Top 10 Privacy Moments of 2021: 10-7
Top 10 Privacy Moments of 2021: 10-7...

Top 10 Privacy Moments of 2021: 10-7

Countdown the 10 biggest privacy developments of the past 12 months.

clock6 Min Read

Featured Image

As we come to the end of another whirlwind year in the privacy world, it is important to pause and take stock of some of the major developments that we, as privacy professionals, have had to overcome in the past 12 months. In this blog series, we count down the top 10 moments of the year starting with significant developments relating to the ANPD in Brazilthe APAC region, the Middle East, Africa, and Quebec’s Bill 64 


Download the report - Data privacy in 2021

Top 10 Privacy Moments of 2021: 10 – 7  

  1. LGPD Enforcement & ANPD’s Summary of the Year 

In August, the LGPD’s enforcement provisions entered into effect following the commencement of the LGDP’s other articles which entered into effect in September 2020. 

2021 also marked the first year of Brazil’s data protection authority (ANPD) as a fully functional unit. On November 6, 2021, the ANPD summarized its first year in operation and highlighted several of its quantifiable achievements. Among the ANDP’s efforts, summarized via a press release, was the initial structuring and consolidation of the authority. This included raising financial and material resources, expanding the ANPD’s workforce, and internal training in related technical matters.  

The achievements listed by the ANPD included:  

  • Four technical cooperation agreements were signed 
  • 100% of the first phase of the regulatory agenda was completed 
  • Six educational materials including guides, booklets, issues, and articles were released 
  • 313 external events have been held, where ANPD’s members had participated 
  • Seven consultations were also carried out with society 

Further resources: 

  1. APAC continuing developments

The Asia-Pacific region has seen many privacy developments over the course of 2021. Most notably there have been significant developments in India, Pakistan, Sri Lanka, and Thailand. And China of course, but more on that later. 

In November, the Joint Parliamentary Committee in India adopted its highly anticipated report on the personal data protection bill. The report contained 93 recommendations in relation to the bill’s clauses and is expected to be tabled in parliament during the upcoming winter session. 

One of the other major news stories of 2021 coming out of the APAC region was the second postponement to Thailand’s Personal Data Protection Act entry into effect. In May, the Ministry of Digital Economy and Society announced a draft decree had been approved to postpone the enforcement of the PDPA for a second time, citing the impact of the Coronavirus pandemic as the main reason behind the decision. The new compliance deadline is now June 1, 2022. 

Across the region, there have also been considerable efforts relating to draft data protection laws. In August, the Ministry of Information Technology (MOITT) in Pakistan published a revised draft of the Personal Data Protection Bill for public consultation which introduced several new definitions and provides for the establishment of the National Commission for Personal Data Protection. In November, the Regulation of Processing of Personal Data Bill (the PDP Bill) was published in the Gazette of the Democratic Socialist Republic of Sri Lanka. The PDP Bill will be presented for readings in the Parliament of Sri Lanka. 

In Australia, the Government released a discussion paper on the review of the Privacy Act 1988. The review seeks to modernize the provisions of the Privacy Act in line with the growth in digital technology. Finally, in South Korea, the European Commission and the PIPC concluded their adequacy discussions in March. In November, the EDPB adopted its opinion on the findings and now approval by a committee composed of representatives of the EU Member States will be the final step in the process.  

Further resources:  

  1. Developments in the Middle East and Africa  

The Middle East also saw significant developments this year as several pieces of legislation were enacted. The ADGM’s Data Protection Regulations 2021 were released in February, and a comprehensive eight-part suite of guidance materials soon followed. In September, the Personal Data Protection Law (‘PDPL’) was also published in Saudi Arabia establishing several new requirements for organizations. 

However, one of the biggest developments in the UAE came more recently as the first comprehensive federal privacy law was adopted as part of a broad federal reform package which saw over 40 other laws amended or enacted. The Federal Personal Data Protection Law will introduce new data subject rights, as well as requirements around breach notification requirements, and new conditions for consent, among other things.   

In Africa, new data protection legislation was enacted in Zimbabwe and Rwanda, and the Data Protection and Privacy Regulations were passed in Uganda. Earlier this year, the final provisions of POPIA became fully effective eight years after it was first promulgated into law in South Africa.  

Further resources:  

  1. Quebec’s Bill 64 

The Canadian province of Quebec passed an Act to Modernize Legislative Provisions As Regards The Protection Of Personal Information (‘Bill 64’) in September this year. The bill was initially introduced in the National Assembly in June 2020, but later received royal ascent passing Bill 64 into law. The passing of Bill 64 means that Quebec’s existing privacy framework is set to be overhauled and the bill’s requirements will have a far-reaching impact on the private and public sectors. Bill 64 will enter into effect across three years with the first set of provisions becoming effective later next year.  

The provisions that will enter into effect after one year include the requirement to appoint a privacy officer and data breach notification requirements. Provisions entering into effect after two years include the implementation of data governance and external privacy policies, requirements to perform privacy impact assessments (PIAs), and consent requirements including clear, free, and informed consent for a specified purpose and timeframe.  Further provisions include offering data subjects the right to restrict processing, erasure, and data portability.  

Notably, Bill 64 will introduce new penalties of up to CAD 50,000 (approx. €33,330) for individuals and up to CAD 10,000,000 (approx. €6,667,950) or 2% of worldwide turnover for the preceding year, whichever is greater for businesses. The CAI will also have the power to launch penal proceedings with a maximum penalty of CAD 100,000 (approx. €66,660) for individuals and CAD 25,000,000 (approx. €16,667,130) or 4% of worldwide turnover for the preceding fiscal year (whichever is greater) in all other cases. In the event of repeat violations, the fines will be doubled.  

Further resources:  

Follow OneTrust on LinkedInTwitter, or YouTube for the latest privacy developments.

You Might Also Be Interested In

NOVEMBER 17, 2022

The role of disclosures in risk assessment and mitigation 

NOVEMBER 15, 2022

US climate risk rule could affect more than 5,700 federal suppliers

NOVEMBER 14, 2022

The COP27 climate summit: What to expect and why it matters

NOVEMBER 10, 2022

CSRD update: EU approves new ESG disclosure rules

NOVEMBER 9, 2022

SOC 2: Starting your audit process

NOVEMBER 9, 2022

3 steps for mitigating the impact of ransomware attacks through data discovery

NOVEMBER 8, 2022

Department of Justice: 2022 Updates to Corporate Compliance Guidance 

NOVEMBER 3, 2022

CCPA regulations: A timeline of amendments

Onetrust All Rights Reserved