Data Privacy Law

14,000,000 Leading Edge Experts on the ideXlab platform

The Experts below are selected from a list of 14046 Experts worldwide ranked by ideXlab platform

Graham Greenleaf - One of the best experts on this subject based on the ideXlab platform.

  • China Issues a Comprehensive Draft Data Privacy Law
    Social Science Research Network, 2020
    Co-Authors: Graham Greenleaf
    Abstract:

    The long-anticipated Law of the People's Republic of China on the Protection of Personal Information (Draft) (‘PPIL’) was released by the Standing Committee of the National People’s Congress (SC-NPC), the second-highest legislative body in China, on 21 October 2020. Its enactment will be the culmination of a decade-long evolution. The article analyses the draft PPIL and considers where it goes beyond the previous benchmark, the CyberSecurity Law (CSL) of 2016, and compares aspects of the EU’s GDPR. The article concludes that, while detailed conclusions await enactment, some things are clear enough. China’s draft Law is well within the normal global range of Data Privacy Laws, shows many GDPR influences, and goes beyond the GDPR on some points. It goes further in many respects than the 2016 CSL, and the 2017 PI Standard. The ‘enforcement toolkit’ is diverse, with ‘dissuasive’ sanctions, as the GDPR puts it. These apparently strong Data Privacy rights in the private sector must co-exist with a high level of government surveillance (including the ‘Social Credit’ system) but they are likely to be enforceable because China needs there to be public trust in its e-commerce sector, and aspects of e-governance, so credible Data Privacy Laws are necessary. Other than the absence of a DPA (specialised, or independent), the most important departure from ‘European’ norms is that the Data export restrictions are largely at the discretion of the CAC, with no objective criteria, and other forms of Data localisation are similar. Multiple risk points for foreign and local companies will result. For other countries attracted to ideologies of ‘Data sovereignty’, the ‘Chinese model’ (explained in the article) may prove an attractive one to emulate. Internationally, this will fit uncomfortably with both the EU’s GDPR and US laissez-faire. Disputes before international trade forums are likely to result.

  • Jamaica Adopts a Post-GDPR Data Privacy Law
    Social Science Research Network, 2020
    Co-Authors: Graham Greenleaf
    Abstract:

    Jamaica's Data Protection Act 2020 is the fifteenth Data Privacy Law in the Caribbean. Not yet in force, it provides for a transitional period of two years. The Jamaican Information Commissioner, once appointed, should be influential in the region. It is influenced strongly by the European Union’s General Data Protection Regulation (GDPR) of 2018, including in providing for extra-territorial jurisdiction, and in limiting Data exports through the concept of ‘adequacy’. All Data controllers must comply with eight numbered ‘Standards’, one of which includes compliance with the various ‘Rights of the Data Subjects’. The Act also imposes four types of higher obligations, above the ‘Standards’, on some controllers in relation to some processing. These include registration, controls on specified processing, Data protection officers (DPOs) and Data protection impact assessments (DPIAs). The Act’s enforcement is based on three types of notices by the Commissioner, which can then lead to offences, administrative penalties, or compensation. The terminology and procedures are somewhat unusual, but the enforcement mechanisms are substantial. This is a remarkably strong post-GDPR Data Privacy Law. Of the nearly 20 features of the EU’s GDPR that are relevant to countries outside the EU, and are stronger than the 1995 Data Protection Directive, only a handful are missing from explicit inclusion in Jamaica’s Law: Data protection by design and default; demonstrable accountability of controllers; direct liability for processors; requirements to cooperate with other DPAs; and rights of public interest groups to take representative actions. The exemptions from the Act may prove to be unreasonably broad. It remains to be seen whether fines of up to 4% of corporate turnover will be genuinely dissuasive when administered by courts, and whether significant compensation awards will be made.

