8.2. Comparison

Luiss

Department of Law

The Rest of the World


Data Protection as for the Others

24 November 2021, Data Protection Law, academic year 2021-2022


Brazil
Constitution, Art. 5, X:
«The intimacy, private life, honor and image of the people are inviolable, with an assured
right to indemnification for material or moral damage resulting from their violation»

Lei Geral de Proteção de Dados Pessoais, or LGPD (13709/2018)

• became law on September 18, 2020, with its entry into force backdated to August 16, 2020
• sanctions under the law apply only from August 1, 2021

• to unify 40 different Brazilian laws that regulate the processing of personal data
• DPA responsible for its enforcement: Autoridade Nacional de Proteção de Dados, or
ANPD
Brazil
Scope
• Personal scope: does not apply irrespective of nationality or place of residence
• Territorial scope: no extraterritorial scope
• Material scope: any processing operation

Key definitions
• Personal data: sensitive data
• Pseudonymisation: not specified
• Controllers and processors: no contract needed; joint liability under consumers’ law
• Children: consent required from the age of 13 for any processing of their personal data
• Research: processing conducted by «research bodies»; no derogations

Individuals’ rights
• Right to erasure
• Right to be informed
• Right to object
• Right of access
• Right not to be subject to discrimination for the exercise of rights
• Right to data portability
Brazil
Legal basis
processing of common data
• consent
• contract
• legal obligation
• protection of life or physical safety
• by public administration for the execution of public policies provided for in law
• legitimate interest
• necessary for credit protection

processing of sensitive data


• consent
• legal obligation
• protection of life or physical safety
• regular exercise of rights
• by public administration for the execution of public policies provided for in law
• by health professionals or entities for health protection
• for ensuring the prevention of fraud and security of the data subject
Brazil
Controller and processor obligations
• Data transfers: not from a public register or based on legitimate interest
• Data processing records: exceptions established by the ANPD; no specification of the information
required
• Data protection impact assessment: no specification about when required
• Data protection officer appointment: only controllers; independence not mentioned
• Data security and data breaches: minimum technical standards provided by the ANPD; no precise
timing
• Accountability and good practice: privacy governance programme, and measures demonstrating its
effectiveness

Enforcement
• Monetary penalties: up to 2% of a private legal person’s, group or conglomerate revenues in Brazil, for
the prior financial year, excluding taxes, up to a total maximum of BRL 50,000,000 (approx.
€11,582,750) per infraction; government agencies cannot be sanctioned with administrative fines
• Supervisory authority: the ANPD is a federal public administrative agency, subordinated to the Cabinet
of the Presidency
• Civil remedies for individuals: not specified
South Africa
Constitution: a general right to privacy, from which a right to personal data protection is derived

Protection of Personal Information Act, or POPIA (2013)


• not fully effective until 2018

• to protect personal information (PII)


• to enforce individuals’ rights to privacy
• to provide guidelines for lawfully processing sensitive information and notifying regulators and data
subjects in the event of a breach

Scope
• personal information, which means any information that relates to a specific person (not limited to a
natural person)
• any data processor that is domiciled (legally based) in South Africa
• if the data processor is outside of South Africa “but makes use of automated or non-automated means
in the [country]”
• some exclusions: such as national security and journalism
South Africa
Personal information
«information relating to an identifiable, living,
natural person, and where it is applicable, an
identifiable, existing juristic person»

• race
• gender
• pregnancy
• marital status
• national, ethnic, or social origin
• colour
• age
• religion, beliefs, or culture
• language
• educational, medical, financial, criminal, or employment history
• ID number
• email address
• physical address
• telephone number
• location
• biometric information
South Africa
Eight conditions for lawful processing

(the conditions under which it is lawful to use and process someone else's personal information)
1. Accountability
2. Processing limitation
3. Purpose specification
4. Further processing limitation
5. Information quality
6. Openness
7. Security safeguards
8. Data subject participation
South Africa
Measures for accountability
• Respect the consumer’s choice to opt-in or out
• Be clear when requesting consent for a specific purpose
• Give consumers a clear way to express their choice by giving them the option to click a button or mark a
checkbox
• Keep records of when and how consent was obtained and exactly what it covers

• Fines can reach R10 million and, in extreme cases, an offender can be sentenced to up to 10 years in
prison

