December 17, 2021
Top 10 Privacy Moments of 2021: 10-7
6 Min Read
As we come to the end of another whirlwind year in the privacy world, it is important to pause and take stock of some of the major developments that we, as privacy professionals, have had to overcome in the past 12 months. In this blog series, we count down the top 10 moments of the year starting with significant developments relating to the ANPD in Brazil, the APAC region, the Middle East, Africa, and Quebec’s Bill 64.
Top 10 Privacy Moments of 2021: 10 – 7
LGPD Enforcement & ANPD’s Summary of the Year
In August, the LGPD’s enforcement provisions entered into effect following the commencement of the LGDP’s other articles which entered into effect in September 2020.
2021 also marked the first year of Brazil’s data protection authority (ANPD) as a fully functional unit. On November 6, 2021, the ANPD summarized its first year in operation and highlighted several of its quantifiable achievements. Among the ANDP’s efforts, summarized via a press release, was the initial structuring and consolidation of the authority. This included raising financial and material resources, expanding the ANPD’s workforce, and internal training in related technical matters.
The achievements listed by the ANPD included:
- Four technical cooperation agreements were signed
- 100% of the first phase of the regulatory agenda was completed
- Six educational materials including guides, booklets, issues, and articles were released
- 313 external events have been held, where ANPD’s members had participated
- Seven consultations were also carried out with society
- OneTrust Solutions: Comply with Brazil’s General Data Protection Law (LGPD)
- OneTrust DataGuidance News: ANPD concludes and summarises first year of operation
- ANPD Press Release: Autoridade Nacional de Proteção de Dados (ANPD) completa 1 ano (only available in Portuguese)
APAC continuing developments
The Asia-Pacific region has seen many privacy developments over the course of 2021. Most notably there have been significant developments in India, Pakistan, Sri Lanka, and Thailand. And China of course, but more on that later.
In November, the Joint Parliamentary Committee in India adopted its highly anticipated report on the personal data protection bill. The report contained 93 recommendations in relation to the bill’s clauses and is expected to be tabled in parliament during the upcoming winter session.
One of the other major news stories of 2021 coming out of the APAC region was the second postponement to Thailand’s Personal Data Protection Act entry into effect. In May, the Ministry of Digital Economy and Society announced a draft decree had been approved to postpone the enforcement of the PDPA for a second time, citing the impact of the Coronavirus pandemic as the main reason behind the decision. The new compliance deadline is now June 1, 2022.
Across the region, there have also been considerable efforts relating to draft data protection laws. In August, the Ministry of Information Technology (MOITT) in Pakistan published a revised draft of the Personal Data Protection Bill for public consultation which introduced several new definitions and provides for the establishment of the National Commission for Personal Data Protection. In November, the Regulation of Processing of Personal Data Bill (the PDP Bill) was published in the Gazette of the Democratic Socialist Republic of Sri Lanka. The PDP Bill will be presented for readings in the Parliament of Sri Lanka.
In Australia, the Government released a discussion paper on the review of the Privacy Act 1988. The review seeks to modernize the provisions of the Privacy Act in line with the growth in digital technology. Finally, in South Korea, the European Commission and the PIPC concluded their adequacy discussions in March. In November, the EDPB adopted its opinion on the findings and now approval by a committee composed of representatives of the EU Member States will be the final step in the process.
- OneTrust DataGuidance: Asia-Pacific News
- OneTrust Blog: The Ultimate Guide to Thai PDPA Compliance
- OneTrust DataGuidance Jurisdictions: Asia-Pacific
Developments in the Middle East and Africa
The Middle East also saw significant developments this year as several pieces of legislation were enacted. The ADGM’s Data Protection Regulations 2021 were released in February, and a comprehensive eight-part suite of guidance materials soon followed. In September, the Personal Data Protection Law (‘PDPL’) was also published in Saudi Arabia establishing several new requirements for organizations.
However, one of the biggest developments in the UAE came more recently as the first comprehensive federal privacy law was adopted as part of a broad federal reform package which saw over 40 other laws amended or enacted. The Federal Personal Data Protection Law will introduce new data subject rights, as well as requirements around breach notification requirements, and new conditions for consent, among other things.
In Africa, new data protection legislation was enacted in Zimbabwe and Rwanda, and the Data Protection and Privacy Regulations were passed in Uganda. Earlier this year, the final provisions of POPIA became fully effective eight years after it was first promulgated into law in South Africa.
- OneTrust Blog: UAE Enacts New Federal Personal Data Protection Law
- OneTrust DataGuidance Webinar: Middle East Privacy Update: Developments in Privacy Legislation, Part 1
- OneTrust DataGuidance Webinar: Middle East Privacy Update: Developments in Privacy Legislation, Part 2
Quebec’s Bill 64
The Canadian province of Quebec passed an Act to Modernize Legislative Provisions As Regards The Protection Of Personal Information (‘Bill 64’) in September this year. The bill was initially introduced in the National Assembly in June 2020, but later received royal ascent passing Bill 64 into law. The passing of Bill 64 means that Quebec’s existing privacy framework is set to be overhauled and the bill’s requirements will have a far-reaching impact on the private and public sectors. Bill 64 will enter into effect across three years with the first set of provisions becoming effective later next year.
The provisions that will enter into effect after one year include the requirement to appoint a privacy officer and data breach notification requirements. Provisions entering into effect after two years include the implementation of data governance and external privacy policies, requirements to perform privacy impact assessments (PIAs), and consent requirements including clear, free, and informed consent for a specified purpose and timeframe. Further provisions include offering data subjects the right to restrict processing, erasure, and data portability.
Notably, Bill 64 will introduce new penalties of up to CAD 50,000 (approx. €33,330) for individuals and up to CAD 10,000,000 (approx. €6,667,950) or 2% of worldwide turnover for the preceding year, whichever is greater for businesses. The CAI will also have the power to launch penal proceedings with a maximum penalty of CAD 100,000 (approx. €66,660) for individuals and CAD 25,000,000 (approx. €16,667,130) or 4% of worldwide turnover for the preceding fiscal year (whichever is greater) in all other cases. In the event of repeat violations, the fines will be doubled.
- National Assembly of Quebec: An Act to modernize legislative provisions as regards the protection of personal information
- OneTrust Blog: Quebec’s Bill 64 Adopted
- OneTrust DataGuidance Insight: Quebec’s privacy legislation is growing teeth
- OneTrust DataGuidance News: Quebec: CAI welcomes adoption of Bill 64