  • India's Personal Data Protection Bill 2019 Needs Closer Adherence to Global Standards: Submission to Joint Committee, Parliament of India
    2020
    Co-Authors: Graham Greenleaf
    Abstract:

    This is a submission to the Joint Committee on The Personal Data Protection Bill, 2019 of the Parliament of India, which has invited submissions from the public. The submission argues that a stronger Bill is needed if the Indian government is to have reasonable prospects both to protect legislation and practices on which government programs depend against unconstitutionality, and in order to maximize India’s prospects of obtaining a positive ‘adequacy assessment’ from the European Union under the GDPR. The submission also argues that there are many aspects of the Bill which fall far short of the accepted international benchmarks for a high quality Data Privacy Law. The submission argues that areas which need improvement in the government’s Bill include: (i) Data principals, and NGOs representing them, are given too little ability to enforce the Law, both in the courts, and before the DPAI and its AOs. It must be clear that Data principals can enforce, and seek remedies for, any breaches of obligations by Data fiduciaries, as well as for any breaches of explicit rights of Data principals. Breaches of rights and obligations should be treated alike. (ii) The guarantees of independence of the DPAI and its AOs are not strong enough. (iii) State powers to exempt government agencies from the Law are too strong. (iv) The DPAI has too broad a discretion to authorise new grounds of non-consensual processing of personal Data. (v) Obligations of Data fiduciaries to give Data Breach Notifications, to both the DPAI and to Data principals, should be stated as objective criteria. (vi) The rights of Data principals are too weak, in relation to both rights to withdraw consent, and access rights. (vii) Requirements of ‘harm’ before some obligations/rights apply are inappropriate. ‘Harm’ should also be better defined. (viii) The ‘outsourcing exemption’ for Data on foreigners being processed in India defeats India’s aspiration to be a global leader in ethical Data protection. 
    (ix) A number of aspects of the Bill concerning non-personal Data, including anonymisation of personal Data, deserve further consideration. (x) The Bill’s provisions concerning Data localisation, including Data export restrictions, give the government and the DPAI a great deal of discretionary control, with few legislative constraints, and few guarantees that discretions will be exercised to benefit the Privacy of Data principals. These broad discretions may cause unnecessary problems, and a more legally constrained approach may be better. For clarity, there is a need to amend s. 34(1) in relation to the number of bases for Data exports.

  • China's New Cybersecurity Law Also a Data Privacy Law
    Social Science Research Network, 2016
    Co-Authors: Graham Greenleaf, Scott Livingston
    Abstract:

    In November 2016, China’s Standing Committee of the National People’s Congress (SC-NPC) promulgated the PRC Cybersecurity Law, which will take effect on 1 June 2017. Although the Law is mainly devoted to provisions concerning the security of information networks and, in particular, to mandating security procedures and requirements for ‘critical information infrastructure’ and ‘critical information infrastructure operators’ the Cybersecurity Law’s provisions relating to Data Privacy articulate what are China’s most comprehensive and broadly applicable set of Data Privacy principles to date. These Data Privacy provisions reiterate many of the basic principles and requirements found in other Laws and regulations, but the Law also includes new or more explicit requirements with respect to Data correction rights, deletion, re-use and disclosure, breach notification to users and Data localization. Still missing, however, are several common elements of other jurisdictions’ Data Privacy Laws, such as explicit user access rights, requirements on Data quality and special provisions for sensitive Data. The Law also does not establish a national Data protection authority. There are also uncertain questions of scope, particularly in relation to public sector bodies. While China has long lacked a broadly applicable national Data Privacy Law, the scope and strengthened principles of this new legislation means that it can probably now be considered to be “China’s Data Privacy Law,” with which other lower-level Laws and regulations must be consistent. This article analyses the Privacy-related aspects of the Cybersecurity Law, and in particular asks what (if anything) it adds to China’s previous set of Data Privacy Laws. Comparisons are made with China’s existing Data Privacy Laws.

