2019 in data: policy
GDR’s editorial team brings you its coverage of the most significant data policy stories of 2019.
Data isn’t just about compliance, enforcement and litigation. Businesses and their advisers need to keep an eye on how the policy decisions of regulators, politicians and governments could affect their data assets. We’re pleased to present some of GDR’s top 2019 policy stories.
Brazil creates privacy watchdog, but fears remain over its independence
By Bronte Cullum, 3 January
The outgoing Brazilian president’s creation of a data protection authority by a last-minute executive order raised concerns among observers about its independence.
EU adopts Japan adequacy decision
By Vincent Manancourt, 23 January
The European Commission removed restrictions from transferring personal data to Japan, after the country implemented additional safeguards that aim to guarantee that exported data receives adequate protection.
China proposes strict data protection amendments
By Sam Clark, 12 February
The Chinese government released a set of proposed amendments to the country’s data protection standards that would introduce stricter obligations if passed.
Indian e-commerce policy proposes localisation rules
By Sam Clark, 28 February
Indian policymakers considered blocking Indian citizen data sharing abroad in a bid to get companies to relocate key functions to the country.
Senators and lobbyists clash over US federal privacy law
By Lauren Morris, 28 February
Industry pressure groups argued in support of a US federal data privacy framework to replace state laws, but some lawmakers voiced fears that such a law could water down stricter state requirements.
Australia begins roll-out of data portability scheme
By Bronte Cullum, 2 April
Australia’s competition watchdog released draft rules governing data portability in the banking sector.
EU gives guidance on data flow regulation
By Sam Clark, 30 May
The European Commission issued guidance for businesses on a new law governing the free flow of non-personal data.
China strengthens international data transfer requirements
By Sam Clark, 14 June
New draft rules by China’s cybersecurity regulator would force network operators to seek permission before sending data abroad, expanding the scope of planned rules that previously only applied to critical information infrastructure operators.
Extend scope of GDPR to non-personal data, French government told
By Bronte Cullum, 28 June
A long-awaited report by a French MP recommended reforms aimed at bolstering French companies’ defences against foreign data requests.
ICO rejects insurance industry’s requests for breach data
By Sam Clark, 4 July
The UK’s Information Commissioner’s Office told the Association of British Insurers that it will not share detailed cyber breach data with the insurance trade body – but the ABI insists this “cannot be the end of the matter”.
EU regulators take aim at data-driven business models
By Vincent Manancourt, 10 July
Leading EU competition and data protection regulators vowed to combine forces and use a wider array of their powers to change the data-driven business models favoured by the likes of Google, Apple, Facebook and Amazon – as well as China’s tech giants.
Equifax case highlights need for federal data law, FTC chair says
By Ken Silva, 23 July
The Federal Trade Commission would have been unable to reach a settlement of the magnitude of its $700 million settlement with Equifax without the help of other regulators, the agency’s chair Joseph Simons said.
Australian watchdog backs privacy framework reform
By Tom Webb and Robert Hart, 31 July
An Australian watchdog recommended wholesale reform of the country’s privacy laws – which it says are unfit to police current data practices.
Tech companies seek to put brakes on auto data law
By Ken Silva, 15 August
Two automotive tech companies sued the state of Arizona over a law they say would give third parties unaccountable access to their proprietary software.
New UAE IOT regulation incorporates GDPR-like principles
By Robert Hart, 10 July
The UAE Telecommunications Regulatory Authority’s new Internet of Things regulation includes data localisation requirements and incorporates elements of the GDPR, such as data minimisation.
CLOUD Act conflicts with GDPR, EDPB says
By Lauren Morris, 15 July
The European Data Protection Board said that an international agreement between the US and the EU is required to ensure that information requests under the US Clarifying Lawful Overseas Use of Data Act’s (CLOUD Act) comply with European law.
Military nominee seems likely for Brazil data watchdog
By Vincent Manancourt, 23 August
Brazil’s strongman president Jair Bolsonaro used his first year in office to stuff the government with military types. Observers fret the country’s first data protection agency awaits the same fate.
California passes final version of CCPA, but questions remain
By Ken Silva, 16 September
Legislators put their finishing touches on the California Consumer Privacy Act, but parts of the law remain unclear pending guidance from its enforcer.
Canada’s privacy watchdog ditches proposal to require consent for transfers
By Ken Silva, 24 September
After receiving criticism from industry and other stakeholders, the Office of the Privacy Commissioner of Canada backed off from its proposal to require businesses to obtain consent for data transfers.
US strengthens data-rich inbound investment rules
By Sam Clark, 19 September
Proposed rule changes would allow the US foreign investment committee to block deals that might endanger sensitive personal data.
CCPA could cost $16.5 billion over a decade
By Ken Silva, 4 October
The California Consumer Privacy Act will cost more than $50 million in 2020 and could cost between $463 million and $16.5 billion over the next decade, according to a cost-benefit analysis on the law released by California’s Department of Finance.
Irish government accused of breaking law over watchdog funding
By Robert Hart, 11 October
Ireland’s government breached EU law by awarding the country’s data protection watchdog a fraction of the budget it had requested, the European Commission was told.
IAB and ICO clashed over adtech legal basis, documents show
By Sam Clark, 18 October
European adtech trade body the Interactive Advertising Bureau clashed with the UK Information Commissioner’s Office over the lawful basis for processing cookies data, documents seen by GDR show.
CLOUD Act permits British wiretapping on US soil, deputy AG says
By Ken Silva, 16 October
A data-sharing agreement between the US and the UK allows British investigators to conduct live wiretaps on US soil and vice versa, the US Department of Justice’s cybercrime chief said.
US committee warned of China’s bulk data collection
By Ken Silva, 6 November
China’s government will have legal and technical access to all digital data within its borders from next year, the US Senate Committee on the Judiciary heard.
Browsing enough for cookie consent, according to Spanish guidelines
By Robert Hart, 11 November
In guidance that seemingly contradicts advice by its French counterpart, Spain’s data regulator said that continuous browsing can be used to obtain consent.
By Sam Clark, 29 November
Brazilian legislators submitted plans to stagger the implementation of fines under its new data protection law, in response to a proposal to delay the entire law for two years.
German regulators propose new IT vendor privacy obligations
By Robert Hart, 4 December
The coalition of German privacy regulators called for an update to data protection rules that would give IT producers additional responsibilities under the GDPR.
Canadian privacy commissioner casts doubt on standard business practices
By Ken Silva, 11 December
In renewing his call for a new national data protection framework, Canada’s federal privacy commissioner Daniel Therrien warned against including an overly broad standard business practices provision – a concept similar to the GDPR’s legitimate interest basis for non-consent-based data processing.