2019 in data: policy

GDR’s editorial team brings you its coverage of the most significant data policy stories of 2019.

Data isn’t just about compliance, enforcement and litigation. Businesses and their advisers need to keep an eye on how the policy decisions of regulators, politicians and governments could affect their data assets. We’re pleased to present some of GDR’s top 2019 policy stories.

Brazil creates privacy watchdog, but fears remain over its independence

By Bronte Cullum, 3 January

The outgoing Brazilian president’s creation of a data protection authority by a last-minute executive order raised concerns among observers about its independence.

EU adopts Japan adequacy decision

By Vincent Manancourt, 23 January

The European Commission removed restrictions from transferring personal data to Japan, after the country implemented additional safeguards that aim to guarantee that exported data receives adequate protection.

China proposes strict data protection amendments

By Sam Clark, 12 February

The Chinese government released a set of proposed amendments to the country’s data protection standards that would introduce stricter obligations if passed.

Indian e-commerce policy proposes localisation rules

By Sam Clark, 28 February

Indian policymakers considered blocking Indian citizen data sharing abroad in a bid to get companies to relocate key functions to the country.

Senators and lobbyists clash over US federal privacy law

By Lauren Morris, 28 February

Industry pressure groups argued in support of a US federal data privacy framework to replace state laws, but some lawmakers voiced fears that such a law could water down stricter state requirements.

Australia begins roll-out of data portability scheme

By Bronte Cullum, 2 April

Australia’s competition watchdog released draft rules governing data portability in the banking sector.

EU gives guidance on data flow regulation

By Sam Clark, 30 May

The European Commission issued guidance for businesses on a new law governing the free flow of non-personal data.

China strengthens international data transfer requirements

By Sam Clark, 14 June

New draft rules by China’s cybersecurity regulator would force network operators to seek permission before sending data abroad, expanding the scope of planned rules that previously only applied to critical information infrastructure operators.

Extend scope of GDPR to non-personal data, French government told

By Bronte Cullum, 28 June

A long-awaited report by a French MP recommended reforms aimed at bolstering French companies’ defences against foreign data requests.

ICO rejects insurance industry’s requests for breach data

By Sam Clark, 4 July

The UK’s Information Commissioner’s Office told the Association of British Insurers that it will not share detailed cyber breach data with the insurance trade body – but the ABI insists this “cannot be the end of the matter”.

EU regulators take aim at data-driven business models

By Vincent Manancourt, 10 July

Leading EU competition and data protection regulators vowed to combine forces and use a wider array of their powers to change the data-driven business models favoured by the likes of Google, Apple, Facebook and Amazon – as well as China’s tech giants.

Equifax case highlights need for federal data law, FTC chair says

By Ken Silva, 23 July

The Federal Trade Commission would have been unable to reach a settlement of the magnitude of its $700 million settlement with Equifax without the help of other regulators, the agency’s chair Joseph Simons said.

Australian watchdog backs privacy framework reform

By Tom Webb and Robert Hart, 31 July

An Australian watchdog recommended wholesale reform of the country’s privacy laws – which it says are unfit to police current data practices.

Tech companies seek to put brakes on auto data law

By Ken Silva, 15 August

Two automotive tech companies sued the state of Arizona over a law they say would give third parties unaccountable access to their proprietary software.

New UAE IOT regulation incorporates GDPR-like principles

By Robert Hart, 10 July

The UAE Telecommunications Regulatory Authority’s new Internet of Things regulation includes data localisation requirements and incorporates elements of the GDPR, such as data minimisation.

CLOUD Act conflicts with GDPR, EDPB says

By Lauren Morris, 15 July

The European Data Protection Board said that an international agreement between the US and the EU is required to ensure that information requests under the US Clarifying Lawful Overseas Use of Data Act’s (CLOUD Act) comply with European law.

Military nominee seems likely for Brazil data watchdog

By Vincent Manancourt, 23 August

Brazil’s strongman president Jair Bolsonaro used his first year in office to stuff the government with military types. Observers fret the country’s first data protection agency awaits the same fate.

California passes final version of CCPA, but questions remain

By Ken Silva, 16 September

Legislators put their finishing touches on the California Consumer Privacy Act, but parts of the law remain unclear pending guidance from its enforcer.

Canada’s privacy watchdog ditches proposal to require consent for transfers

By Ken Silva, 24 September

After receiving criticism from industry and other stakeholders, the Office of the Privacy Commissioner of Canada backed off from its proposal to require businesses to obtain consent for data transfers.

US strengthens data-rich inbound investment rules

By Sam Clark, 19 September

Proposed rule changes would allow the US foreign investment committee to block deals that might endanger sensitive personal data.

CCPA could cost $16.5 billion over a decade

By Ken Silva, 4 October

The California Consumer Privacy Act will cost more than $50 million in 2020 and could cost between $463 million and $16.5 billion over the next decade, according to a cost-benefit analysis on the law released by California’s Department of Finance.

Irish government accused of breaking law over watchdog funding

By Robert Hart, 11 October

Ireland’s government breached EU law by awarding the country’s data protection watchdog a fraction of the budget it had requested, the European Commission was told.

IAB and ICO clashed over adtech legal basis, documents show

By Sam Clark, 18 October

European adtech trade body the Interactive Advertising Bureau clashed with the UK Information Commissioner’s Office over the lawful basis for processing cookies data, documents seen by GDR show.

CLOUD Act permits British wiretapping on US soil, deputy AG says

By Ken Silva, 16 October

A data-sharing agreement between the US and the UK allows British investigators to conduct live wiretaps on US soil and vice versa, the US Department of Justice’s cybercrime chief said.

US committee warned of China’s bulk data collection

By Ken Silva, 6 November

China’s government will have legal and technical access to all digital data within its borders from next year, the US Senate Committee on the Judiciary heard.

Browsing enough for cookie consent, according to Spanish guidelines

By Robert Hart, 11 November

In guidance that seemingly contradicts advice by its French counterpart, Spain’s data regulator said that continuous browsing can be used to obtain consent.

Brazil faces LGPD fines delay

By Sam Clark, 29 November

Brazilian legislators submitted plans to stagger the implementation of fines under its new data protection law, in response to a proposal to delay the entire law for two years.

German regulators propose new IT vendor privacy obligations

By Robert Hart, 4 December

The coalition of German privacy regulators called for an update to data protection rules that would give IT producers additional responsibilities under the GDPR.

Canadian privacy commissioner casts doubt on standard business practices

By Ken Silva, 11 December

In renewing his call for a new national data protection framework, Canada’s federal privacy commissioner Daniel Therrien warned against including an overly broad standard business practices provision – a concept similar to the GDPR’s legitimate interest basis for non-consent-based data processing.


Get unlimited access to all Global Data Review content