Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Data protection roundup of 51 jurisdictions [1999] PLBIRp 14; (1999) 48 Privacy Laws and Business International Report 3

Data Protection Roundup

THE DATA PROTECTION ROUNDUP, updated annually, is a review of the status of data protection legislation around the world. This update summarises the status of data protection laws and bills in 51 jurisdictions in March 1999.

ARGENTINA

A data protection bill - Habeas Data Bill was being prepared a few years ago. Its purpose, explained in its first article, was to provide "the comprehensive protection of personal data stored in files, registries, databanks or other electronic and manual media, to guarantee the honour and privacy of persons and access to information registered on them, pursuant to the third paragraph of Article 43 of the National Constitution." Besides individuals, the bill also aimed to protect legal persons. This bill was vetoed by the President in 1997 on the grounds that it would harm large businesses. A new bill is now expected to be discussed during 1999.

AUSTRALIA

Australia has a Federal Privacy Act of November 1988, which came into force on January 1st 1989. The Act applies mainly to the federal public sector, but not to State Governments. The Act covers physical persons and both automated and manual records. It was amended in 1989 to include rules about consumer credit information. Other laws, which have data protection measures, include the Telecommunications Act of 1979, and the Crimes Act of 1989.

In February 1998, the Australian Privacy Commissioner issued a set of national principles for the fair handling of personal information. The principles have now been accepted as a basis for private sector legislation, which is currently being prepared. The new law will be based on creating enforceable industry codes.

AUSTRIA

Austria's Data Protection Act was passed on October 18th 1978. Implementation of the Act has taken place in stages, the first stage being January 1st 1980. The Act was amended in July 1986 with new provisions on international transfers of data, which entered into force on July 1st 1987. The law covers physical and legal persons, and mainly automated data in both public and private sectors.

Austria is expected to adopt a new data protection law implementing the EU Data Protection Directive during 1999 (in July at the earliest). In February 1999, the Bill was not yet in Parliament.

BELGIUM

Belgium adopted the Law on the Protection of Private Life Regarding the Processing of Personal Data on December 8th 1992. Royal Decrees, containing details about the enactment of different sections of the Act, interpret the text of the new law. The final date for all provisions of the Act to enter into force was June 1st 1995. In February and March 1995, several Royal Decrees, including decrees on sensitive data, criminal convictions data, notification to individuals and registration fees, were passed. In March 1996, three further decrees were passed, two of which made amendments to the relevant 1995 decrees.

In November 1998, Belgium adopted a new data protection law, which implements the EU Data Protection Directive. The implementation law was published in the Official Journal on 3rd February 1999.

BRAZIL

Brazil's constitution recognises the right to privacy; however, the country does not have a data protection law yet. There are two privacy bills in the Congress; one of them addresses specifically Internet issues.

CANADA

Canada's Privacy Act was passed in 1982. It came into force in 1983 and applies to the federal government and federal agencies. The Privacy Commissioner's jurisdiction has been extended to a few Crown Corporations (state-owned companies). On the provincial level, most Canadian provinces have passed privacy legislation. Except for Quebec, these laws apply only to public sector activities.

In October 1998, a bill for private sector legislation was tabled in Parliament. The bill covers the federally regulated private sector including banking, telecommunications and transport. Regulating the whole private sector is only possible if the provinces follow suit. The proposed law would be based on the Canadian Standards Association's (CSA) Model Code for the Protection of Personal Information, which was approved in 1996. The Code is based on the OECD Guidelines and sets minimum standards and requirements for the protection of personal information, formulated through ten interrelated principles. It is expected that the law will be adopted by the end of June 1999.

THE PEOPLES' REPUBLIC OF CHINA

The Ministry of Public Security adopted Regulations on the Security and Management of Computer Information, Networks and the Internet on December 30th 1997. These regulations are more detailed than previous legislation. The Computer Management and Supervision Department within the Ministry is responsible for the enforcement of the regulations which seek specifically and primarily to prevent the use of the Internet and networks as a tool for harming the security and interests of the state.

Organisations and individual network users are also protected from abuse or slander across the net or any actions which may violate their freedom and privacy. Although the English translation refers to generic privacy, the original Chinese version refers specifically to e-mail privacy. The legislation also applies to network connections between the Peoples' Republic of China and Hong Kong, Taiwan and Macao.

CZECH REPUBLIC

The Protection of Personal Data in Information Systems Law was approved by the former Federal Government of Czechoslovakia on April 29th 1992 and the law entered into force in June 1992. This law is still in force in the Czech Republic. The law applies to physical persons in the public and private sectors and covers automated data only. As it is not fully compatible with the EU Data Protection Directive, it has been decided to draft a new law rather than amend the old one. The Government has ordered the Office for the State Information Systems to submit a draft for a new law by the end of May 1999. The new law will establish an independent supervisory authority.

DENMARK

Denmark has separate Public Registers and Private Registers Acts, both passed in June 1978. They both entered into force on January 1st 1979.

The Private Registers Act covers automated and manual records and applies to both physical and legal persons. In July 1996, a new Act on the use of health data in the employment sector came into force. It contains principles regarding the collection and use of employees' health data by employers.

The transposition of the EU Data Protection Directive will bring major changes to the current law. A bill was submitted to Parliament last October, which proposes to widen the scope of the current law from registration and disclosure of registered data to processing of personal data.

ESTONIA

Estonia has had a Personal Data Act since 1996. The country has since adopted a law on databases in 1997. A Data Protection Department in the Ministry of Interior enforces the provisions of the Personal Data Act. It is planned to establish an independent supervisory body, and amend the law to bring it into line with the EU Data Protection Directive.

