against the respective data controller before the competent court, depending on
the gravity of the particular misconduct and the data controller’s behavior with respect to the same. The offenses and sanctions
are explicitly prescribed by the DP Law, which includes monetary fines for a controller in the amount between €2,550 and
€51,100, as well as for the controller’s authorized representative in the amount between €100 and €7,700.
The Draft Data Protection Law, although still not as strict as the GDPR, foresees fines which are significantly higher than the ones
foreseen by the current DP Law. Specifically, the Draft Data Protection Law introduces fines in the amount of up to
BAM 200,000 (approx. EUR 100,000) or 4% of the total worldwide annual turnover of the preceding financial year (whichever is
higher).
Breach of personal data protection regulations represents a criminal offense of unauthorized collection of personal data under all
criminal codes applicable in BiH (Criminal Code of BiH, Criminal Code of the Republic of Srpska, Criminal Code of the Federation
of BiH and Criminal Code of Brčko Distrikt). Prescribed sanctions are monetary fines (in an amount to be determined by the court) or
imprisonment of up to six (6) months (Criminal Code of BiH; Criminal Code of the Federation of BiH; Criminal Code of Brčko
Distrikt) or up to one (1) year (Criminal Code of the Republic of Srpska).
ELECTRONIC MARKETING
Although electronic marketing is not governed by the DP Law as such, that law regulates the protection of personal data used in
direct marketing. In that regard, the controller is not allowed to disclose personal data to a third party without the data subject’s
consent. However, when that is necessary for the protection of the controller’s rights and interests and when it is not in
contradiction with the data subject’s right to the protection of personal privacy and personal life, the personal data may be used
for direct marketing purposes without consent. The DPA is of the opinion that this provision can be relied on only in specific
cases, such as when the controller is offering products or services to a regular client in order to limit possible future damages for which
it could be held responsible.
Under Regulation B, the Operator is prohibited from using user personal data for purposes of its business or other promotions,
unless it obtains explicit consent from the user to whom such data relates.
ONLINE PRIVACY
The general data protection rules, as introduced by the DP Law, are relevant for online privacy as well, as there are no specific
regulations that explicitly govern online privacy. This includes obligation to act in accordance with the basic principles of personal
data protection set out in the DP Law as well as acting on the basis of the data subject’s informative consent.
KEY CONTACTS
Karanovic & Nikolic
www.karanovic-nikolic.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.
Nihad Sijercic
Attorney-at-law in cooperation with Karanovic & Nikolic
T +387 33 844 000
nihad.sijercic@karanovicpartners.com
Amina Dugum
Attorney-at-law in cooperation with Karanovic & Nikolic
T +387 33 844 000
amina.djugum@karanovicpartners.com
BOTSWANA
Last modified 10 December 2021
LAW
The Data Protection Act – Act No. 32 of 2018, (“the DPA”) is an Act which was assented to by Parliament on the 3rd August
2018 and came into effect on the 15th of October 2021.
The DPA regulates the protection of personal data and ensures that the privacy of individuals in relation to their personal data is
maintained.
DEFINITIONS
Definition of personal data
Under the DPA, personal data means information relating to an identified or identifiable individual, from which the individual can be
identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the
individual’s physical, physiological, mental, economic, cultural or social identity.
Definition of sensitive personal data
Sensitive Personal Data is defined to mean personal data which reveals a data subject’s:
racial or ethnic origin;
political opinions;
religious beliefs or philosophical beliefs;
membership of a trade union;
physical or mental health or condition;
sexual life;
affiliation; or
personal financial information,
and includes:
any commission or alleged commission by him or her of any offence;
any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such
proceedings, or the sentence of any Court in such proceedings; and
genetic data, biometric data and the personal data of minors.
NATIONAL DATA PROTECTION AUTHORITY
A body known as the Information and Data Protection Commission (“the Commission”) as established under the DPA is yet to be
formed and will be the designated body tasked with data protection and ensuring the effective application of, and compliance with
the DPA, and in particular, the right to protection of personal data and to access, rectification, objection and cancellation of such data.
REGISTRATION
The Commission will be responsible for creating and maintaining a public register of all data controllers. There is, however, no
prescribed method of registration.
A data controller is a person who alone or jointly with others determines the purpose and means of which personal data is to be
processed, regardless of whether or not such data is processed by such person or agent on that person’s behalf. Additionally, a
data controller may engage a data processor, being a person who processes data on behalf of the data controller.
In terms of the DPA, data controllers are required to notify the Commissioner of the Commission (“the Commissioner”) before
carrying out any wholly or partially automated processing operation or set of such operations which are intended to serve a single
purpose or serve several related purposes. Notification is not required where a data protection representative has been
appointed.
The notification should include the following details:
The name and address of the data controller and of its representative;
The purpose of the processing;
A description of the data subjects and of the personal data relating to the data subject;
The recipients to whom personal data may be disclosed;
Proposed transfers of personal data to a third country; and
A general description to allow the Commission to assess the appropriateness of the security measures.
The requirement for notification does not apply to operations which have the sole purpose of keeping a register that is intended
to provide information to the public by virtue of any law, and for which the register is open for public inspection. In addition, the
notification will not be required where a data controller has appointed a data protection representative.
Data controllers are further required to immediately notify the Commissioner of any breach to the technical or organizational
security safeguards for processing of personal data.
The Commission will have the authority to grant an exemption for notification.
DATA PROTECTION OFFICERS
A data controller has the option to appoint a data protection representative who holds the requisite qualifications, their role being
to independently ensure that personal data is processed in a correct and lawful manner, and in accordance with good practice.
The data protection representative is responsible for keeping a list of the processing carried out and the list should be immediately
accessible to any person applying for access. Upon identifying any inadequacies, the data protection representative should bring
such inadequacies to the attention of the data controller and assist in ensuring that the data subject’s rights under the DPA are
protected.
Where a data protection representative has been appointed, the notification to the Commissioner regarding wholly or partially
automated processing operations is not required.
If a data protection representative has reason to suspect that the data controller is contravening the rules applicable for
processing personal data, and if rectification is not implemented as soon as practicable after the contravention is pointed out, the
data protection representative must then notify the Commissioner.
The appointment and removal of a data protection representative must be notified to the Commissioner.
COLLECTION & PROCESSING
Processing means any operation or a set of operations which is taken in regard to personal data, whether or not it occurs by
automatic means, and includes the collection, recording, organization, storage, alteration, retrieval, gathering, use, disclosure by
transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction
of such data.
Processing personal data
Prior to undertaking the processing of personal data, data controllers are generally required to obtain written consent from the
data subjects. Consent is not required in instances authorised by any written law. In addition, a data subject who has given consent
for processing of personal data may at any time, in writing, revoke the consent for legitimate, reasonable, and compelling reasons
at that particular time.
As an alternative to written consent, personal data may also be processed where the processing is necessary
for:
the performance of a contract to which the data subject is party or in order to take steps at the request of the data
subject entering into a contract;
compliance with a legal obligation to which the data controller is subject;
protecting the vital interests of the data subject;
for performing an activity that is carried out in the public interest or in the exercise of an official authorization vested in
the data controller, or of a third party to whom the data is disclosed; or
for a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is
provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the
data subject and in particular, the right to privacy.
Where personal data is processed for historical, statistical or scientific purposes, the data controller must ensure that
appropriate security safeguards are in place where the personal data is kept for a period longer than necessary having regard to
the purpose for which it is processed, and that the personal data kept is not used for any decision concerning the data
subject.
In the event that processing is for direct marketing, the data controller must, at no cost, inform the data subject of the right to
oppose the processing. Processing for such purposes will be prohibited where the data subject has given a notice of objection to
the processing of the personal data. A data controller who processes the data despite the objection made by the data subject
commits an offence which is punishable by a fine not exceeding BWP500 000 or imprisonment for a term not exceeding nine
years, or both.
Processing sensitive personal data
Processing of sensitive personal data is heavily restricted, and the data controller must ensure that appropriate security
safeguards have been adopted. Processing of sensitive personal data is generally prohibited save where:
the processing is specifically provided for under the DPA;
the data subject has given consent in writing;
the data subject has made the data public;
the processing is necessary for national security, for the purposes of exercising or performing any right or obligation
which is conferred or imposed by law on the data controller in connection with employment, or where the processing is
authorized by any other written law for any reason of substantial interest to the public; or
the processing is necessary to protect the vital interest of a data subject and another person in a case where consent
cannot be given by or on behalf of the data subject, the data controller cannot be reasonably expected to obtain consent
or the consent by or on behalf of the data subject has been unreasonably withheld.
Bodies or entities which have political, philosophical, religious or trade union objects are allowed to process sensitive personal
data relating to the political, philosophical, religious or trade union objects concerning the members of that body or entity, or any
other person who the body or entity regularly exchanges information with. Such processing by an entity or body is allowed if it is
done in the course of its legitimate activities and with appropriate guarantees. It should also be noted that this sensitive personal
data may be provided to a third party only where the data subject has given written consent.
Furthermore, processing of sensitive personal data for health or medical purposes is allowed where the processing is done by a
health professional and is necessary for preventative medicine as well as protection of public health, medical diagnosis, health care
or the management of health and hospital care services.
Processing sensitive personal data is also allowed where it is for research, scientific and statistics purposes so long as the
processing is compatible with specified, explicitly stated and legitimate purposes. In the case of research and scientific purposes,
the Commissioner must have approved the processing on the advice of a committee responsible for research and scientific ethics,
whilst in the case of statistics, the processing must be necessary for the purposes provided under the Statistics Act (Cap 17:01).
There is a general prohibition against processing genetic and biometric data for what it reveals or contains. The prohibition does
not apply where such data is processed in accordance with the general requirements for processing sensitive personal data as
outlined above. Where genetic and biometric data is processed for medicinal purposes and the consent of the data subject has
been granted, the processing must only be effected where a unique patient identification number is given to the data subject. This
patient number must be different from any other identification number possessed by the data subject.
Sensitive personal data may also be processed for legal purposes where it is necessary in connection with any legal proceedings
including prospective proceedings, for the purposes of obtaining legal advice, for establishing, exercising or defending legal rights,
or for the administration of justice.
With respect to a data subject’s identity card number, processing in the absence of the data subject’s consent is only allowed
where the processing is clearly justifiable having regard to the purpose of the processing, the importance of a secure identification
or any valid reason as may be prescribed.
During the processing operation where personal data is obtained directly from the data subject, the data controllers and data
processors are required to furnish to the data subject the following information:
The identity and habitual residence or principal place of business;
The purpose of the processing;
The existence of the right to object to the intended processing if the processing is for purposes of direct marketing;
Any other additional information if it will ensure fair processing, which may include the recipient or category of recipients,
whether the reply to any question posed is obligatory or voluntary and the possible consequences of failure to reply as
well as the existence of the right to access, rectify, delete the data concerning the data subject; or
Any other information necessary for the specific nature of the processing, to guarantee fair processing in respect of the
data subject.
A person who has access to personal data and is acting under the authorisation of the data controller or the data processor must
process personal data only as instructed and without prejudice to any duty or restriction imposed by law. A contravention of this
amounts to an offence which is punishable by a fine not exceeding BWP20 000 or to imprisonment for a term not exceeding three
years, or to both.
Where personal data is processed without the required authorisation, such processing amounts to an offence which is punishable
by a fine not exceeding BWP100 000 or to imprisonment for a term not exceeding three years, or to both.
It is mandatory to safeguard the security of personal data by taking appropriate technical and organisational security measures
necessary to protect the personal data from negligent or unauthorised destruction, negligent loss or the alteration, unauthorised
access and any other unauthorised processing of personal data.
When taking appropriate technical and organisational security measures necessary to protect the personal data, the person doing
so must ensure an appropriate level of security by taking into account:
technological developments of processing personal data, and the costs for implementing the security measures; and
the nature of the personal data to be protected and the potential risks involved.
Additionally, when outsourcing processing of personal data, the data processor to be chosen must be one who gives sufficient
guarantees regarding the technical and organisational security measures in place for the processing to be done. The data controller
or processor who outsources must ensure that the said measures are complied with.
TRANSFER
The transfer of personal data from Botswana to another country is prohibited save for transborder transfers to countries that
have been designated by the Minister through an Order published in the Government Gazette.
Transborder transfers of personal data require prior authorisation to be granted by the Commissioner so as to assess and ensure
that adequate levels of protection are provided by the country receiving the personal data. The assessment is in light of all the
circumstances surrounding the data transfer operation and particular consideration is given to:
the nature of the data;
the purpose and duration of the proposed processing operation;
the country of origin and the country of final destination;
the rule of law, both general and sectoral, in force in the third country in question; and
the professional rules and security safeguards which are complied with in that country.
Notwithstanding the above, transborder transfers to countries which do not offer an adequate level of protection are allowed
where the data subject consents to the proposed transfer or, where the transfer is:
necessary for the performance of a contract between the data subject and the data controller, or the implementation of
pre-contractual measures taken in response to the data subject’s request;
necessary for the performance or conclusion of a contract in the interests of the data subject between the data controller
and a third party;
necessary for the public interest, or for the establishment, exercise or defence of a legal claim;
necessary to protect the vital interests of the data subject; or
made from a register that is intended to provide the public with information and is open to public inspection.