GDPR v. POPIA
• Territorial Scope: Restricted to organizations that are either based or process personal data in South
Africa
• Data Controller: a mandatory role, known as the Information Officer, for all organisations under POPIA;
POPIA does not require a representative based within South Africa
• Breach reporting deadline: as soon as reasonably possible
• Data transfers: Cross-border transfers are permitted to a third party that is subject to legal or corporate
data protection rules
India
Right to Privacy: a fundamental right, an intrinsic part of Article 21 (which protects the life and liberty of
citizens) and part of the freedoms guaranteed by Part III of the Constitution

Information Technology Act, 2000

Information Technology (Amendment) Act, 2008


• Section 43A: implementation of reasonable security practices for sensitive personal data or
information and compensation of the person affected by wrongful loss or wrongful gain
• Section 72A, which provides for imprisonment for a period up to three years and/or a fine up to Rs.
500,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of
another person while providing services under the terms of lawful contract

In June 2011, India passed subordinate legislation (rules under the IT Act) that introduced various new rules
applying to companies and consumers
• any organization that processes personal information must obtain written consent from the data subjects
before undertaking certain activities
• the application and enforcement of the rules is still uncertain
India
Aadhaar Card
• privacy issue became controversial when the case reached the Supreme Court
• the hearing in the Aadhaar case went on for 38 days across 4 months, making it the second longest
Supreme Court hearing
• on 24 August 2017, a nine-judge bench of the Supreme Court in «Justice K. S. Puttaswamy (Retd.) and
Anr. vs Union Of India And Ors.» unanimously held that the right to privacy is an intrinsic part of right to
life and personal liberty under Article 21 of the Constitution
• need for a strong personal data protection regime was further highlighted by the apex court in its
judgement in September 2018 in which it held Aadhaar as a constitutionally valid scheme but struck
down some provisions in the Aadhaar Act
Personal Data Protection Bill
• at the time of these slides (November 2021) the Bill is being examined by a parliamentary panel and is
expected to be tabled in Parliament in the first week of the winter session
• the Joint Committee of Parliament, chaired by BJP MP PP Chaudhary, met in Delhi to discuss a draft report
on the Bill but could not adopt it, as further amendments to the proposed legislation had been suggested
• the committee has held wide discussions on the Bill with various stakeholders, including social media
giants like Twitter and Facebook, e-commerce players and telcos
India
Personal Data Protection Bill
• under the provisions of the Bill, all Internet companies must store critical data of individuals within the
country
• they may transfer sensitive data overseas only with the explicit consent of the data owner, and only for
purposes permissible under the proposed legislation
• critical data will be defined by the government from time to time
• data relating to health, religious or political orientation, biometrics, genetics, sexual orientation,
finances and other categories has been identified as sensitive data
• social media companies will be required to set up a mechanism to identify users on their platform who
are willing to be identified; verification will be voluntary for individuals
• the Bill grants data owners a right to be forgotten, as well as rights to erasure, correction and data
portability
China
Personal Information Protection Law, or PIPL 2021
personal information
• all information related to identified or identifiable natural persons
• personal information handler: the PIPL's equivalent of a controller

territorial scope
• processing of the personal information of natural persons conducted by organizations and individuals
within the territory of China
• processing conducted outside China where one of the following applies:
  • the purpose is providing products or services to natural persons in China
  • the activity analyzes or assesses the behavior of natural persons in China
  • other circumstances provided by laws and administrative regulations (unspecified in the PIPL)

key principles
• lawfulness, necessity and good faith
• purpose limitation and data minimization
• transparency
• accuracy
• accountability and security
China
Conditions for Processing All Personal Information
• consent
• contract
• legal obligation
• necessary for coping with public health emergencies or for the protection of the life, health, and
property safety of a natural person
• processing, within a reasonable scope, of personal information that has already been lawfully disclosed
• news reporting and supervision by public opinion in the public interest, within a reasonable scope
• other circumstances provided by laws and administrative regulations

Special Conditions for Processing Sensitive Personal Information


• a specific purpose and sufficient necessity, with strict protection measures adopted
• separate consent
• separate notice to the individual of the necessity of the processing and its impact on their rights
China
Rights of the Data Subjects
• Right of Knowledge, Decision, Restriction, Objection and Rescission
• Right to Access, Copy and Portability
• Right to Rectification
• Right to Deletion

Automated Decision-Making
• where personal information is used to make automated decisions, the personal information handler shall
guarantee the transparency of the decision making and the fairness and justice of the processing results
• where a data subject believes that automated decision-making has a significant impact on his/her rights
and interests, the data subject has the right to require the personal information handler to give an
explanation, and to refuse that personal information handlers make decisions solely through automated
decision-making methods
• where business marketing and push notifications are carried out through automated decision-making, the
personal information handler shall provide either an option not based on the individual's personal
characteristics or an option to refuse. In this regard, the PIPL is similar to the GDPR
China
Data Governance and Security
• compliance and security measures
• appointment of a personal information protection officer (the DPO equivalent)
• personal information protection impact assessment (PIPIA)
• data breach response

