Global privacy laws have continued to develop rapidly throughout the course of 2020. Significant new laws have entered into force such as the LGPD in Brazil, further sections of POPIA commenced, and the updated Privacy Act 2020 in New Zealand came into force on December 1.
It is not just new laws entering into force, globally, there is now a focus on amending, modernizing, and harmonizing existing privacy laws. More recently, we have seen the passing of the CPRA, the introduction of a federal privacy bill in Canada, and calls for a united approach to data privacy in Africa.
US Privacy Update: CCPA, CPRA, and New State Bills
In America, the final regulations under the CCPA were issued by the California Attorney General in August and entered into immediate effect. In November however, a vote on Proposition 24 led to the California Privacy Rights Act (‘CPRA’) passing. The CPRA will not become operative until January 1, 2023, but many of its provisions will apply to personal information collected as of January 1, 2022.
Keep up to date with developments to US privacy laws: OneTrust DataGuidance US State Law Tracker
Away from California, the draft bill for the Washington Privacy Act 2021 was released in September. The SHIELD act in New York was re-introduced in January and entered into effect in March, while, in July, privacy acts entered into force in both Maine and Vermont. Additionally, in September, the SAFE DATA Act was introduced seeking to create a comprehensive federal privacy law in the US.
Europe Privacy Update: Cookie Guidance, Brexit, and UK Adequacy
Gain insight into cookie requirements globally: OneTrust DataGuidance Cookie Comparison
Additionally, with the UK’s departure from the European Union looming, the Department for Digital, Media, Culture & Sport (‘DCMS’) published its framework for adequacy discussions and outlined that the UK is seeking an adequacy decision from the EU. Further Brexit guidance was also released, which included a checklist of amendments organizations should make before the end of the transition period.
Latin America Privacy Update: LGPD and the Brazilian Data Protection Authority
The biggest story to come from Latin America this year was the entry into force of Brazil’s LGPD. Following a number of bills seeking to postpone the LGPD – potentially to January or August 2021 – it eventually entered into force on September 18, 2020. In November, the board of directors of the Brazilian data protection authority (‘ANPD’) were appointed. Under the LGPD, the ANPD is tasked with among others, ensuring the protection of personal data, developing relevant guidelines, and investigating and enforcing violations of data protection.
Access free resources relating to the LGPD: OneTrust DataGuidance LGPD Portal
APAC Privacy Update: Thailand PDPA, South Korea PIPA, and New Zealand Privacy Act 2020
2020 has been a busy year for the development of data privacy laws in the APAC region. Thailand’s PDPA – initially set to come into effect in May 2020 – was postponed until May 31, 2021. In South Korea, there were several amendments made to the PIPA which became effective on August 5. Further amendments were made in Japan, where a bill was introduced to update the APPI. Additionally, on December 1, 2020, the New Zealand Privacy Act 2020 will come into force, introducing mandatory breach reporting among other provisions.
Middle East Privacy Update: New Data Protection Laws in Dubai and Abu Dhabi
In Dubai, the DIFC introduced the Data Protection Law No. 5 of 2020 in July which expands many of the provisions from its previous law. These include greater rights for data subjects, frameworks for accountability, and mandatory data breach notification – among others. More recently, the Abu Dhabi Global Market launched a public consultation on a new data protection framework and Data Protection Regulations 2020
Africa Privacy Update: POPIA, Egypt’s First Data Protection Law, and African Union Harmonization initiative
Further sections of South Africa’s POPIA commenced in July 2020, however, POPIA does allow for a one-year grace period for compliance until July 1, 2021. There were further updates in Egypt – where its first data protection law was introduced, and in Nigeria, where a new data protection bill was introduced. In November, the African Union launched an initiative for harmonized privacy legislation across Africa. However, further information on the initiative is not yet publicly available, and the framework is currently not legally binding.
Benchmark global privacy laws with the GDPR: OneTrust DataGuidance GDPR Benchmarking Tool
Throughout 2020, we have seen amendments and proposals to update existing privacy legislation as well as seeing several new laws introduced or proposed. As the regulatory landscape continues to evolve there is a greater importance on remaining ahead of the curve with obligations applicable to your organization. Re-watch our “Global Privacy Laws: What’s New in 2020” TrustWeek session for an overview of data privacy in 2020.
Further resources for global privacy law updates in 2020:
- Subscribe for daily regulatory news updates to your inbox: DataGuidance Daily Alert
- OneTrust Solutions: OneTrust for CPRA
- CNIL final recommendations and amended guidelines on cookies and other trackers (Available only in French)
- Read the case study: Reed Smith LLP Relies on OneTrust DataGuidance for Localized Privacy Law Research to Help Advise Multinational Companies