  • Regulations with Data Export Limitations Bring Singapore's Data Privacy Law into Force
    Social Science Research Network, 2014
    Co-Authors: Graham Greenleaf
    Abstract:

    On 2 July 2014, the Data protection provisions of Singapore’s Personal Data Protection Act 2012 (PDPA) came into force, following an 18 month transition period for companies to prepare for compliance. To complete the process, the Personal Data Protection Regulations 2014 (PDPR) were made on 15 May 2014. This article considers the most important aspects of the Regulations, which concern personal Data exports. Singapore’s approach is very thorough and not easily classified – it is sui generis. The Act requires that Data exports should only be to recipients bound by legally enforceable obligations comparable to those found in Singapore, and also includes some elements of extraterritoriality. Regulation 10 specifies that ‘legally enforceable obligations’ may include Laws, contracts, binding corporate rules (BCRs) or ‘any other legally binding instrument’. It probably gives individual Data subjects few opportunities to protect themselves against unprotected exports, unless an export becomes publicly notorious. However, it does impose obligations on companies which, if not observed, could result in PDPC enforcement action if something goes badly wrong. Other aspects of how the PDPA is being brought into force are also explained, including regulations concerning deceased persons, various draft Guidelines, and exemptions promulgated by the Monetary Authority of Singapore which illustrate a major weakness of the PDPA. They have a common feature that businesses involved with Singapore need to be aware of considerable regulatory detail or there are considerable risks involved.

Bilyana Petkova - One of the best experts on this subject based on the ideXlab platform.

  • Domesticating the Foreign in Making Transatlantic Data Privacy Law
    International Journal of Constitutional Law, 2017
    Co-Authors: Bilyana Petkova
    Abstract:

    Research shows that in the Data Privacy domain, the regulation promoted by front-runner states in federated systems such as the United States or the European Union (EU) generates races to the top, not to the bottom. Institutional dynamics or the willingness of major interstate companies to work with a single standard generally creates opportunities for the federal Lawmaker to level up Privacy protection. This article uses federalism to explore whether a similar pattern of convergence (toward the higher regulatory standard) emerges when it comes to the international arena, or whether we witness a more nuanced picture. I focus on the interaction of the European Union with the United States, looking at the migration of legal ideas across the (member) state jurisdictions with a focus on breach notification statutes and Privacy officers. The article further analyzes recent developments such as the invalidation of the Safe Harbor agreement and the adoption of a Privacy Shield. I argue that instead of a one-way street, usually conceptualized as the EU ratcheting up standards in the United States, the influences between the two blocs are mutual. Such influences are conditioned by the receptivity and ability of domestic actors in both the United States and the EU to translate, and often, adapt the “foreign” to their respective contexts. Instead of converging toward a uniform standard, the different points of entry in the two federated systems contribute to the continuous development of two models of regulating commercial Privacy that, thus far, remain distinct.

  • Domesticating the Foreign in Making Transatlantic Data Privacy Law
    Social Science Research Network, 2017
    Co-Authors: Bilyana Petkova
    Abstract:

    Research shows that in the Data Privacy domain, the regulation promoted by frontrunner states in federated systems such as the United States or the European Union generates races to the top, not to the bottom. Institutional dynamics or the willingness of major interstate companies to work with a single standard generally create opportunities for the federal Lawmaker to level up Privacy protection. This article uses federalism to explore whether a similar pattern of convergence (toward the higher regulatory standard) emerges when it comes to the international arena, or whether we witness a more nuanced picture. I focus on the interaction of the European Union with the United States, looking at the migration of legal ideas across the (member) state jurisdictions with a focus on breach notification statutes and Privacy officers. The article further analyses recent developments such as the invalidation of the Safe Harbor Agreement and the adoption of a Privacy Shield. I argue that instead of a one-way street, usually conceptualized as the EU ratcheting up standards in the US, the influences between the two blocs are mutual. Such influences are conditioned by the receptivity and ability of domestic actors in both the US and the EU to translate, and often, adapt the “foreign” to their respective contexts. Instead of converging toward a uniform standard, the different points of entry in the two federated systems contribute to the continuous development of two models of regulating commercial Privacy that, thus far, remain distinct.

Dan Jerker B. Svantesson - One of the best experts on this subject based on the ideXlab platform.

Emmanuel Pernot-Leplay - One of the best experts on this subject based on the ideXlab platform.