Regardless of the above mentioned restrictions, transborder flow of personal data to a country without adequate levels of
protection may be authorised where the data controller provides adequate safeguards which may be by means of appropriate
contractual provisions, with respect to the protection of the privacy and fundamental rights and freedoms of individuals.
SECURITY
Data controllers are required to take appropriate technical and organisational security measures necessary to protect personal
data from negligent or unauthorised destruction, negligent loss, as well as unauthorised access, alteration and processing of
personal data.
The measures are influenced by technological developments of processing personal data and the costs for implementing the
security measures, as well as the nature of the personal data and the potential risks involved.
Failure to implement the security safeguards amounts to an offence and will render the data controller liable to a fine not
exceeding BWP100 000 or to imprisonment for a term not exceeding three years, or to both.
BREACH NOTIFICATION
Data controllers and data processors are required to immediately notify the Commissioner of any breach to the security
safeguards of personal data. A failure to do so amounts to an offence punishable by a fine not exceeding BWP100 000 or to
imprisonment for a term not exceeding three years, or to both.
ENFORCEMENT
As mentioned earlier, the Commission is the competent authority that will be tasked with protection of personal data through
effective application and compliance with the DPA. However, since the Commission is yet to be formed, there is currently no
enforcement.
ELECTRONIC MARKETING
Marketing by means of electronic communication is governed by the Electronic Communications and Transactions Act – Act No
14 of 2014 (“ECTA”).
An originator who carries out marketing by means of electronic communication must provide the addressee with the originator’s
identity and contact details, including the place of business, e-mail addresses and telefax number, as well as a valid and operational
opt-out facility from receiving similar communications in future, and additionally the identifying particulars of the source from
which the originator obtained the addressee’s personal information.
In terms of the ECTA, unsolicited commercial communication must only be sent where the opt-in requirement has been met, and
this includes:
the addressee’s email address and other personal information was collected by the originator of the message in the course
of a sale or negotiations for a sale;
the marketing relates to similar products or services;
when the personal information and address was collected by the originator, the originator offered the addressee the
opportunity to opt-out, free of charge except for the cost of transmission, and the addressee declined to opt-out; and
the opportunity to opt-out is provided with every subsequent message.
Failure to provide the addressee with an optional opt-out facility is an offence which is punishable by a fine not exceeding
BWP10 000, or to imprisonment for a term not exceeding five years, or to both. Furthermore, an originator who persists in
sending unsolicited commercial communications to an addressee who has opted out from receiving such through the originator’s
opt-out facility commits an offence and is liable to a fine not exceeding BWP50 000, or to imprisonment for a term not exceeding
eight years, or to both.
Also noteworthy is the DPA requirement that where personal data is processed for direct marketing purposes, the data
controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be
prohibited where the data subject has given a notice of objection to the processing of the personal data. A data controller who
processes the data despite the objection made by the data subject, commits an offence which is punishable by fine not exceeding
BWP500 000 or to imprisonment for a term not exceeding nine years, or to both.
ONLINE PRIVACY
There is currently no specific online privacy legislation and no provision in the DPA and the ECTA regarding such.
KEY CONTACTS
Minchin & Kelly (Botswana)
Isaac Ntombela
Partner
Minchin & Kelly (Botswana)
T +267 391 2734
intombela@minchinkelly.bw
Namie Modiri
Associate
Minchin & Kelly (Botswana)
T +267 391 2734
nmodiri@minchinkelly.bw
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
https://www.dlapiperdataprotection.com/scorebox/
BRAZIL
Last modified 24 January 2022
LAW
After several discussions and postponements, the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018,
entered into force on September 18, 2020. The LGPD is Brazil’s first comprehensive data protection regulation, and it broadly
aligns with the EU General Data Protection Act (GDPR).
Although the law has been in force since 2020, the penalties issued by the LGPD only became enforceable on August 1, 2021.
However, public authorities (such as consumer protection bodies and public prosecutors) and data subjects could enforce their
rights under the LGPD as of September 18, 2020.
Before the enactment of the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian
legislation. For example, Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act)
imposed requirements regarding security and the processing of personal data and other obligations on service providers,
networks, and applications providers, and provided rights for Internet users.
The following laws also contain general provisions and principles applicable to data protection:
The Federal Constitution
The Brazilian Civil Code, and
Laws and regulations that address
Certain types of relationships (e.g., Consumer Protection Code and employment laws); [1]
Regulated sectors (e.g., financial institutions, health industry, or telecommunications); and
Particular professional activities (e.g., medicine and law).
Additionally, there are laws that regulate the processing and safeguarding of documents and information handled by governmental
entities and public bodies.
The LGPD applies to any processing operation carried out by a natural person or a legal entity (of public or private law),
irrespective of (1) the means used for the processing, (2) the country in which its headquarters are located, or (3) the country where
the data are located, provided that:
The processing operation is carried out in Brazil;
The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals
located in Brazil; or
The personal data was collected in Brazil.
On the other hand, the law does not apply to the processing of personal data that is:
Carried out by a natural person exclusively for private and non-economic purposes;
Performed for journalistic, artistic, or academic purposes;
Carried out for purposes of public safety, national security, and defense or activities of investigation and prosecution of
criminal offenses (which will be the subject of a specific law);
Originated outside the Brazilian territory and are not the object of communication; or
Shared data use with Brazilian processing agents or the object of international transfer of data with another country that is
not the country of origin, provided that the country of origin offers a level of personal data protection adequate to that
established in the Brazilian law.
In addition, on October 20, 2021, the Brazilian Senate unanimously approved the Proposed Amendment to the Constitution
(“PEC”) no. 17/2019, which aims to include in the Federal Constitution the protection of personal data, including in digital media,
as a fundamental right, and to assign to the Union (federal government) the exclusive responsibility to legislate on this subject.
However, this amendment will only be valid when the National Congress enacts the PEC, which is still pending.
[1] Due to a broad interpretation established in case law, practically every Internet user is considered a ‘consumer’ for the
purposes of consumer protection.
DEFINITIONS
Definition of personal data
The LGPD defines personal data as any information related to an identified or identifiable natural person.
Anonymized data is not considered personal data, except when the process of anonymization has been reversed or if it can be
reversed applying reasonable efforts.
Definition of sensitive personal data
The LGPD defines sensitive personal data as any personal data concerning:
Racial or ethnic origin
Religious belief
Political opinion
Trade union
Religious, philosophical or political organization membership
Health or sex life
Genetic or biometric data
NATIONAL DATA PROTECTION AUTHORITY
The LGPD established the National Data Protection Authority (ANPD). The ANPD is part of the federal public administration
(pertaining to the Presidency of the Republic), and is given technical and decision-making autonomy with jurisdiction over the
Brazilian territory. The ANPD is headquartered in the Federal District. The legal nature of the ANPD is transitory and may be
amended by the Public Authority into an entity of the indirect federal public administration, subject to a special autarchic regime and
linked to the Presidency of the Republic, within two (2) years of its regimental structure coming into force.
The ANPD is now in operation. Its structuring process started on August 27, 2020, with the publication of Decree No.
10,474/2020, which approved and regulated the regulatory structure of the ANPD, and its board of commissioned positions and
nominated trust functions. On November 6, 2020, this Decree entered into force with the appointment of the Director-President
and the members of the Board of Directors of the ANPD, after having been approved by the plenary of the Federal Senate. On
March 9, 2021, the ANPD’s Internal Regulations were published, establishing the competencies and organization of the National
Authority.
The ANPD is composed of:
A Board of Directors
A national council for Personal Data and Privacy Protection (Council)
Bodies of direct and immediate assistance to the Board of Directors (General Secretariat, General Coordination of
Administration, General Coordination of Institutional and International Relations)
An Internal Affairs Office (inspection body)
An ombudsman
Its own legal advisory body, and
Administrative and specialized units for the enforcement of the LGPD (i.e., General Coordination of Standardization;
General Coordination of Supervision; and General Coordination of Technology and Research)
The ANPD has the authority to issue sanctions for violations of the LGPD. This sanctions authority came into force on August 1,
2021. In August 2021, the President of the Republic appointed representatives of the National Council for Personal Data and
Privacy Protection (Council). The Council contributes to the performance of the ANPD and has the authority to, among other
things:
Oversee the protection of personal data
Issue regulations and procedures related to personal data protection
Deliberate, at an administrative level, upon the interpretation of the LGPD and matters omitted in its redaction
Supervise and apply sanctions in the event of data processing performed in violation of the legislation
Implement simplified mechanisms for recording complaints about the processing of personal data in violation of the LGPD
In addition, the ANPD Council is responsible for, among other functions:
Proposing strategic guidelines and allowance for the creation of the National Policy for the Protection of Personal Data
and the operation of ANPD
Suggesting actions to be carried out by the ANPD
Preparing studies and conducting public debates and hearings about the protection of personal data
Since the ANPD started its operations, several actions have already been implemented to protect personal data, including:
Publishing guidance on reporting a security incident with personal data and its assessment to the ANPD
Explaining availability of a claim by the data subject against controller
Providing educational materials on data protection, such as (1) guidelines for defining personal data processing agents and
the DPO, (2) how consumers should protect their personal data, and (3) information security for small processing agents.
However, there are still several provisions of the LGPD requiring further regulation and interpretation by the ANPD, which
stakeholders should monitor for future compliance.
REGISTRATION
There is currently no requirement to register with the National Data Protection Authority under Brazilian law.
DATA PROTECTION OFFICERS
The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data
processing operations. The DPO is responsible for the following:
Accepting complaints and communications from data subjects and the National Authority
Providing guidance to employees about good practices and carrying out other duties as determined by the controller or
set forth in complementary rules
The LGPD provides the National Data Protection Authority the power to further establish supplementary rules concerning the
definition and the duties of the DPO, including scenarios in which the appointment of such person may be waived, according to
the nature and the size of the entity or the volume of data processing operations.
Currently, and until the ANPD provides more detailed instructions on the subject, it is assumed that every company (public or
private) should appoint a DPO. This general obligation extends to all types of activities and volumes of data processing subject to
the LGPD (as set out in the “Guidance on Processing Agents and DPO” published by ANPD in May 2021). In any case, all
companies should monitor this space for future guidance.
On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the
LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the
exemption of these companies from appointing a DPO. However, this is still a draft Resolution and needs to be further confirmed
and published.
There is no prohibition against companies using an external DPO or against DPOs performing the same function for more than
one company simultaneously. Likewise, the LGPD does not distinguish whether the DPO must be an individual or a legal entity.
Due to the absence of legal or regulatory requirements, there is no need to communicate or record the identity and contact
information of the DPO with the ANPD.
COLLECTION & PROCESSING
Under the LGPD, collection and processing is referred to as “data treatment”, and defined as all operations carried out with
personal data, such as:
Collection
Production
Reception
Classification
Utilization
Access
Reproduction
Transmission
Distribution
Processing
Filing
Storage
Elimination
Evaluation
Control
Modification
Communication
Transfer
Diffusion, or
Extraction
The processing of personal data may only be carried out based on one of the following legal bases:
With data subject consent
To comply with a legal or regulatory obligation by the controller
By the public administration, for the processing and shared use of data which are necessary for the execution of public
policies provided in laws or regulations or contracts, agreements or similar instruments
For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party
For the regular exercise of rights in judicial, administrative or arbitration procedures
As necessary for the protection of life or physical safety of the data subject or a third party
For the protection of health, exclusively, in a procedure carried out by health professionals, health services or sanitary
authorities
To fulfill the legitimate interests of the controller or a third party, except in the case of prevailing the fundamental rights
and freedoms of the data subject, and
For the protection of credit
Notwithstanding the above, personal data processing must be carried out in good faith and based on the following principles:
Purpose
Suitability
Necessity
Free access
Quality of the data
Transparency
Security
Prevention
Nondiscrimination, and
Accountability
As for the processing of sensitive personal data, the processing can only occur when the data subject or their legal representative
gives specific and prominent consent for specific purposes; or, without consent, in the following situations:
As necessary for the controller’s compliance with a legal or regulatory obligation
Shared data processed as necessary for the execution of public policies provided in laws or regulations by the public
administration
For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
For the regular exercise of rights, including in a contract or in a judicial, administrative or arbitration procedure
Where necessary for the protection of life or physical safety of the data subject or a third party
The protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary
authorities, or
To prevent fraud and protect the safety of the data subject
The controller and operator must keep records of the data processing operations they carry out, mainly when the processing is
based on a legitimate interest.
In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data,
including sensitive data, referring to its data processing operations, pursuant to regulations, subject to commercial and industrial
secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for
ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and
mechanisms of risk mitigation.
On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the
LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the
exemption of these companies from maintaining records of data processing activities and flexibility in conducting Data Protection
Impact Assessments (“DPIA”). However, this is still a draft Resolution, which must still be confirmed and published.
TRANSFER
The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD.
Prior specific and informed consent is needed for such transfer, unless:
The transfer is to countries or international organizations with an adequate level of protection of personal data
There are adequate guarantees of compliance with the principles and rights of data subject provided by LGPD, in the form
of
Specific contractual clauses for a given transfer
Standard contractual clauses
Global corporate norms, or
Regularly issued stamps, certificates and codes of conduct
The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial
agencies
The transfer is necessary to protect the life or physical safety of the data subject or a third party
The ANPD has provided authorization
The transfer is subject to a commitment undertaken through international cooperation
The transfer is necessary for the execution of a public policy or legal attribution of public service
The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary
procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures
SECURITY
Controllers and processors must adopt technical and administrative security measures designed to protect personal data from:
Unauthorized accesses, and
Accidental or unlawful situations of:
Destruction
Loss
Alteration
Communication, or
Any improper or unlawful processing
The LGPD grants the ANPD authority to establish minimum technical standards for companies to implement.
