Last Week in Privacy - July 24, 2018

Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.


Here’s a quick recap of last week’s top five privacy industry headlines:

  1. The European Commission announced that it has reached a safe data agreement with Japan, in which the EU and Japan recognize each other’s respective data protection systems as “equivalent,” allowing data to flow safely and freely between the two. Each side will now begin its internal procedures to adopt the agreement, which is expected to be finalized this fall.
  2. The UK Information Commissioner’s Office released its annual report, citing an unprecedented demand for its casework on data protection and freedom of information. The report states that data protection complaints in the UK are up 15% and breach notifications are up 30%, and that 26 penalties have been issued, totaling £3.28 million, which the report calls the largest number of civil monetary penalties in the history of the Commissioner’s Office, alongside 19 criminal prosecutions with 18 convictions.
  3. The Nepal Law Commission has prepared a preliminary draft data protection bill that includes jail sentences of up to three years or a fine of up to 30,000 rupees, or both, for violating an individual’s right to privacy. The draft will be reviewed by the line ministry next, and, to be successful, would need to be enacted by parliament by September 19th. Items addressed in the bill include: requirements for consent before government bodies can publicize an individual’s personal data, and requirements for privacy of communications, trespassing, and more.
  4. Lithuania’s law to implement the GDPR has come into effect. The law takes advantage of a number of GDPR derogations, including a prohibition on publicizing national identification numbers or processing them for direct marketing purposes; placing limits on a variety of GDPR requirements when processing is for the purposes of journalistic, academic, artistic or literary expression; more specific rules on the processing of employee data; lowering the age of consent from 16 to 14 in relation to the offering of information society services, and more.
  5. The Brazilian senate has unanimously approved a bill for Brazil’s first General Data Protection Law. The bill is currently awaiting approval from Brazil’s president, who is likely to veto the articles that would establish a national data protection authority in Brazil, thus raising questions about how the potential law would be enforced. The bill, which bears striking similarities to the GDPR, takes a risk-based approach to compliance and includes new rights for individuals, requirements for data mapping and DPIAs, breach notification, and DPO requirements. Its extra-territorial scope will apply not only to companies doing business in Brazil, but to cross-border data processing as well. If approved, the law would go into effect after an 18-month grace period, allowing organizations time to adapt.

That’s all for this week. Be sure to join us next week for Last Week in Privacy.

Wanting more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.