2019 in data: policy
GDR’s editorial team brings you its coverage of the most significant data policy stories of 2019.
Data isn’t just about compliance, enforcement and litigation. Businesses and their advisers need to keep an eye on how the policy decisions of regulators, politicians and governments could affect their data assets. We’re pleased to present some of GDR’s top 2019 policy stories.
By Bronte Cullum, 3 January
The outgoing Brazilian president’s creation of a data protection authority by a last-minute executive order raised concerns among observers about its independence.
By Vincent Manancourt, 23 January
The European Commission removed restrictions from transferring personal data to Japan, after the country implemented additional safeguards that aim to guarantee that exported data receives adequate protection.
By Sam Clark, 12 February
The Chinese government released a set of proposed amendments to the country’s data protection standards that would introduce stricter obligations if passed.
By Sam Clark, 28 February
Indian policymakers considered blocking Indian citizen data sharing abroad in a bid to get companies to relocate key functions to the country.
By Lauren Morris, 28 February
Industry pressure groups argued in support of a US federal data privacy framework to replace state laws, but some lawmakers voiced fears that such a law could water down stricter state requirements.
By Bronte Cullum, 2 April
Australia’s competition watchdog released draft rules governing data portability in the banking sector.
By Sam Clark, 30 May
The European Commission issued guidance for businesses on a new law governing the free flow of non-personal data.
By Sam Clark, 14 June
New draft rules by China’s cybersecurity regulator would force network operators to seek permission before sending data abroad, expanding the scope of planned rules that previously only applied to critical information infrastructure operators.
By Bronte Cullum, 28 June
A long-awaited report by a French MP recommended reforms aimed at bolstering French companies’ defences against foreign data requests.
By Sam Clark, 4 July
The UK’s Information Commissioner’s Office told the Association of British Insurers that it will not share detailed cyber breach data with the insurance trade body – but the ABI insists this “cannot be the end of the matter”.
By Vincent Manancourt, 10 July
Leading EU competition and data protection regulators vowed to combine forces and use a wider array of their powers to change the data-driven business models favoured by the likes of Google, Apple, Facebook and Amazon – as well as China’s tech giants.
By Ken Silva, 23 July
The Federal Trade Commission would have been unable to reach a settlement of the magnitude of its $700 million settlement with Equifax without the help of other regulators, the agency’s chair Joseph Simons said.
By Tom Webb and Robert Hart, 31 July
An Australian watchdog recommended wholesale reform of the country’s privacy laws – which it says are unfit to police current data practices.
By Ken Silva, 15 August
Two automotive tech companies sued the state of Arizona over a law they say would give third parties unaccountable access to their proprietary software.
By Robert Hart, 10 July
The UAE Telecommunications Regulatory Authority’s new Internet of Things regulation includes data localisation requirements and incorporates elements of the GDPR, such as data minimisation.
By Lauren Morris, 15 July
The European Data Protection Board said that an international agreement between the US and the EU is required to ensure that information requests under the US Clarifying Lawful Overseas Use of Data Act’s (CLOUD Act) comply with European law.
By Vincent Manancourt, 23 August
Brazil’s strongman president Jair Bolsonaro used his first year in office to stuff the government with military types. Observers fret the country’s first data protection agency awaits the same fate.
By Ken Silva, 16 September
Legislators put their finishing touches on the California Consumer Privacy Act, but parts of the law remain unclear pending guidance from its enforcer.
By Ken Silva, 24 September
After receiving criticism from industry and other stakeholders, the Office of the Privacy Commissioner of Canada backed off from its proposal to require businesses to obtain consent for data transfers.
By Sam Clark, 19 September
Proposed rule changes would allow the US foreign investment committee to block deals that might endanger sensitive personal data.
By Ken Silva, 4 October
The California Consumer Privacy Act will cost more than $50 million in 2020 and could cost between $463 million and $16.5 billion over the next decade, according to a cost-benefit analysis on the law released by California’s Department of Finance.
By Robert Hart, 11 October
Ireland’s government breached EU law by awarding the country’s data protection watchdog a fraction of the budget it had requested, the European Commission was told.
By Sam Clark, 18 October
European adtech trade body the Interactive Advertising Bureau clashed with the UK Information Commissioner’s Office over the lawful basis for processing cookies data, documents seen by GDR show.
By Ken Silva, 16 October
A data-sharing agreement between the US and the UK allows British investigators to conduct live wiretaps on US soil and vice versa, the US Department of Justice’s cybercrime chief said.
By Ken Silva, 6 November
China’s government will have legal and technical access to all digital data within its borders from next year, the US Senate Committee on the Judiciary heard.
By Robert Hart, 11 November
In guidance that seemingly contradicts advice by its French counterpart, Spain’s data regulator said that continuous browsing can be used to obtain consent.
By Sam Clark, 29 November
Brazilian legislators submitted plans to stagger the implementation of fines under its new data protection law, in response to a proposal to delay the entire law for two years.
By Robert Hart, 4 December
The coalition of German privacy regulators called for an update to data protection rules that would give IT producers additional responsibilities under the GDPR.
By Ken Silva, 11 December
In renewing his call for a new national data protection framework, Canada’s federal privacy commissioner Daniel Therrien warned against including an overly broad standard business practices provision – a concept similar to the GDPR’s legitimate interest basis for non-consent-based data processing.