On 4 October 2021, the ANPD launched information security guidelines aimed at small data processing agents (such as
microenterprises, small businesses, and startups) to assist them with good practices in implementing technical and administrative
information security measures for the protection of personal data. The guidelines also contain a checklist to facilitate the
visualization of suggestions, such as awareness and training programs, agreements management, access controls, data storage
guidelines, and vulnerability management.
The Brazilian Internet Act further establishes that service providers, networks and applications providers should keep access
records (such as IP addresses and logins) confidential and in a secured and controlled environment. Guidelines issued under the
Internet Act set out appropriate security controls, including:
Strict control on data access by defining the liability of persons who will have the possibility of access and exclusive access
privileges to certain users
Provision of authentication mechanisms for records access, using, for example, dual authentication systems to ensure
individualization of the controller records
Creation of detailed inventory of access to connection records and access to applications containing the time, duration,
the identity of the employee or the responsible person for the access designated by the company and the accessed file
Use of records management techniques that ensure the inviolability of data, such as encryption or equivalent protective
measures
BREACH NOTIFICATION
The controller must report to ANPD and the data subject within a reasonable timeframe if the breach is likely to result in risk or
harm to data subjects. The LGPD itself does not set a specific deadline for notifying the ANPD in the event of security incidents.
However, according to guidance published by the National Authority on February 22, 2021, the communication must be made
within two (2) working days, counted from the date of receiving knowledge of the incident.
In addition, according to this guideline, the company or person responsible for the data must internally assess the incident and
ascertain the nature, category, and number of data subjects affected. The National Authority must also be notified in the
event of relevant risk or damage to data subjects, using a form available on the ANPD’s page.
The notice must contain, at least, the following:
Description of the nature of the affected personal data
Information regarding the data subjects involved
Indication of the security measures used
The risks generated by the incident
The reasons for a delay in communication (if any)
The measures that were or will be adopted
Additionally, the ANPD must verify the seriousness of the incident and may, if necessary to safeguard the data subject’s rights,
order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures
to reverse or mitigate the effects of the incident.
On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the
LGPD to small businesses, startups, and innovative companies. The Resolution includes exemptions and flexibilities, such as the
exemption from or flexibility in the communication of security incidents, as well as flexibility regarding deadlines for responding to
data subjects’ requests, for communicating severe security incidents to the ANPD and affected data subjects, and for responding
to the ANPD’s requests. However, this is still a draft Resolution, which must still be confirmed and published.
ENFORCEMENT
The LGPD provides for penalties in case of violations of its provisions. Data processing agents that commit infractions can be subject
to administrative sanctions, in a gradual, single or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues
of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.
Other sanctions can include:
Warning
Publicizing of the violation
Blocking the personal data to which the infraction refers until its regularization
Deletion of the personal data to which the infraction refers
Partial suspension of the database operation to which the infringement refers for a maximum period of six (6) months,
extendable for the same period, until the processing activity is corrected by the controller;
Suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6)
months, extendable for the same period;
Partial or total prohibition of activities related to data processing.
Although the LGPD became effective September 18, 2020, the penalties provided by the law were only enforceable from August 1,
2021. In addition, the ANPD is now in operation and, on October 29, 2021, published the Regulation of the Inspection Process
and the Sanctioning Administrative Process, which establishes the procedures applicable to ANPD’s inspection process and the
rules to be observed during the administrative sanctioning process. However, so far, the ANPD still has not imposed sanctions
regarding violations to the LGPD, so its level of enforcement activity is still uncertain.
Public authorities (such as consumer protection bodies and public prosecutors) are already monitoring data protection matters
and applying penalties based on the LGPD obligations and other applicable laws. Additionally, data subjects may file lawsuits if any
of the rights provided by the LGPD are violated. Under the law, a controller or processor that causes material, moral, individual,
or collective damage to others is liable to individuals for such damages, including through a class action.
Exceptions to the obligation to remedy a violation exist only if:
The agent (i.e., the controller or the processor) did not carry out the data processing
There was no violation of the data protection legislation in the processing, or
The damage arises due to exclusive fault of the data subject or a third party
https://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
Data Protection Laws of the World Brazil 155 | | | www.dlapiperdataprotection.com
ELECTRONIC MARKETING
Brazil has no specific law regulating electronic marketing communications. However, it is important to point out that, according to
the LGPD, all processing of consumers’ personal data (which includes the collection, storage, and sending of marketing
communications) can only occur upon the appropriate legal basis for such purpose. Under this scenario, two available legal bases
could be used, depending on the analysis of the concrete case: (1) the data subject’s consent, or (2) the controller’s legitimate
interest.
Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also
apply to electronic marketing. Therefore, the sender should immediately cease sending any electronic marketing if the consumer
requests (i.e., offering an opt-out option to electronic marketing).
ONLINE PRIVACY
The Brazilian Internet Act has several provisions concerning the storage, use, disclosure, and other processing of data collected on
the Internet. The established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile
devices and the Internet. Violations of these rights may also be subject to civil enforcement.
Furthermore, as explained in prior sections, identifiable data are also encompassed under the scope of protection of the LGPD.
Thus, if cookies and location data are associated with a natural person, their collection should also observe the same obligations
provided by the Brazilian data protection law. However, the obligation does not apply to anonymized data, which is not
considered personal data under the LGPD unless the process of anonymization has been reversed or can be reversed using
reasonable efforts.
That said, a proper legal basis is needed when using cookies and similar technologies that involve the processing of a user’s
personal data (e.g., information that is linked or linkable to a particular user, IP address, device, or other particular
identifier). Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: the data
subject’s consent or the controller’s legitimate interest (in the case of essential cookies, for example).
KEY CONTACTS
Campos Mello Advogados
www.camposmello.adv.br/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Paula Mena Barreto
Partner
Campos Mello Advogados
T +55 21 3262 3028
paula.menabarreto@cmalaw.com
Manoela Quintas Esteves
Associate
Campos Mello Advogados
T +55 21 3262 3042
manoela.esteves@cmalaw.com
https://www.dlapiperdataprotection.com/scorebox/
BRITISH VIRGIN ISLANDS
Last modified 24 January 2022
LAW
The British Virgin Islands’ Data Protection Act, 2021 (DPA) came into force on 9 July 2021.
The DPA is the primary legislation and the first legislative framework of its kind in the British Virgin Islands to govern how public
and private bodies may process personal data. The law strives to promote transparency and accountability, bringing the British
Virgin Islands in line with the UK and EU data protection standards.
DEFINITIONS
Definition of personal data
Personal data means any information in respect of commercial transactions which: (i) is being processed wholly or partly by
means of equipment operating automatically in response to instructions given for that purpose; (ii) is recorded with the intention
that it should wholly or partly be processed by means of such equipment; or (iii) is recorded as part of a relevant filing system or
with the intention, and in each case, that it should form part of a relevant filing system, that relates directly or indirectly to a data
subject, who is identified or identifiable from that information, or from that or other information in the possession of a data user,
including any sensitive personal data and expression of opinion about the data subject.
Definition of sensitive personal data
Sensitive personal data means any personal data about a data subject’s:
physical or mental health;
sexual orientation;
political opinions;
religious beliefs or other beliefs of a similar nature;
criminal convictions, or the commission or alleged commission of an offence; or
any other personal data that may be prescribed as such under the DPA, from time to time.
Other key definitions
commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any
matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, and insurance
data processor, in relation to personal data, means a person who processes data on behalf of a data controller but does not
include an employee of the data controller
data subject means a natural person, whether living or deceased
data controller means a person who, either alone or jointly, or in common with other persons, processes any personal data, or
has control over, or authorises the processing of any personal data, but does not include a data processor
processing, in relation to personal data, means collecting, recording, holding, or storing the personal data or carrying out any
operation or set of operations on the personal data, including the: (i) organisation, adaptation, or alteration of personal data; (ii)
retrieval, consultation or use of personal data; (iii) disclosure of personal data by transmission, transfer, dissemination or
otherwise making available; or (iv) alignment, combination, correction, erasure or destruction of personal data.
NATIONAL DATA PROTECTION AUTHORITY
The supervisory authority under the DPA is the Office of the Information Commissioner.
Given the recent enactment of the DPA, the Office of the Information Commissioner has not yet been staffed.
REGISTRATION
There is currently no requirement for a data controller or a data processor to notify the Information Commissioner of their role
or complete any registration.
DATA PROTECTION OFFICERS
There is no requirement under the DPA for a data protection officer to be appointed.
COLLECTION & PROCESSING
Data controllers are responsible for compliance with certain privacy and data protection principles applicable to the personal data
they process. Data controllers are also responsible for ensuring that the principles are complied with where personal data is
processed on the data controller’s behalf (e.g., by its vendors).
Under these principles:
a data controller shall not process personal data (other than sensitive personal data) without the express consent of the
data subject, or transfer personal data outside of the British Virgin Islands without proof of adequate data protection
safeguards or consent from the data subject, unless either of the Exceptions defined under the heading “Transfer” exists
(the General Principle)
a data controller must inform a data subject of: (a) the purposes for processing; (b) information as to the source of the
personal data; (c) the rights to request access to and correction of the personal data; (d) how to contact the data
controller; (e) the class of third parties to whom the personal data will be disclosed; and (f) whether the data subject is
obligated to supply the personal data, and if so, the consequences of not supplying same (the Notice and Choice Principle)
no personal data shall be disclosed without the consent of the data subject for any purposes other than the purpose for
which the personal data was to be disclosed at the time of collection or to any party other than a third party of the class
of third parties noted above (the Disclosure Principle)
a data controller must take practical steps to protect personal data from any loss, misuse, modification, unauthorised or
accidental access or disclosure, alteration, or destruction by having regard to (a) the nature of the personal data and the
harm that would result from any loss, misuse, etc.; (b) the place or location where the personal data is stored; (c) any
security measures incorporated into any storage equipment; (d) the measures taken for ensuring the reliability, integrity,
and competence of personnel having access to the personal data; and (e) the measures taken for ensuring the secure
transfer of the personal data (the Security Principle)
personal data shall not be kept longer than is necessary for the fulfillment of the purpose of processing, and data
controllers must take all reasonable steps to ensure that personal data is destroyed or permanently deleted if no longer
required for the purpose for which it was to be processed (the Retention Principle)
a data controller shall take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept
current (the Data Integrity Principle), and
data subjects shall be given access to their personal data and be able to request corrections where the personal data is
inaccurate, incomplete, misleading, or not current (the Access Principle)
TRANSFER
As set out under the General Principle, transfers of personal data by a data controller or a data processor to countries or
territories outside the British Virgin Islands are only permitted where that country or territory ensures an adequate level of
data protection safeguards in relation to the processing of personal data. This transfer restriction endeavors to
ensure that the level of protection provided by the DPA is not circumvented by transferring personal data abroad.
The DPA also includes the following exceptions where the General Principle will not apply to a transfer:
if the data subject has consented to the transfer (where consent must be freely given, specific, informed, and unambiguous
and must be capable of being withdrawn at any time)
where the transfer is necessary for the performance of a contract between the data subject and the data controller, or
the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data
controller
the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data
subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject, or
for the performance of such a contract
the transfer is necessary for reasons of substantial public interest
the transfer is for a lawful purpose directly related to an activity of the data controller, is necessary for, or directly related
to, that purpose, and the personal data is adequate but not excessive in relation to that purpose
the transfer is necessary in order to protect the vital interests of the data subject
the transfer is necessary for the administration of justice, or
the transfer is required for the exercise of any functions conferred on a person by law.
SECURITY
While the DPA does not specify any technical standards for data controllers to implement, the DPA requires a data controller,
when processing personal data, to take practical steps to protect the personal data from any loss, misuse, modification,
unauthorized or accidental access, or disclosure, alteration or destruction (together, ‘Security Breach’) by having regard to the
following matters:
the nature of the personal data and the harm that would result from a Security Breach
the place or location where the personal data is stored
any security measures incorporated into any equipment in which the personal data is stored
the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data,
and
the measures taken for ensuring the secure transfer of the personal data
The DPA also requires, where a data processor carries out the processing of personal data on behalf of the data controller, the
data controller (for the purpose of protecting the personal data from Security Breach) to ensure that the data processor:
provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to
be carried out, and
takes reasonable steps to ensure compliance with the above measures.
BREACH NOTIFICATION
The DPA does not require data controllers to notify the Information Commissioner or the data subjects of personal data
breaches.
However, notice requirements apply to data controllers that receive enforcement notices from the Information Commissioner.
The DPA requires a public or private body to, as soon as practicable, and in any event within 30 days of complying with an
enforcement notice from the Information Commissioner: (i) notify the data subject(s) concerned; and (ii) notify any person to whom
the personal data was disclosed within the twelve months preceding the date of service of the enforcement notice (as determined
by the Information Commissioner).