  • China's Approach on Data Privacy Law: A Third Way Between the U.S. and the EU
    Social Science Research Network, 2020
    Co-Authors: Emmanuel Pernot-Leplay
    Abstract:

    Because of state surveillance, Data Privacy in China is often assumed to be inexistent. Yet, the country regulates differently Privacy from the state and Privacy from private actors. Consumer Data Privacy in China is at the forefront of new regulations issued during the last years to create a legal framework on Data protection, up to the Cybersecurity Law. Despite the tremendous increase of Data transfers from the West to China, there is a scarcity in the legal research about Chinese Data protection rules, the building of China’s approach on this domain and its consequences. This Article compares China’s Data Privacy Laws (most notably the Cybersecurity Law and its guidelines) to the dominant approaches coming from the EU and the U.S. The goal is to identify China’s direction, whether it transplants their rules, and the specificities that make China’s approach different from Western models. The results of this comparative study show that China initially followed a path resembling the U.S. approach, before recently changing direction and converge with the more stringent EU rules on several legal elements, especially through the Cybersecurity Law and the Personal Information Security Specification. Up to the point that China now has a comprehensive Data protection Law on its legislative agenda and encourages Privacy protection for consumers that sometimes surpasses U.S. rules. This research identifies and decrypts specificities of Data protection in China that make China’s voice special with the potential to gain influence in this field, whereas Western rules are the only bearing regulatory clout so far. These Chinese characteristics, such as the paradoxical – yet parallel – increase of both state surveillance and consumer Privacy and the cyber-sovereignty principle impacting personal Data protection, now compose China’s approach. 
    This “Data Privacy with Chinese characteristics” will bear consequences on the country’s forthcoming regulations on artificial intelligence and for future policy developments in the EU and the U.S.

Gregory W Voss - One of the best experts on this subject based on the ideXlab platform.

  • European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting
    Business Lawyer, 2017
    Co-Authors: Gregory W Voss
    Abstract:

    This article discusses a few of the most important European Data Privacy Law developments in recent history – perhaps the most significant since 1995 when the European Union adopted the Data Protection Directive. These include the adoption of the General Data Protection Regulation (GDPR), the invalidation of the U.S. – EU Safe Harbor cross-border personal Data transfer framework in the Schrems decision, and the Safe Harbor’s subsequent replacement by the Privacy Shield. The latter allows transfer of personal Data (such as Data about employees and prospects) from the European Union to the United States, upon certification of commitments by participating companies, and provides guarantees from U.S. agencies and means of enforcement in case of violations. The article also covers continuing developments concerning the “right to delisting,” which was applied in the 2014 Google Spain decision. Treatment of the GDPR, which will be applicable as of May 2018 (allowing companies time to prepare), includes its extended territorial scope, changes to personal Data processing principles, provisions regarding storage of Data for public interest, scientific, historical or statistical purposes, developments regarding legitimate bases for processing, including consent, increased Data subject rights which will require companies to take action, as well as new compliance requirements which may include, when applicable, performing Data protection impact assessments and/or hiring Data protection officers. Furthermore, new record-keeping obligations, new requirements for Data breach notifications, and higher administrative fines are detailed.

  • After Google Spain and Charlie Hebdo: The Continuing Evolution of European Union Data Privacy Law in a Time of Change
    Business Lawyer, 2015
    Co-Authors: Gregory W Voss
    Abstract:

    The past year has seen various developments that are modifying Data Privacy Law in the European Union (EU), with consequences for various sectors of business. Over a year ago, the Court of Justice of the European Union (ECJ) issued its now-famous Google Spain decision, recognizing a so-called “right to be forgotten.” This has been followed by EU member state court decisions raising issues for Internet search engines, publishers of information, and potentially other Internet intermediaries. Coordinated European action with respect to Google’s Privacy policy, discussed in last year’s survey, has continued, with implications for other companies offering services that collect and process individual users’ Data on the web. Thus, while Google may seem to have been singled out in a year when that firm is also under European competition Law scrutiny, the lessons to be drawn are more broadly applicable.