Gatekeeper Obligations of Internet Giants


a set of enhanced obligations for handlers that operate "important" internet platform services for a
"massive" number of users (no threshold number is given) and have complex business types
• establishing and improving the personal information protection compliance program in accordance with
relevant regulations and establishing a steering committee independent of the handler to oversee its
protection of personal information
• formulating platform rules and clarifying the rules of processing personal information and the
obligations to protect personal information for product or service providers on the platform in
accordance with the principles of openness, fairness and impartiality
• suspending services to product/service providers operating within the handler’s platform if they are in
serious violation of data protection laws
• issuing regular social responsibility reports concerning the processing of personal information
China
Data Transfers Outside China
• necessary conditions
  • obtaining the separate consent of the personal information subject
  • conducting an impact assessment and keeping a record of it
  • satisfying one of the four special conditions:
    • passing the security assessment
    • certification by a specialized agency
    • concluding a contract with the recipient outside China
    • meeting other conditions provided by laws and regulations
China
Enforcement Authorities, Liabilities and Fines
• no independent authority
  • Cyberspace Administration of China
  • Ministry of Public Security
• administrative liabilities
  • in general circumstances
    • order to rectify
    • warning
    • confiscation of illegal gains
    • order to suspend or terminate the provision of services by application programs that unlawfully process
      personal information
    • a fine on the handler of not more than CNY 1 million (about USD 153,700), if it refuses to make corrections
    • a fine on the persons directly responsible ranging from CNY 10,000 (about USD 1,537) to CNY 100,000
      (about USD 15,370)
  • in severe circumstances
    • order to rectify
    • confiscation of illegal gains
    • a fine on the handler of not more than CNY 50 million (about USD 7,690,000) or 5% of the annual turnover
      of the prior year
    • suspension of relevant business activities, cessation of business for rectification, and/or revocation of
      business licenses or permits
    • a fine on the persons directly responsible ranging from CNY 100,000 (about USD 15,370) to CNY 1 million
      (about USD 153,700)
    • prohibition from holding the position of director, supervisor, senior manager, or personal information
      protection officer for a certain period
• civil and criminal liabilities
Hong Kong
Personal Data (Privacy) Ordinance (Cap. 486), 20 December 1996

Personal Data (Privacy) (Amendment) Ordinance 2012

Judicial cases are also a source of privacy law

Privacy Commissioner for Personal Data


• non-compliance with the data protection principles set out in the Ordinance does not
constitute a criminal offense directly
• the Commissioner may serve an enforcement notice directing the data user to remedy
the contravention and/or instigate prosecution
• contravention of an enforcement notice may result in a fine and imprisonment
Singapore
Primarily common law, and the law of confidence
• privacy can be protected indirectly through various common law torts: defamation, trespass, nuisance, negligence,
and breach of confidence

the National Internet Advisory Committee published the Model Data Protection Code for the Private Sector
(February 2002) which set standards for personal data protection

Singapore has also passed various sector-specific statutes that more indirectly deal with privacy and personal
information, including:
• Banking Act
• Statistics Act
• Official Secrets Act
• Statutory Bodies and Government Companies Act
• Central Provident Fund Act
• Telecommunications Act
• Spam Control Act 2007
• Electronic Transactions Act
• National Computer Board Act
• Computer Misuse Act
Singapore
Singapore's Personal Data Protection Act 2012 came into effect in January 2013, in three separate but
related phases
• July 2014: creation of the Personal Data Protection Commission, the national Do Not Call Registry, and
the general data protection rules
• the Act’s general purpose «is to govern the collection, use and disclosure of personal data by
organisations» while acknowledging the individual’s right to control their personal data and the
organizations’ legal needs to collect this data
• it imposes eight obligations on those organizations that use personal data: consent, purpose limitation,
notification, access, correction, accuracy, protection/security, and retention
• it prohibits transfer of personal data to countries with privacy protection standards that are lower than
those outlined in the general data protection rules
• the Personal Data Protection Commission is responsible for enforcing the Act, which is based primarily
on a complaints-based system
• punishments for violating the Act can include being ordered by the Commission to stop collecting and
using personal data, to destroy the data, or to pay a financial penalty of up to S$1 million