ENFORCEMENT
A breach of the DPA constitutes a criminal offence. Upon conviction, violators may be subject to a fine of up to US$100,000,
imprisonment of up to five years, or both. A body corporate is punishable on conviction to a fine of up to US$500,000.
The Information Commissioner has broad investigative and corrective powers under the DPA, including the power to request and
obtain information from parties subject to the law and to issue orders to carry out specific remediation activities.
The DPA provides for a private right of action where data subjects suffer damage or distress due to a breach of the DPA by a
public or private body.
In addition, the DPA explicitly provides for personal liability in respect of offences committed by a body corporate where the
offence is proven to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, any
director, secretary, or similar officer, or any person purporting to act in such capacity. Where the affairs of a body corporate are
managed by its members, this personal liability also applies to the acts and defaults of a member in connection with the member’s
function of management.
ELECTRONIC MARKETING
The DPA applies to “direct marketing”, which is the communication, by whatever means, of any advertising or marketing material
that is directed to particular individuals and therefore includes electronic marketing.
Prior express consent is not required for the purposes of direct marketing. However, a data subject has an unconditional right to
require the data controller to stop, or not to commence, the processing of any of their personal data for the purposes of direct
marketing (i.e., an “opt-out” right).
ONLINE PRIVACY
There are no specific restrictions on online privacy in the DPA. However, the provisions of the DPA apply where a private body is
a website operator that collects personal data.
KEY CONTACTS
Carey Olsen
www.careyolsen.com
Clinton Hempel
Partner
Carey Olsen
T +27 76 412 6091
clinton.hempel@careyolsen.com
Jude Hodge
Counsel
Carey Olsen
T +1 284 394 4034
jude.hodge@careyolsen.com
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
BRUNEI
Last modified 17 December 2021
LAW
At present there are no statutory or common law obligations that protect the privacy of information from which an individual
can be directly or indirectly identified, save in respect of the banker-customer relationship, where banks are under a legal duty to
keep customer information confidential.
However, with the publication of the Public Consultation Paper on Personal Data Protection for the Private Sector in Brunei
Darussalam by the Authority for Info-communications Technology Industry of Brunei Darussalam on 20 May 2021 (“Public
Consultation Paper”), it is anticipated that the Personal Data Protection Order (“PDPO”) will be enacted and come into force
in the near future. Based on the Public Consultation Paper, which sets out in general terms the data protection framework
under the PDPO, it is anticipated that the PDPO will introduce obligations on the part of private sector organizations with respect
to the collection, use, disclosure or other processing of individuals’ personal data and the rights of individuals in relation to the
processing of their personal data.
DEFINITIONS
Definition of personal data
At present there is no legal definition.
It is anticipated that under the PDPO “personal data” will refer to data, whether true or not, about an individual who can be
identified (a) from that data; or (b) from that data and other information to which the organization has or is likely to have access.
Definition of sensitive personal data
At present there is no legal definition.
It is anticipated that the PDPO will not make a distinction between sensitive and non-sensitive personal data or define a category
of “sensitive personal data”.
NATIONAL DATA PROTECTION AUTHORITY
At present nil.
It is anticipated that the PDPO will establish a national data protection authority referred to as the Responsible Authority.
REGISTRATION
At present no legal requirement.
It is anticipated that the PDPO will not have any registration requirements.
DATA PROTECTION OFFICERS
At present no legal requirement.
It is anticipated that the PDPO will require an organization to appoint a data protection officer who shall be responsible for
ensuring that the organization complies with the PDPO and develops and implements the policies and practices that are necessary
to meet its obligations under the PDPO, including a process to receive complaints.
COLLECTION & PROCESSING
At present not a regulated activity.
Under the PDPO framework set out in the Public Consultation Paper, organizations may collect, use or disclose personal data
about an individual for purposes that a reasonable person would consider appropriate in the circumstance.
It is anticipated that under the PDPO organizations may collect, use or disclose personal data where:
they have the prior consent of the individual;
the collection, use or disclosure is otherwise required or authorized by law; or
an exception in the PDPO applies.
Where consent is required, it is anticipated that the PDPO will not specifically prescribe the manner in which consent may be
given and that the PDPO will recognize that consent may be explicit or implicit through an individual’s actions or inactions,
depending on the circumstances, and thereby allowing organizations flexibility as to how they obtain consent. That said, it is
anticipated that the PDPO would require organizations to look to express consent as the first port of call and only rely on
deemed consent or the exceptions to consent if obtaining consent is impractical or if they have otherwise failed to obtain express
consent.
It is anticipated that under the PDPO consent must be validly obtained and consent would not be valid where:
consent is obtained as a condition of providing a product or service and such consent is beyond what is reasonable to
provide the product or service to the individual; the principle being that organizations should not collect more personal
data than is reasonable and necessary; and
where false or misleading information was provided in order to obtain or attempt to obtain the individual’s consent for
collecting, using or disclosing his personal data.
As part of obtaining valid consent, it is anticipated that the PDPO will require organizations to provide the individual with
information on:
the purposes for the collection, use or disclosure of his personal data, on or before collecting the personal data; and
any other purpose for the use or disclosure of personal data that has not been notified to the individual, before such use
or disclosure of personal data.
Further, it is anticipated that fresh consent would be required where personal data collected is to be used for a different purpose
from which the individual originally consented.
TRANSFER
At present not a regulated activity.
It is anticipated that under the PDPO, an organization shall not transfer personal data to a country outside Brunei Darussalam
except in accordance with requirements prescribed under the PDPO to ensure that the transferred personal data will be
accorded a standard of protection that is comparable to that under the PDPO. It is not anticipated that such requirements
prescribed by the PDPO will be as stringent and prescriptive as in other jurisdictions, for example the EU, and it is anticipated that
the PDPO will place the onus on organizations to ensure that appropriate measures are taken to protect personal data
transferred out of Brunei Darussalam through the imposition of contractual obligations or otherwise.
SECURITY
At present not a regulated activity save in relation to a “Financial Institution” – see Mandatory Breach Notification.
It is anticipated that under the PDPO, an organization must protect personal data in its possession or under its control by making
reasonable security arrangements to prevent:
unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks; and
the loss of any storage medium or device on which personal data is stored.
It is anticipated that under the PDPO data intermediaries will also be subjected to the same obligation to protect personal data in
their possession.
It is anticipated that the PDPO will provide for a reasonable standard for such security measures, taking into account factors such
as the nature and sensitivity of the data, the form in which personal data is stored and the impact on the individual if the personal
data is subject to unauthorized access, disclosure or other risks. However, it is not anticipated that the PDPO will stipulate specific
security measures to be adopted and implemented by organizations and data intermediaries.
BREACH NOTIFICATION
Mandatory Breach Notification
At present no legal requirement save in relation to a “Financial Institution” (i.e. banks, insurance companies, moneylenders,
pawnbrokers, moneychangers and securities service providers licensed in Brunei Darussalam).
It is anticipated that under the PDPO, organizations are required to, as soon as practicable, but in any case no later than 3
calendar days after the assessment, notify the Responsible Authority of a data breach that:
results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by a data breach
relates; or
is or is likely to be, of a significant scale.
Organizations are also anticipated to be required to notify the affected individuals on or after notifying the Responsible Authority
if the data breach results in, or is likely to result in, significant harm to an affected individual.
Further, it is anticipated that unreasonable delays in reporting breaches that cannot be justified will be considered a breach of the
data breach notification obligation.
Where a data breach is discovered by a data intermediary, it is anticipated that under the PDPO, the data intermediary will be
under a duty to notify the organization or the Responsible Authority of the data breach.
A Financial Institution is obliged to report to the Brunei Darussalam Central Bank, no later than 2 hours after confirmation of all
instances of cyber intrusion, disruption, malfunction, error or cybersecurity issues on a Financial Institution’s system, server,
network or end-point which has a severe or widespread impact on the operations and service delivery or has a material impact on
the Financial Institution.
ENFORCEMENT
At present no enforcement authority.
It is anticipated that under the PDPO the Responsible Authority will administer and enforce the PDPO and will have the powers
to do any of the following:
issue directions to organizations to:
stop collecting, using or disclosing personal data in contravention of the PDPO;
destroy personal data collected in contravention of the PDPO; or
provide access to or correct personal data.
impose a financial penalty of up to BND1 million or 10% of the annual turnover on an organization for negligent or
intentional breach of the PDPO.
ELECTRONIC MARKETING
No legal requirement to have privacy policies.
ONLINE PRIVACY
No legal requirement to have privacy policies.
KEY CONTACTS
Abraham, Davidson & CO.
www.adcobrunei.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.
Linus Tan
Associate
Abraham, Davidson & CO.
T +673 2242840
linus_tan@adcobrunei.com
Elaiza Hanum Merican
Associate
Abraham, Davidson & CO.
T +673 2242840
elaiza@adcobrunei.com
BULGARIA
Last modified 22 December 2021
LAW
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force
in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on
May 25, 2018, without requiring implementation by the EU Member States through national law.
A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.
However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their
own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among
the Member States.
Territorial Scope
Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a
wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.
However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to
the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the
offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their
behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.
Bulgaria implemented the EU Data Protection Directive 95/46/EC with the Personal Data Protection Act (in Bulgarian:
Закон за защита на личните данни), promulgated in the State Gazette No. 1 of January 4, 2002, as amended
periodically (Act). The Act came into force on January 1, 2002.
In view of the entry into force of Regulation (EU) 2016/679 (General Data Protection Regulation – ‘GDPR’), the Personal
Data Protection Act was amended by a law for amendment and supplementation which was promulgated in the State
Gazette No. 17 of February 26, 2019.
The Personal Data Protection Act as amended (hereinafter referred to as the ‘Personal Data Protection Act’) serves a
twofold purpose – it effectively implements the GDPR into national legislation and also transposes Directive (EU)
2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with
regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such
data, and repealing Council Framework Decision 2008/977/JHA.
The Personal Data Protection Act complements the GDPR by providing regulation to matters in the field of personal data
processing that have not been explicitly covered by the GDPR, or where the GDPR has left room for the exercise of
legislative discretion. As the regulation has direct effect and is applicable in all EU member-states without the need of
adopting a designated legislative act, the Bulgarian legislator has adopted the approach of directly referring to and
implementing the GDPR without repeating the core provisions of the regulation in the Personal Data Protection Act.
Under the Personal Data Protection Act the role of supervising authority is shared between the Commission for Personal
Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having competence only with regards to
data processing by courts, prosecution offices and criminal investigative bodies in their capacity as judicial authorities. The
Personal Data Protection Act further regulates the legal remedies in cases of violation of personal data law, the
accreditation and certification in the field of personal data protection, the administrative liability and the administrative
measures in cases of violations of its provisions.
DEFINITIONS
“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for
“identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is
personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location
data or other factors which may identify that natural person.
Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.
The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data
relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal
convictions and offences (Article 10).
The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set
of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.
Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who
“alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor
“processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR
imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.
The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.
Definition of personal data
The definition of personal data previously set forth in the Personal Data Protection Act was repealed following the
implementation of the GDPR; the Act now explicitly refers to the definition of personal data under art. 4 of the GDPR (§1 of the
Supplementary provisions of the Personal Data Protection Act).
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable
natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person.
Definition of sensitive personal data
The Personal Data Protection Act refers explicitly to the definitions under the GDPR, which apply directly in all EU member
states by virtue of the regulation’s direct effect.
NATIONAL DATA PROTECTION AUTHORITY
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the
Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working
Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing
guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie,
processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single
establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for
enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single
establishment, the so-called “lead supervisory authority” (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory
authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects
only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
The Bulgarian data protection authority (DPA) is the Personal Data Protection Commission (In Bulgarian: Комисия за
защита на личните данни, the ‘Commission’).
2 Professor Tsvetan Lazarov, Sofia 1592
Bulgaria
kzld@cpdp.bg
www.cpdp.bg
REGISTRATION
There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general
notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of
personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases
following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or
processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory
authority (Article 37(7)).
In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by
rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain
comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data
processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable
operational undertaking.
The requirement for registration of data controllers before the Commission for Personal Data Protection was repealed
with the implementation of the GDPR.
Pursuant to the Personal Data Protection Act, the Commission for Personal Data Protection maintains the following
public registers:
register of data controller and data processors who have appointed data protection officers containing the name
of the data controller/ data processor, the name of the appointed data protection officer and its contact details;
register of the accredited certifying bodies under art. 14 containing information on the name and the contact
details of the certifying body and on the period of validity of its accreditation;
register of codes of conduct which includes the name of the code, the name of the editor and the relevant
certification body, information about the sector concerned and its content.
The Commission also keeps (a) an internal register of established breaches of the GDPR and the Personal Data
Protection Act, (b) a register of the measures taken in accordance with art. 58, para 2 of the GDPR, and (c) a register of
the personal data destroyed on a monthly basis by providers of public electronic communication networks and / or
services in accordance with art. 251g of the Electronic Communications Act. These registers, however, are not public.
In accordance with the Rules of Procedure of the Commission for Personal Data Protection and its Administration, the
above-mentioned registers are held in electronic format and should be updated regularly.
DATA PROTECTION OFFICERS
Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
it is a public authority;
its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and
systematic monitoring of data subjects on a large scale; or
its core activities consist of processing sensitive personal data on a large scale.
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities
(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger
corporate groups may find it difficult in practice to operate with a single data protection officer).
DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the
DPO role to a service provider (Article 37(6)).
Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate
to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be
told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article
38(3)).
The specific tasks of the DPO, set out in GDPR, include (Article 39):
to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,
awareness raising and training staff;
to advise and monitor data protection impact assessments where requested; and
to cooperate and act as point of contact with the supervisory authority.
This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic
law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.
The Personal Data Protection Act does not set an explicit requirement to appoint a data protection officer, thus the
general requirement pursuant to the GDPR applies. Pursuant to the Personal Data Protection Act, data controllers are
obliged to communicate the personal details and contact details of the DPO, as well as any subsequent replacements,
before the Commission for Personal Data Protection, and will also have to publish their contact details. An approved
notification form, which was recently updated by the Commission for Personal Data Protection, is available at the
following website (only in Bulgarian language): https://www.cpdp.bg/userfiles/file/Documents_2020/UVEDOMLENIE_DLZD-KZLD
COLLECTION & PROCESSING
Data Protection Principles
Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under
these principles, personal data must be (Article 5):
processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with
those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up-to-date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which
the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and
organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability
principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to
demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping,
audit and appropriate governance will all form a key role in achieving accountability.
Legal Basis under Article 6
In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate
basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are
(Article 6(1)):
with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be
capable of being withdrawn at any time);
where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of
the data subject prior to entering into a contract;
where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited
to ‘life or death’ scenarios, such as medical emergencies);
where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority
vested in the controller; or
where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a
balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms
of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).
Special Category Data
Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in
effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an
Article 6 basis):
with the explicit consent of the data subject;
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and
social protection law or a collective agreement;
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally
incapable of giving consent;
in limited circumstances by certain not-for-profit bodies;
where processing relates to the personal data which are manifestly made public by the data subject;
where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in
their legal capacity;
where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to
the aim pursued and with appropriate safeguards;
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical
diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border
threats to health or ensuring high standards of health care and of medical products and devices; or
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with restrictions set out in Article 89(1).
Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to
processing genetic data, biometric data and health data.
Criminal Convictions and Offences data
Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an
official public authority, or specifically authorized by Member State domestic law (Article 10).
Processing for a Secondary Purpose
Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was
not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of
purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the
controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were
initially collected (Article 6(4)). These include:
any link between the original purpose and the new purpose
the context in which the data have been collected
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are
processed (with the inference being that if they are it will be much harder to form the view that a new purpose is
compatible)
the possible consequences of the new processing for the data subjects
the existence of appropriate safeguards, which may include encryption or pseudonymisation.
If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new
purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and
proportionate measure in a democratic society).
Transparency (Privacy Notices)
The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her
data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily
accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.
Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using
clear and plain language (Article 12(1)).
The following information must be provided (Article 13) at the time the data are obtained:
the identity and contact details of the controller;
the data protection officer’s contact details (if there is one);
both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate
interests for processing;
the recipients or categories of recipients of the personal data;
details of international transfers;
the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object
to processing and data portability;
where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
the consequences of failing to provide data necessary to enter into a contract;
the existence of any automated decision making and profiling and the consequences for the data subject; and
in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that
further processing, providing the above information.
Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.
Rights of the Data Subject
Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,
whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to
requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two
months where the request is onerous.
Right of access (Article 15)
A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information
about how the data have been used by the controller.
Right to rectify (Article 16)
Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.
Right to erasure (‘right to be forgotten’) (Article 17)
Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s
highest court ruled against Google (Judgment of the CJEU in Case C-131/12,
http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631),
in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt
on the basis that Google as a data controller of the search results had no legal basis to process that information.
The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the
data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise
of the objection right, or of the withdrawal of consent.
Right to restriction of processing (Article 18)
Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the
accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of
the data subject, or where the legitimate grounds for processing by the controller are contested.
Right to data portability (Article 20)
Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to
processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or
have transmitted to another controller all personal data concerning him or her in a structured, commonly used and
machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).
Right to object (Article 21)
Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where
processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they
demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.
In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at
any time.
The right not to be subject to automated decision making, including profiling (Article 22)
Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly
affects him or her” is only permitted where:
a. necessary for entering into or performing a contract;
b. authorized by EU or Member State law; or
c. the data subject has given their explicit (ie, opt-in) consent.
Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain
human intervention, to contest the decision, and to express his or her point of view.
The Personal Data Protection Act does not repeat the core provisions of the GDPR relating to collection and processing
of personal data in its body. However, following the direct effect of the GDPR in all EU member states, the provisions of
the regulation in this respect shall be applied in all cases of data collection and processing. The Personal Data Protection
Act explicitly provides that, in case the data subject provides his / her personal data to a data controller or a data
processor in breach of Art. 6, para (1) (legal grounds for processing) and Art. 5 (principles for data processing) GDPR, the
data controller / data processor must immediately return the data, or delete / destroy the data within one month
of becoming aware of the breach (art. 25a of the Personal Data Protection Act).
The Personal Data Protection Act also introduces additional rules relating to specific data processing situations:
Conditions applicable to child’s consent in relation to information society services – The Personal Data Protection
Act introduces a lower age of the data subject, under which the consent of a parent or a guardian would be
required for the lawful processing of personal data of a child in cases of direct provision of information society
services. Under the Personal Data Protection Act if the data subject is under 14 years old, a consent by a parent
exercising the parental rights or by guardian of the data subject is required for the lawful processing of the data.
Processing of personal identification number – Under the Personal Data Protection Act, public access to personal
identification number / personal identification number of a foreigner (‘PIN/PINF’) shall be granted only if required
by law. Data controllers providing electronic services should undertake appropriate technical and organizational
measures to prevent the PIN/PINF from being the sole identifier for the use of their services.
Processing and freedom of expression and information – Where personal data is processed for the exercise of
freedom of expression and information, including for journalistic purposes and for the purposes of academic,
artistic or literary expression, the data controller should assess the lawfulness of such processing in each
particular case. The Personal Data Protection Act sets a number of assessment criteria to be used by data
controllers/processors in the assessment of the lawfulness of processing such as the type of the personal data
processed, the impact of the public disclosure on the privacy of the data subject and his/her reputation etc.
However, the Bulgarian Constitutional Court (Decision No. 8 dated November 15, 2019) declared the assessment
criteria set forth by the Personal Data Protection Act to be unconstitutional. More particularly, the criteria were
found to be unclear, therefore creating unpredictability and legal uncertainty and disproportionately restricting
the freedom of expression and information. Based on this decision, the above-mentioned criteria no longer
apply. The balancing test between the freedom of expression and the right to information on the one hand and the protection of
personal data on the other shall be made on a case-by-case basis, taking into consideration the specific circumstances and
interests at stake. Further guidance in this respect was provided in a recent decision of the Supreme
Administrative Court (Decision No. 11636 dated November 16, 2021), which clarified how the balance between
these competing rights shall be assessed in each individual case.
Processing in the context of employment – The Personal Data Protection Act regulates explicitly certain matters
related to personal data processing in the context of an employment relationship. Employers may take a copy of an
employee’s identification documents, driving license or residence document only if required by law. In addition,
according to a statement by the Commission for Personal Data Protection, information on the criminal
background of employees can also be processed by employers only if explicitly provided for by law. Other
legal grounds, such as consent or legitimate interest, cannot be applied for the processing of criminal records
information.
information. Most recently, the Commission for Personal Data Protection has adopted several opinions
concerning the processing of employee health data by employers in the context of Covid-19; in particular, the
latter provide that employers:
cannot request information from a remote-working employee whether he/she (or any of his/her family
members) has tested positive for Covid-19; such information can only be disclosed voluntarily by the
employee;
may provide anonymized information to their employees about established Covid-19 cases in the
company (i.e. without revealing the identity of the infected employee(s));
can order/organize Covid-19 group testing of employees, without processing or having access to the test
results – since the latter contain sensitive health data, they can only be processed by competent health
authorities;
may process only aggregated data on the vaccination status of the employees, gathered voluntarily and on an
anonymous basis by the appointed Labour Medicine Office (a third-party service provider in the field of
occupational medicine, which each employer shall appoint) for the purposes of risk assessment of the health
and safety conditions at the workplace.
Employers should adopt rules and procedures for:
the use of a breach reporting system;
restrictions on the use of internal company resources;
the introduction of systems for access control, working time and labor discipline.
These rules and procedures shall contain information on the scope, obligations and methods with respect to their
application. The Personal Data Protection Act recognizes that the business purpose of the employer and the nature
of the related work processes shall have to be taken into account upon the adoption of the rules and procedures.
The rules and procedures will have to be brought to the attention of the employees.
Employers shall have to further determine a retention period for the personal data collected during the recruitment
process, which however may not be longer than six months, unless the candidate consented to a longer period.
Where the employer has, for recruitment purposes, requested original or notarized copies of documents certifying
the physical and mental fitness of the applicant, the required degree, or the length of service for the previous
positions occupied, the employer should return the submitted documents within six months of the conclusion of
the recruitment procedure unless otherwise provided by specific law.
Personal data processing by way of large-scale surveillance of publicly accessible areas – Under the Personal Data
Protection Act data controllers and data processors shall adopt internal rules for the processing of personal data
through systematic large-scale surveillance of publicly accessible areas, including via video surveillance. These rules
should put in place appropriate technical and organizational measures to ensure the protection of data subjects’
rights and freedoms. The Personal Data Protection Act provides a definition for ‘large-scale’ – a systematic
monitoring and / or processing of personal data of an unlimited number of data subjects. The rules for personal
data processing through large-scale surveillance of publicly accessible areas shall define the legal grounds and
objectives for the introduction of a monitoring system, the location, scope and means of monitoring / surveillance,
retention periods for the information records and their deletion, the right of review by the persons being subject
to surveillance, the means of informing the public about the monitoring carried out, as well as the restrictions on
granting access to such information to third parties. The minimum requirements for data controllers / data
processors with respect to the aforementioned obligations shall be published on the website of the Commission
for Personal Data Protection.
Processing of personal data of deceased persons
The Personal Data Protection Act stipulates that, when processing the personal data of deceased persons, data controllers
shall have to take appropriate measures to prevent the rights and freedoms of others and the public interest from being
adversely affected. In such cases, the data controller may retain the data only if there is a legal basis therefor. In addition,
data controllers shall provide, upon request, access to the personal data of a deceased person, including a copy thereof, to
his / her heirs or other persons with a legal interest.
TRANSFER
Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and
Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).
The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides
for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).
Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),
Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Korea, the United Kingdom, Eastern Republic of Uruguay
and New Zealand.
Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor
and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The
appropriate safeguards include among others binding corporate rules and standard contractual clauses. The EU – US Privacy Shield
Framework was invalidated by the European Court of Justice in the so-called Schrems II Decision, thus it can no longer be used
by data controllers and processors as a mechanism for cross-border data transfers from the EU to the US. On 4 June 2021 the
European Commission adopted a new set of standard contractual clauses for transfers outside the EU/EEA. Data controllers and
processors have until 27 December 2022 to renegotiate their existing data processing agreements based on the old set of
standard contractual clauses in order to reflect the new clauses adopted by the European Commission.
The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek
prior approval of standard contractual clauses from supervisory authorities.
The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:
explicit informed consent has been obtained;
the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject
between the controller and another natural or legal person;
the transfer is necessary for important reasons of public interest;
the transfer is necessary for the establishment, exercise or defence of legal claims;
the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
the transfer is made from a register which according to EU or Member State law is intended to provide information to the
public, subject to certain conditions.
There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the
purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data
subject; notification to the supervisory authority and the data subject is required if relying on this derogation.
Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised
or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in
force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is
no other legal basis for transfer will infringe the GDPR.
The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data transfer and does
not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all EU
member states, the provisions of the regulation relating to this matter shall be applied in all cases of data transfer.
SECURITY
Security
The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,
context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account
of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’
approach is therefore the antithesis of this requirement.
However the GDPR does require controllers and processors to consider the following when assessing what might constitute
adequate security:
the pseudonymization and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical
incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for
ensuring the security of the processing.
The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding security of personal data
and does not introduce any additional rules or requirements in this respect.
BREACH NOTIFICATION
The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,
and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as
any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal
data transmitted, stored or otherwise processed” (Article 4).
The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours
after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and
freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is
also required to notify the affected data subjects without undue delay (Article 34).
Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming
aware of the breach (Article 33(2)).
The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals
and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the
breach and the measures taken to mitigate harm (Article 33(3)).
Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory
authority) and permit audits of the record by the supervisory authority.
The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data breach notification
and does not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all
EU member states, the provisions of the regulation relating to this matter shall be observed. The Commission for
Personal Data Protection has recently adopted a template of data breach notification, which controllers may use. The
template is available online (https://www.cpdp.bg/userfiles/file/Documents_2021/UVEDOMLENIE%20po%20chl_%2033%20GDPR) in Bulgarian language only.
ENFORCEMENT
Fines
The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million
(whichever is higher).
It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of
an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that
‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European
Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the
Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the
specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same
undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be
scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent
for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some
circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen
whether there will be a direct read-across of this principle into GDPR enforcement.
Fines are split into two broad categories.
The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of
the preceding year, whichever is higher, apply to infringement of:
the basic principles for processing including conditions for consent;
data subjects’ rights;
international transfer restrictions;
any obligations imposed by Member State law for special cases such as processing employee data; and
certain orders of a supervisory authority.
The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide
turnover of the preceding year, whichever is the higher, apply to infringement of:
obligations of controllers and processors, including security and data breach notification obligations;
obligations of certification bodies; and
obligations of a monitoring body.
Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,
proportionate and dissuasive (Article 83(1)).
Fines can be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site
data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors:
any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to
receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means
that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf
(Article 80).
Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against
a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).
The functions of supervision and control of the compliance with the GDPR in Bulgaria are shared between the
Commission for Personal Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having
competence only with regards to data processing by courts, prosecution offices and criminal investigative bodies in their
capacity as judicial authorities.
The competences of the Commission are further defined by reference to art. 57 and 58 of the GDPR. Apart from
performing the powers under the GDPR, the Commission is also entitled to:
analyze and carry out overall supervision and ensure compliance with the GDPR, the Personal Data Protection
Act and the legislative acts in the area of personal data protection;
issue secondary legislation in the area of personal data protection;
ensure the implementation of the decisions of the European Commission on the protection of personal data and
the implementation of binding decisions of the European Data Protection Supervisor;
participate in international cooperation between data protection authorities and international organizations on
personal data protection issues;
participate in the negotiation and conclusion of bilateral or multilateral agreements on matters within its
competence;
organize, coordinate and conduct training in the field of personal data protection;
issue administrative acts related to its authority in the cases provided for by law;
adopt criteria for the accreditation of certification bodies;
bring proceedings before the court for breach of the GDPR;
issue mandatory instructions, give instructions and recommendations regarding the protection of personal data;
impose coercive administrative measures.
The internal Rules of Procedure of the Commission further clarify its tasks, procedures and rules for work of its
administration, as well as rules for the proceedings before the Commission.
The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding administrative sanctions,
but directly refers to the amounts of fines and pecuniary sanctions set out by the GDPR and the respective criteria for
their determination. The Personal Data Protection Act specifies that all sanctions shall be imposed in the BGN equivalent
of the EUR amounts set by the GDPR.
For other violations under the Personal Data Protection Act the data controller / data processor shall be subject to a fine
or a pecuniary sanction of up to BGN 5000.
The Commission’s decisions are subject to appeal before the Administrative Court Sofia within 14 days of receipt.
Decisions of the Administrative Court are subject to appeal before the Supreme Administrative Court which decisions are
final.
In case of a violation of his / her rights under the GDPR and the Personal Data Protection Act, every data subject is
entitled to refer the matter to the Commission for Personal Data Protection within one year of becoming aware of the
breach, but no later than five years from the breach taking place. In addition, data subjects shall be entitled to appeal the
actions and acts of the data controller / data processor directly before the administrative courts or the Supreme
Administrative Court, except where there are pending proceedings before the Commission for the same matter if a
decision regarding the same breach has been appealed and there is not yet a court decision in force. The transfer or
distribution of computer or system passwords which results in the illegitimate disclosure of personal data constitutes a
crime under the Bulgarian Criminal Code (promulgated in the State Gazette No. 26 of April 2, 1968, as amended
periodically) and the penalty for such a crime includes imprisonment for up to three years.
ELECTRONIC MARKETING
The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address
which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate
interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the
strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate
clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely
the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).
Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic
marketing) at any time (Article 21(3)).
Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive
2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced
by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its
draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,
GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.
As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR
standard for consent.
The Personal Data Protection Act does not introduce any rules relating specifically to e-marketing. As the legal grounds
for processing of personal data under the GDPR are also applicable in the area of e-marketing, the explicit consent of the
data subject is likely to be the most suitable ground for the purposes of e-marketing. In certain cases, such processing may
also be justified by legitimate interest – according to Recital 47 of the GDPR, direct marketing could be based on
legitimate interest, to the extent that: (i) it is targeted only to existing customers; and (ii) the customers can reasonably
expect to receive direct e-marketing communications. Still, the possibility to rely on legitimate interest for the purposes of
e-marketing would need to be assessed on a case-by-case basis.
In addition, although the provision of the Personal Data Protection Act regulating the right of the data subject to object to
any data processing for the purposes of direct marketing has been repealed, and the Act does not explicitly refer to the
respective provision of the GDPR, data subjects shall still be entitled, following the direct effect of the regulation, to object
before the data controller or the data processor to their personal data being processed for the purposes of e-marketing.
The Bulgarian Electronic Communications Act explicitly requires that, when it comes to direct marketing to natural persons,
an opt-in mechanism be applied. After the natural person’s consent is provided, the person shall always be
given the opportunity to opt out from the direct marketing network and refuse his / her personal data to be further
processed for such purposes.
ONLINE PRIVACY
Directive 2002/58 (E-Privacy Directive) is transposed into the Bulgarian Electronic Commerce Act. In 2011 the intention of the
legislator was to introduce the amendments of Art. 5(3) under Directive 2009/136. However, the final adopted text still replicates
the old wording before Directive 2009/136. The amendment itself was widely interpreted as implementing the text of Directive
2009/136 without, however, introducing the updated text.
Currently, instead of requiring the user’s consent, the relevant text in the Electronic Commerce Act states that users should be
provided with clear and comprehensive information in accordance with Art.13 of the GDPR and they must be given the
opportunity to refuse the storage or access to such information (i.e. opt-out regime).
KEY CONTACTS
Wolf Theiss
www.wolftheiss.com/
DATA PRIVACY TOOL
You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.
Anna Rizova
Partner
Wolf Theiss
T +359 2 8613703
anna.rizova@wolftheiss.com
BURKINA FASO
Last modified 10 January 2022
LAW
The data protection regime in Burkina Faso is governed by the following laws and regulations:
Law No. 001-2021 of March 30, 2021 on the protection of persons with regard to the processing of personal data.
Law 010-2004/AN on the protection of personal data.
Decree No. 2007-283/PRES/PM/MPDH of 18 May 2007 regarding the organisation and functioning of the Commission de
l’Informatique et des Libertés;
Decree No. 2007-757/PRES/PM/MPDH/MEF appointing the members of the Commission de l’Informatique et des Libertés; and
Order No. 2008/001/CIL fixing the internal regulations of the Commission de l’Informatique et des Libertés.
Burkina Faso also adopted, on 22 November 2013, the Marrakech resolution issued by the French-speaking association of
data protection authorities relating to the procedure for the supervision of transfers of personal data in the
French-speaking world by means of binding corporate rules.
DEFINITIONS
Definition of Personal Data
Any information that allows, in any form whatsoever, directly, or indirectly, the identification of natural persons, in particular by
reference to an identification number or to several characteristics specific to their physical, psychological, mental, economic,
cultural or social identity (Article 5 of the Law).
Definition of Sensitive Personal Data
Any personal data relating to the data subject’s health or that reveal racial or ethnic origins, political, philosophical or religious
opinions, union membership, morals, investigation and prosecution of offenders, criminal or administrative penalties, related
security measures or other measures of a similar nature (Article 5 of the Law).
NATIONAL DATA PROTECTION AUTHORITY
Burkina Faso’s data protection authority is the Commission de l’Informatique et des Libertés (‘CIL’).
The CIL draws its membership from various segments of society. It is charged with:
making individual or regulatory decisions in cases provided for under the law
assisting with data processing inspections and obtaining all information and documents needed for its mission
issuing model rules to ensure security; and where appropriate, prescribing safety measures including the destruction of
information
issuing enforcement notices to data controllers and sharing with the prosecutor’s office the offenses of which the body is
aware
ensuring that the implementation of the right of access and rectification indicated in the acts and declarations do not
impede the free exercise of this law
receiving complaints and petitions
staying informed of the latest technological developments, and keeping abreast of their effects on the right to the protection
of privacy, the exercise of freedoms, and the functioning of democratic institutions
advising individuals and organisations that use automated processing, or who carry out tests or experiments likely to lead
to such processing
responding to requests for public opinion
proposing legislation or regulations to the Government to adapt the protection of freedoms to technological evolution
REGISTRATION
There is no country-wide system of registration in Burkina Faso. However, the law imposes an obligation of notification and annual
reporting to the National Data Protection Authority. These annual reports provide information on the activity of those responsible for personal
data throughout the year concerned.
DATA PROTECTION OFFICERS
We have not identified any obligation to appoint a data protection officer (‘DPO’) or any other equivalent role in the law.
COLLECTION & PROCESSING
Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. These
include:
consent and legitimacy: unless otherwise provided by law, data controllers are obligated to obtain consent from the
data subject
purpose: personal data can only be collected and processed for a specific and legitimate purpose
proportionality and relevance: personal data must only be processed in a relevant and necessary manner regarding
the purpose and objectives of the processing
lawfulness and fairness: data controllers must collect and process data in a fair, lawful, and not fraudulent manner
data retention: a specified period of time should be determined in advance depending on the purpose of processing to
ensure that personal data is not stored indefinitely.
security and confidentiality: all responsible persons for processing personal data must not only ensure the security of
data or files to prevent their destruction, or alteration; but also prevent unauthorised access to personal data contained in
a file or intended to form part of the files
preliminary formalities: unless an exception or exemption is provided by law, all data controllers shall, depending on the
nature of the personal data processing, notify the CIL, seek its opinion or obtain its approval, as applicable.
Except where provided otherwise by the law, any processing of personal data shall be carried out with the express consent of the
data subject(s).
The processing of personal data can legally be carried out without the consent of the data subject(s), when it is necessary for:
the performance of a contract to which the data subject is a party; or
pre-contractual measures taken at the request of the data subject;
compliance with a legal obligation to which the controller is subject and when the processing is essential to protect the life
of the data subject or that of a third party;
the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of
health services, provided that it is carried out by a member of a health profession or by another person who, by reason of
his/her duties, is bound by professional secrecy;
the establishment of an offence, a right, or the exercise or defence of a right in a court of law and when the said
processing relates to data made public by the data subject.
A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information
about how the data have been used by the controller. The data subject may require inaccurate or incomplete personal data to be corrected
or completed without undue delay.
Data subjects may request erasure of their personal data. The data subject has the right to object to processing on the legal basis of the
legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend
processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the
rights of the data subject.
Unless an authorisation is required, the law provides that controllers should notify all processing to the CIL. The following are
exempt from the notification requirement to CIL:
temporary copies that are made as part of the technical activities of transmission and provision of access to a digital
network for the purpose of automatic intermediate and transitory storage of data for the sole purpose of allowing other
recipients of the service the best possible access to the information;
processing carried out by a natural person for the exercise of exclusively personal or domestic activities;
disclosed to third parties and not used to support actions or decisions against an individual;
automated processing of personal data for the purpose of research in the field of health;
automated processing of personal data carried out on behalf of the State, a public institution, a local authority or a legal
person under private law managing a public service.
With respect to day-to-day processing of data which do not infringe on privacy or freedoms, the Law provides that the CIL
establishes and publishes ‘simplified norms,’ which shall include certain information, including:
the date of the declaration;
the full name and address or the name and headquarters of the person making the request and the person who has the
power to decide on the creation of the data processing (data controller) or, if he or she resides abroad, his or her
representative in Burkina Faso;
the characteristics, purpose and, if applicable, the name of the data processing operation;
the department or departments responsible for carrying out the processing;
the department to which the right of access is to be exercised and the measures taken to facilitate the exercise of this
right
the categories of persons who, by reason of their functions or for the needs of the service, have direct access to the
information recorded;
the personal information processed, its origin and the length of time it is kept, as well as the recipients or categories of
recipients authorized to receive this information;
the reconciliation, interconnection or any other form of linking of this information as well as its transfer to third parties;
the measures taken to ensure the security of data and information processing and the guarantee of secrets protected by
law;
if the data processing is intended for the dispatch of personal data between the territory of Burkina Faso and abroad in
any form whatsoever, including when it is the object of operations partially carried out on the territory of Burkina Faso
from operations previously carried out outside Burkina Faso.
When processing complies with a simplified norm issued by the CIL, no authorisation or notification is required, but only a
‘simplified declaration of conformity,’ to the said norm is required. The simplified declaration of conformity shall be sent to the
CIL. Unless otherwise decided by the CIL, a receipt is issued without delay after the simplified declaration of conformity has been
sent to the CIL. As from receiving this receipt, the applicant can start carrying out the processing.
Except in cases where they are to be authorised by law, automated processing of personal data carried out on behalf of the State,
or on behalf of any public institution, local authority, or on behalf of a private legal person operating a public service, must be
authorised by decree after the CIL’s approval. In the case of a negative opinion by the CIL, an appeal can be lodged to the
Administrative Supreme Court (Conseil d’Etat).
TRANSFER
The provisions of the Law pertaining to international transfers are broadly drafted.
According to said provisions, international transfers cannot be made without the respect of the following conditions:
To request the authorisation of the CNIL;
To sign a data confidentiality clause and a data reversibility clause with the contracting party in order to facilitate the
complete migration of the data at the end of the contract;
To implement technical and organisational security measures.
Additionally, the transfer can only be made to a foreign country or an international organisation if the beneficiary country or
international organisation ensures an adequate level of protection equal to the one ensured in Burkina Faso (Article 42 of the
law).
As a signatory to the Marrakech Resolution of 22 November 2013, Burkina Faso recognizes the application of the French-speaking
RCE, which consist of a code of conduct by which a group of companies defines its internal policy on the transfer of personal data.
The RCE are based on and designed after the model of the European Commission’s binding corporate rules (‘BCR’).
In practice, the RCE mechanism concerns the authorities of the AFAPDP member countries that have adopted the cooperation
protocol and the resolution on the framework for data transfers in the French-speaking area. This concerns at least the
following 13 countries: Albania, Andorra, Belgium, Benin, Burkina Faso, France, Gabon, Luxembourg, Mauritius, Morocco, Senegal,
Switzerland and Tunisia.
The RCE cover intra-group transfers of personal data carried out by a company established in an AFAPDP member country, to
other companies of the group, whether the latter are located in an AFAPDP member country or not.
SECURITY
The personal data Act is not prescriptive about specific technical standards or measures.
However, Article 24 states that the data controller shall take all necessary measures, in view of the nature of the data and the
architecture of the processing, in particular to prevent the data from being distorted, damaged, lost, stolen or accessed by
unauthorised parties.
BREACH NOTIFICATION
Not applicable.
Mandatory breach notification
We have not identified, in the law, any general obligation to notify the data subject in the case of a security breach. However,
Article 21 of the law provides that in the event where ‘information has been transmitted by mistake to a third party, its
rectification or cancellation shall be notified to that third party, unless an exemption is granted by the control authority’ (i.e. the
CIL).
ENFORCEMENT
As of 14 December 2021, we have not identified any notable enforcement decision issued by the CIL pertaining to the law.
ELECTRONIC MARKETING
The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an
email address which includes the recipient’s name).
The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 49 of law No.
045-2009/AN of November 10, 2009 regulating electronic services and transactions in Burkina Faso and Article 14 of the personal
data Act).
Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 20 of
the Personal Data Act.
The data subject has the right to object at any time to the use of his/her personal data for such marketing.
This right to object must be explicitly brought to the attention of the data controller.
However, the data controller may not respond favourably to a request to exercise the right to object if it demonstrates the
existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data
subject.
ONLINE PRIVACY
The Law does not provide any specific rules governing cookies and location data.
However, pursuant to Article 10 of the Law, the data controller must implement all appropriate technical and organisational measures
to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction,
accidental loss, alteration, distribution or access by unauthorised persons.
KEY CONTACTS
Geni & Kebe
www.dlapiperafrica.com/senegal
Dr. Sangare Mouhamoud
Associate
Geni & Kebe
T +2250779107541
m.sangare@gsklaw.sn
Dr. Francky Lukanda
Senior Associate
Geni & Kebe
T +2250584344660
f.lukanda@gsklaw.sn
BURUNDI
Last modified 28 January 2019
LAW
Burundi does not have a law that specifically regulates personal data protection. However, several laws and regulations currently in
force contain data protection provisions or impose confidentiality obligations on specific types of personal information. For
example, employment, banking, telecommunications and health sector laws impose some data protection requirements. Such
provisions generally require covered entities to maintain the confidentiality of personal information.
Under Law n° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, healthcare
institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases
provided for by law.
Law No. 1/17 of August 22, 2017 governing banking activities: Article 133 imposes confidentiality obligations on customer
and account information. This article provides that any person who contributes to the operation, control or supervision
of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions without
prejudice to disciplinary proceedings.
Several Ministerial Orders applicable to the telecommunications sector have been adopted to protect the privacy of and
restrict access to and interception of the contents of communications (Legislative Decree No. 100/153 of June 17, 2013
on the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi;
Decree-Law No. 100/112 of April 5, 2012 on the Reorganization and Operation of the Telecommunications Regulatory
and Control Agency ‘ARCT’; Ministerial Ordinance No. 730/1056 of November 7, 2007 on the interconnection of
telecommunications networks and services opened to the public).
DEFINITIONS
Definition of personal data
Not specifically defined.
Definition of sensitive personal data
Not specifically defined.
NATIONAL DATA PROTECTION AUTHORITY
There is no national data protection authority in Burundi.
REGISTRATION
There is no requirement to register databases.
DATA PROTECTION OFFICERS
There is no requirement to appoint a data protection officer.
COLLECTION & PROCESSING
Most sector specific laws and regulations that impose confidentiality and data protection requirements apply to covered entities
under the law or regulation, and require such entities to maintain the confidentiality of personal information during processing.
TRANSFER
No geographic transfer restrictions apply in Burundi. Certain sector specific provisions require companies to obtain consent prior
to third party transfers of personal information. Notably, under Article 16 of Law n ° 1/012 of May 30, 2018 on the Code of
Health Care and Health Services Provision in Burundi, “every patient has the right to decide on the use of the medical information
concerning him and the conditions under which they may be transmitted to third parties.”
SECURITY
There are no specific data security requirements in Burundi.
BREACH NOTIFICATION
There are no breach notification requirements in Burundi.
ENFORCEMENT
The relevant sector specific agency or regulator is generally authorized to enforce violations of confidentiality requirements.
ELECTRONIC MARKETING
There are no specific electronic marketing requirements in Burundi.
ONLINE PRIVACY
There are no specific online privacy requirements in Burundi.
KEY CONTACTS
Claver Nigarura
Managing Partner
Rubeya & Co-Advocates
T +257 22 24 89 10
claver@rubeya.bi
CAMBODIA
Last modified 17 December 2021
LAW
Cambodia has not yet enacted any comprehensive data protection legislation.
The most recent update to the country’s data protection landscape has come in the form of the E-Commerce Law, which contains
provisions for the protection of consumer data that has been gathered over the course of electronic communications. The
E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.
Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the
Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, and the Criminal Code of the Kingdom of
Cambodia 2009.
DEFINITIONS
Definition of Personal Data
Cambodian law does not specifically define the term “personal data,” or discuss what specific information constitutes personal
data.
The E-commerce Law defines the term “data” as “a group of numbers, characters, symbols, messages, images, sounds, videos,
information or electronic programs that are prepared in a form suitable for use in a database or an electronic system”.
Due to the absence of a definition of “personal data”, it remains plausible that any data of a data subject may be viewed by the
regulatory and enforcement authorities as personal data of that data subject. Therefore, conventional data, such as full names,
national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses,
biometric data, IP addresses, and other network identifiers, etc., may arguably constitute personal data.
Definition of Sensitive Personal Data
There is no express definition of what constitutes sensitive personal data. That said, based on laws applicable to persons and
entities in other sectors (such as doctors and banks), the types of data below are generally considered to be of a more sensitive
nature, and thus should be handled with more stringent data protection mechanisms:
medical data
financial data
personal data of children, and
personal identifiers (e.g., national identification cards and passport details).
As there is no clear limit as to the scope of what may be considered sensitive data, any data of a data subject should be prudently
treated as sensitive data to the greatest extent possible.
NATIONAL DATA PROTECTION AUTHORITY
Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are
specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia.
That said, the following governmental bodies may have substantial powers over data protection matters:
the Ministry of Commerce (“MOC”)
the Ministry of Post and Telecommunications (“MPTC”), and
the Ministry of Interior (“MOI”).
REGISTRATION
Since Cambodia does not have any dedicated laws on data protection, there are no specific registration requirements for data
protection. However, “Electronic Commerce Service Providers” and “Intermediaries” (in an e-commerce context), who would
likely store, process and transfer the data of the data subjects, must register with the MOC and MPTC.
Under the E-Commerce Law, “Electronic Commerce Service Providers” are defined as persons who use electronic means to
supply goods and/or services, except insurance institutions, and an “Intermediary” is broadly defined as a person who provides
services of sending, receiving, transmitting or storing, either on a temporary or permanent basis, electronic communications, or
other services relating to electronic communications, including persons who represent the originators; persons providing means of
seeking any data in an electronic system; persons providing online marketing and online commercial services; and other persons as
specified under the E-Commerce Law.
DATA PROTECTION OFFICERS
Since Cambodia does not have any dedicated laws on data protection, there are no specific requirements in Cambodia to appoint
data protection officers who are specifically tasked with handling, overseeing or implementing data protection matters in
Cambodia.
COLLECTION & PROCESSING
As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations in Cambodia
that explicitly and specifically discuss the concept of collection and processing of data.
Based on Cambodia’s existing legal framework for data privacy, seven data protection obligations are either implied or explicitly
imposed. Those obligations are discussed below.
1. Consent Obligation: Obtain consent from the individual before collecting, using, or disclosing his/her personal data for a
purpose. Organizations should allow an individual who previously gave consent to withdraw his/her consent.
2. Purpose Limitation Obligation: Collect, use, or disclose personal data about an individual only for purposes that are
reasonable and that have been disclosed/notified to the individual concerned.
3. Disclosure/Notification Obligation: Disclose to or notify the individual of the purpose(s) for which the organization
intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the
personal data. The purposes notified must be reasonable.
4. Correction Obligation: Correct any incorrect or inaccurate personal data of a data subject that is in the possession or
under the control of the organization upon request of the data subject.
5. Access Obligation: Allow data subjects to access their personal data in the possession or under the control of an
organization for correcting the information under the Correction Obligation.
6. Protection Obligation: Protect personal data in its possession or under its control by taking necessary measures to
prevent loss, unauthorized access, use, alteration, leak, disclosure, or otherwise.
7. Retention Obligation: Retain all personal data that is in its system, and that may give rise to civil and criminal liability.
TRANSFER
While Cambodian law does not explicitly prohibit an organization from transferring data, it implies a disclosure/notification
obligation under its existing legal framework for data protection. Personal data can only be collected, used, or disclosed for
purposes that the individual understands and has given consent to at the time of giving initial consent or a new consent. Such
purposes must be disclosed or notified to data subjects in a reasonable manner based on the circumstances.
Where the use and disclosure of the personal data is for a purpose different from that for which it was initially collected, it is
necessary to notify the individual of the new purpose and obtain a new consent unless:
the new purpose is within the scope of the original consent, or
implied consent can be established.
Implied consent refers to any act that is generally recognized as consent under applicable trade practices. However, it is
recommended that a new consent that is express and written be obtained once service providers use or disclose personal data for
a purpose different from that for which it was collected.
When a service provider is seeking consent from the data subject, the service provider must disclose or notify the data subjects of
the purpose(s) for which it intends to collect, use or disclose the data subjects’ personal data before such collection, use or
disclosure of the personal data. Cambodia’s laws related to data protection do not prescribe how an organization should notify
individuals. Organizations must determine what would be the most appropriate form of notification. The form of the
disclosure/notification to obtain each data subject’s consent should be as close to a formal contract as possible. Moreover,
requirements such as clicking on the consent button, typing a full legal name for the signature, and/or scrolling through all terms of
the disclosure/notification should be implemented. Furthermore, disclosures/notifications to the individuals regarding the purpose
of the collection, use, and disclosure of personal data must not be too vague or broad in scope; an appropriate level of specificity
should be provided.
Therefore, where the organization will be disclosing or transferring personal data to third parties, the organization should notify
the individuals of such disclosure or transfer. Any consent provided by the individual without first being disclosed or notified of the
purposes would not be valid.
SECURITY
Article 32 of the E-Commerce Law directly addresses matters of data protection in the course of electronic communication.
Service providers that electronically store consumers’ private information must take all reasonable security measures to avoid
loss, modification, leakage, and/or unauthorized disclosure of all consumer data. The E-Commerce Law notes, however, that
disclosures are allowable with the consent of authorities, or with the consent of the individual whose data is being disclosed. The
E-Commerce Law does not provide specific guidelines as to how or what mechanisms are required. It is simply required that any
measures could be used as long as they could reasonably protect the data from loss, or unauthorized access, use, alteration, or
disclosure without authorization or illegally.
The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This
provision potentially allows governmental authorities to order the decryption of data implicated in an investigation.
The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic
system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in
bad faith or without authorized permission.
In case the service provider is not under the scope of the E-Commerce Law, the obligations under the laws of general application
that require consent of data subjects when collecting, using, disclosing, and processing data would imply that the service provider
still needs to protect data from any unauthorized acts.
BREACH NOTIFICATION
There is no breach notification requirement under Cambodian law.
ENFORCEMENT
Since there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing
personal data protection matters in Cambodia, the enforcement of the data protection would generally fall under the auspice of
authorities across various sectors:
the Ministry of Commerce
the Ministry of Post and Telecommunications, and
the Ministry of Interior.
ELECTRONIC MARKETING
Since Cambodia does not have any dedicated laws on data protection, there are no special requirements when obtaining consent
for marketing purposes. The E-commerce Law suggests that it is not necessary to obtain consent from the individual to send
marketing communications as long as each marketing communication has clear and straightforward opt-out instructions and the
individual has not previously exercised his/her opt-out right. Electronic marketing in Cambodia is subject to the general laws
relating to digital marketing issues including:
Law on Consumer Protection, which prohibits “unfair practices” in relation to consumer transactions. Unfair practices
include unfair sales; bait advertising; unfair solicitation sales; demanding or accepting payments without intention to supply
goods or services per the purchase order; making a false claim or representation of some business activity; coercion by
force and mental threats; pyramid schemes; selling goods bearing a false trade description; and any other unfair practices.
Law Concerning Marks, Tradenames and Acts of Unfair Competition, is relevant to comparative advertising. The following
acts are considered acts of unfair competition: all acts that create confusion with the establishment, the goods, or the
industrial, commercial or service activities of a competitor; false allegations in the course of trade of such a nature as to
discredit the establishment, the goods, or the industrial, commercial or service activities of a competitor; and indications
or allegations of the use of marks which, in the course of trade, misleads the public as to the nature, manufacturing
process, characteristics, suitability for their purpose, or quantity of the goods.
Telecommunications Law, prohibiting all activities against the principles of fair, free, equal, and effective competition.
Other regulations on the Management of Advertisement on Website, Social Network, Mass Media and Mobile Phone
Operators.
ONLINE PRIVACY
As mentioned under Transfer, personal data can only be collected, used, or disclosed for purposes that the individual understands
and has given consent to at the time of giving initial consent or a new consent. Such purposes must be disclosed or notified to data
subjects in a reasonable manner based on the circumstances. That said, any personal data, including location data, can only be
collected and shared online through website cookies after the organization obtains consent from the data subject.
For obtaining consent from the data subject, please refer to the Transfer section.
KEY CONTACTS
Jay Cohen
Partner and Director of Cambodian Office
Tilleke & Gibbins (Cambodia) Ltd
T (+855) 17 87 57 238
jay.c@tilleke.com
Sochanmalisphoung Vannavuth
Associate
Tilleke & Gibbins (Cambodia) Ltd
T (+855) 10 61 65 91
sochanmalisphoung.v@tilleke.com
CANADA
Last modified 24 January 2022
LAW
In Canada there are 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under
other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in
the private, public and health sectors. Although each statute varies in scope, substantive requirements, remedies and enforcement
provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information.
The summary below focuses on Canada’s private sector privacy statutes:
Personal Information Protection and Electronic Documents Act (‘PIPEDA’)
Personal Information Protection Act (Alberta) (‘PIPA Alberta’)
Personal Information Protection Act (British Columbia) (‘PIPA BC’)
An Act Respecting the Protection of Personal Information in the Private Sector (‘Quebec Privacy Act’), (collectively,
‘Canadian Privacy Statutes’)
We expect PIPEDA to be significantly amended or replaced by a new federal statute sometime during this session of Parliament
(before October 2025). In the previous session of Parliament, the federal government introduced Bill C-11, which would have
replaced PIPEDA with the Consumer Privacy Protection Act (‘CPPA’). The CPPA made it to second reading, but died on the
order paper when the 2021 Federal Election was called. The CPPA would have provided additional rights to data subjects (e.g.
portability of data), expanded the requirements for valid data subject consent, and set out new monetary penalties of up to 5% of
annual global revenue. Bill C-11 faced significant debate, but we expect a new version of the bill to be introduced at some point
during this session of Parliament as the Federal Government seeks to align Canadian privacy law with that of California and the
European Union.
PIPEDA applies to all of the following:
Consumer and employee personal information practices of organizations that are deemed to be a ‘federal work,
undertaking or business’ (e.g. banks, telecommunications companies, airlines, railways, and other interprovincial
undertakings)
Organizations who collect, use and disclose personal information in the course of a commercial activity which takes place
within a province, unless the province has enacted ‘substantially similar’ legislation (PIPA BC, PIPA Alberta and the Quebec
Privacy Act have been deemed ‘substantially similar’)
Inter provincial and international collection, use and disclosure of personal information in connection with commercial
activity
PIPA BC, PIPA Alberta and the Quebec Privacy Act apply to both consumer and employee personal information practices of
organizations within BC, Alberta and Quebec, respectively, that are not otherwise governed by PIPEDA.
The province of Quebec recently enacted a major reform of its privacy legislation with the adoption of Bill 64. Bill 64 received
Royal Assent on September 22, 2021, and its various provisions will be coming into force gradually between 2022 and 2024. With
Bill 64’s changes, Quebec now has a modern legal framework for privacy that resembles the European GDPR in several key areas.
DEFINITIONS
Definition of personal data
‘Personal information’ includes any information about an identifiable individual (business contact information is expressly “carved
out” of the definition of ‘personal information’ in some Canadian privacy statutes).
The Quebec Privacy Act, as modified by Bill 64, has broadened the definition of “personal information” to include any information
that allows an individual to be identified indirectly as well as directly.
Definition of sensitive personal data
Not specifically defined in Canadian Privacy Statutes, except for the Quebec Privacy Act.
The Quebec Privacy Act, as modified by Bill 64, defines “sensitive personal information” as any information that, by virtue of its
nature (e.g. biometric or medical), or because of the context in which it is used or communicated, warrants a high expectation of
privacy. The Quebec Privacy Act has stricter consent requirements in certain situations for the use and communication of
personal information qualified as sensitive.
Definition of anonymized information
The Quebec Privacy Act, as modified by Bill 64, defines “de-personalized information” as any information which no longer allows
the concerned individual to be identified directly.
Definition of biometric information
The Quebec CAI (Commission d’accès à l’information) defines “biometric information” as information measured from a person’s
unique physical, behavioural or biological characteristics.
NATIONAL DATA PROTECTION AUTHORITY
REGISTRATION
There is no general registration requirement under Canadian Privacy Statutes.
Some registration requirements exist under Quebec privacy laws:
Personal information agents, defined as “any person who, on a commercial basis, personally or through a representative,
establishes files on other persons and prepares and communicates to third parties credit reports”, must be registered with
the CAI
Databases of biometric information must be disclosed to and registered with the CAI
DATA PROTECTION OFFICERS
PIPEDA, PIPA Alberta, and PIPA BC expressly require organizations to appoint an individual responsible for compliance with the
obligations under the respective statutes.
Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require organizations to appoint a person
responsible for the protection of personal information, who is in charge of ensuring compliance with privacy laws within the
organization. By default, the person with the highest authority within the organization will be the person responsible for the
protection of personal information; however, this function can be delegated to any person, including a person outside of the
organization.
This person’s responsibilities are broadly defined in the law and include:
Approval of the organization’s privacy policy and practices
Mandatory privacy assessments
Responding to and reporting security breaches, and
Responding to and enacting access and rectification rights
The contact information of the person responsible for the protection of personal information must be published online on the
website of the organization.
COLLECTION & PROCESSING
https://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
Data Protection Laws of the World Canada 195 | | | www.dlapiperdataprotection.com
Canadian Privacy Statutes set out the overriding obligation that organizations only collect, use and disclose personal information
for purposes that a reasonable person would consider appropriate in the circumstances.
Subject to certain limited exceptions prescribed in the Acts, consent is required for the collection, use and disclosure of personal
information. Depending on the sensitivity of the personal information, consent may be opt in or opt out. Under the Quebec
Privacy Act, consent must be “manifest, free, and enlightened”, and implicit or opt-out consent is generally not considered valid.
Organizations must limit the collection of personal information to that which is necessary to fulfil the identified purposes and only
retain such personal information for as long as necessary to fulfil the purposes for which it was collected.
Each of the Canadian Privacy Statutes has both notice and openness/transparency requirements. With respect to notice,
organizations are generally required to identify the purposes for which personal information is collected at or before the time the
information is collected. With respect to openness/transparency, Canadian Privacy Statutes generally require organizations to make
information about their personal information practices readily available.
All Canadian Privacy Statutes contain obligations on organizations to ensure personal information in their records is accurate and
complete, particularly where the information is used to make a decision about the individual to whom the information relates or if
the information is likely to be disclosed to another organization.
Each of the Canadian Privacy Statutes also provides individuals with the following:
A right of access to personal information held by an organization, subject to limited exceptions;
A right to correct inaccuracies in/update their personal information records; and
A right to withdraw consent to the use or communication of personal information.
In addition to these rights, the Quebec Privacy Act, as modified by Bill 64, will create a right for individuals to have their personal
information deindexed (coming into force September 2023) and to data portability (coming into force September 2024).
Finally, organizations must have policies and practices in place that give effect to the requirements of the legislation and
organizations must ensure that their employees are made aware of and trained with respect to such policies.
TRANSFER
When an organization transfers personal information to a third party service provider (ie, who acts on behalf of the transferring
organization; although Canadian legislation does not use these terms, the transferring organization would be the “controller” in
GDPR parlance, and the service provider would be a “processor”), the transferring organization remains accountable for the
protection of that personal information and ensuring compliance with the applicable legislation, using contractual or other means.
In particular, the transferring organization is responsible for ensuring (again, using contractual or other means) that the third party
service provider appropriately safeguards the data, and would also be required under the notice and openness/transparency
provisions to reference the use of third party service providers in and outside of Canada in their privacy policies and procedures.
These concepts apply whether the party receiving the personal information is inside or outside Canada. Transferring personal
information outside of Canada for storage or processing is generally permitted so long as the requirements discussed above are
addressed, and the transferring party notifies individuals that their information may be transferred outside of Canada and may be
subject to access by foreign governments, courts, law enforcement or regulatory agencies. This notice is typically provided
through the transferring party’s privacy policies.
With respect to the use of foreign service providers, PIPA Alberta specifically requires a transferring organization to include the
following information in its privacy policies and procedures:
The countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and
The purposes for which the third party service provider outside Canada has been authorized to collect, use or disclose
personal information for or on behalf of the organization
Under PIPA Alberta, specific notice must also be provided at the time of collection or transfer of the personal information and
must specify:
The way in which the individual may obtain access to written information about the organization’s policies and practices
with respect to service providers outside Canada, and
The name or position name or title of a person who is able to answer on behalf of the organization the individual’s
questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for
or on behalf of the organization.
In addition, under the Quebec Privacy Act, an organization must take reasonable steps to ensure that personal information
transferred to service providers outside Quebec will not be used for other purposes and will not be communicated to third
parties without consent (except under certain exceptions prescribed in the Act). The Quebec Privacy Act also specifically provides
that the organization must refuse to transfer personal information outside Quebec where it does not believe that the information
will receive such protection.
Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require all organizations, before transferring
personal information outside of the province of Quebec, to conduct data privacy assessments and enact appropriate contractual
safeguards to ensure that the information will benefit from adequate protection in the jurisdiction of transfer. These assessments
must take into account the sensitivity of the information, the purposes, the level of protection (contractual or otherwise) and the
applicable privacy regime of the jurisdiction of transfer. Quebec has decided not to implement a system of adequacy decisions, and
therefore assessments will likely be required prior to any cross-jurisdiction transfer.
SECURITY
Each of the Canadian Privacy Statutes contains safeguarding provisions designed to protect personal information. In essence, these
provisions require organizations to take reasonable technical, physical and administrative measures to protect personal
information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. These laws do not
generally mandate specific technical requirements for the safeguarding of personal information.
BREACH NOTIFICATION
Currently, PIPEDA and PIPA Alberta are the only Canadian Privacy Statutes with breach notification requirements. Bill 64 added
breach notification requirements to the Quebec Privacy Act, which will come into force on September 22, 2022.
In Alberta, an organization having personal information under its control must, without unreasonable delay, provide notice to the
Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a
reasonable person would consider that there exists a real risk of significant harm to an individual as a result.
Notification to the Commissioner must be in writing and include:
A description of the circumstances of the loss or unauthorized access or disclosure
The date or time period during which the loss or unauthorized access or disclosure occurred
A description of the personal information involved in the loss or unauthorized access or disclosure
An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure
An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or
unauthorized access or disclosure
A description of any steps the organization has taken to reduce the risk of harm to individuals
A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure,
and
The name and contact information for a person who can answer, on behalf of the organization, the Commissioner’s
questions about the loss or unauthorized access or disclosure
Where an organization suffers a loss of or unauthorized access to or disclosure of personal information as to which the
organization is required to provide notice to the Commissioner, the Commissioner may require the organization to notify the
individuals to whom there is a real risk of significant harm. This notification must be given directly to the individual (unless
specified otherwise by the Commissioner) and include:
A description of the circumstances of the loss or unauthorized access or disclosure
The date on which or time period during which the loss or unauthorized access or disclosure occurred
A description of the personal information involved in the loss or unauthorized access or disclosure
A description of any steps the organization has taken to reduce the risk of harm, and
Contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized
access or disclosure
The breach notification provisions under PIPEDA are very similar to the breach notification provisions under PIPA Alberta. The
main difference is that PIPEDA requires organizations to notify both the affected individuals and the federal regulator if the breach
creates a real risk of significant harm to the individuals (whereas PIPA Alberta requires the initial notice only to the regulator, and
then to the individuals if the regulator requires it). In practice, many organizations notify affected Albertans regardless of whether
the Alberta Commissioner requires it (and the Commissioner typically does require it for most reported breaches in any event).
Further, under PIPEDA, organizations must also keep a record of ALL information security breaches, even those which do not
meet the risk threshold of a “real risk of significant harm.”
The new Quebec Privacy Act, as modified by Bill 64, will introduce a number of new obligations in connection with “confidentiality
incidents”, which are defined as unauthorized access, use, or communication of personal information, or the loss of such
information. These include:
A general obligation to prevent and remedy security incidents
The obligation to notify the CAI and the person affected whenever the incident presents a risk of “serious injury.” Factors
to consider when evaluating the risk of serious injury include the sensitivity of the information concerned, the anticipated
consequences of the use of the information and the likelihood that the information will be used for harmful purposes, and
The obligation to keep a register of security incidents, with the CAI having extensive audit rights over that register
ENFORCEMENT
Privacy regulatory authorities have an obligation to investigate complaints, as well as the authority to initiate complaints.
Under PIPEDA, a complaint must be investigated by the Commissioner and a report will be prepared that includes the