FINLAND

Finland passed a Personal Data Files Act on February 4th 1987, which came into force on January 1st 1988. The Act was amended with effect from July 1st 1994 to give some exemptions to specific databases. The Parliament adopted, on 10th February 1999, a new data protection law, which implements the EU Data Protection Directive. It had not come into force yet at the beginning of April. There are also plans to legislate separately on the protection of workers' personal data.

FRANCE

France has an Act on Data Processing, Data Files and Individual Liberties, which was passed on January 6th 1978. It became fully operational on January 1st 1980. The Act covers automated and manual records in both public and private sectors and provides for a central registration system. France's data protection law's right of access was extended to legal persons on July 3rd 1984 by an administrative decision of the CNIL, France's Data Protection Authority.

France is still awaiting the adoption of a new law, which will implement the EU Data Protection Directive. A rapporteur, appointed by the Conseil d'Etat, submitted a report in March 1998 on the implementation of the EU Data Protection Directive into France's law. In January 1999, the Prime Minister reaffirmed the Government's intention to present to Parliament a new law transposing the EU Data Protection Directive.

GERMANY

The Federal Data Protection Act was passed on January 27th 1977 and became fully operational on January 1st 1979. The law covers physical persons' automated and manual records in both public and private sectors. In addition, the Lander have separate data protection laws covering access to name-linked data held by them and institutions owned by them, such as banks.

A new Federal Data Protection Act was adopted in late 1990. On August 1st 1996, the Federal Telecommunications Act was passed which also includes strict data protection provisions. An Information and Communications Act was passed in August 1997. The Act takes into account new applications of information and communications technology such as the Internet.

Finally, implementation of the EU Data Protection Directive has been delayed. The Government circulated a draft Bill for comment at the end of 1997, but a new Bill is now being prepared. It is expected that the Bill will be published by June.

GIBRALTAR

Gibraltar, a UK colony, intends to legislate to implement the EU Data Protection Directive. The Gibraltar Government has requested that the UK Data Protection Registrar assume responsibility for Gibraltar's data protection functions. A provision, which enables the Registrar to take this responsibility, is included in the 1998 UK Data Protection Act.

GREECE

Greece was the last Member State of the European Union to adopt data protection legislation. Its 1997 law follows closely the provisions of the EU Data Protection Directive. The Act, adopted on 10th April 1997, came into force on 10th November 1997. The law covers manual data, has a universal notification system, establishes an independent Data Protection Authority and provides an exemption for domestic data processing.

GUERNSEY

Guernsey passed its Data Protection (Bailwick of Guernsey) Law on May 28th 1986, which came into force on November 11th 1987. It covers physical persons and automated data in the public and private sectors. Unlike the UK, Guernsey has no Data Protection Registrar. The Advisory and Finance Committee oversees the law with the help of a Data Protection Officer, who combines this work with other responsibilities. As Guernsey is not an EU member, it is not obliged to implement the EU Data Protection Directive. However, it is currently revising the law to satisfy the requirement of "adequate" protection for transborder data flows.

HONG KONG

Hong Kong passed the Personal Data (Privacy) Ordinance in August 1995. The Ordinance entered into force in December 1996. It covers both automated and manual data and applies to both private and public sectors.

The Hong Kong law generally includes most of the provisions of the EU Data Protection Directive with few exceptions such as specified categories of sensitive data, which are not included.

HUNGARY

Hungary was the first country in Eastern Europe to pass data protection legislation. The law was enacted on October 27th 1992, and was combined with freedom of information legislation giving a general right of public access to government information. The Act on the Protection of Personal Data and Disclosure of Data of Public Interest entered into force on May 1st 1993.

The Act covers automated and manual data of physical persons and has a limited registration system for some types of data. It provides for the establishment of a Parliamentary Commissioner for Data Protection and Freedom of Information, who was appointed in July 1995.

As Hungary has applied for EU membership, the current data protection law is now being examined in order to establish whether it should be amended.

ICELAND

Iceland's Act Respecting Systematic Recording of Personal Data was passed in 1981 and came into force on January 1st 1982. It covers both automated and manual records, physical and legal persons in both public and private sectors and has a central registration system.

On 28th December 1989, the Act was amended and the new Act concerning the Registration and Handling of Personal Data came into force in January 1990. The new Act has the same scope as the previous one.

The current Act is under examination as a result of the European Union adopting the Data Protection Directive. The intention is to make the law equivalent to that of the EU Member States, as Iceland is an Associate Member.

IRELAND

Ireland's Data Protection Act was passed on July 13th 1988 and it came into force on April 19th 1989. The Act covers physical persons and automated data in both the public and private sectors.

The Department of Justice issued a consultation paper on the implementation of the EU Data Protection Directive in December 1997. It is expected that a Bill will be published before April 1999. The directive will be implemented through amendments to the existing 1988 Data Protection Act.

ISLE OF MAN

The Isle of Man passed its Data Protection Act on July 16th 1986. The law fully entered into force on October 17th 1990. The Act is similar to the UK Data Protection Act, except that the exemptions have been widened to exclude many small businesses. Other differences include registration requirements and costs. The Isle of Man is not a member of the EU, but it intends to update the law to reflect the requirements of the EU Data Protection Directive for transborder data flows.

ISRAEL

Israel's Protection of Privacy Law was passed in February 1981 and entered into force on September 11th 1981. It covers the processing of personal data in computer data banks. The law was amended on March 4th 1985 to regulate the transmission of information between public bodies. The law requires the holders of data banks to register.

In 1996, an amendment was adopted which included restricting registration to a narrower group of data users, and introducing a provision on direct marketing. Recently, discussions have started on revising the 1981 law.

ITALY

Italy adopted an Act on the Protection of Individuals and Legal Persons Regarding the Processing of Personal Data on December 31st 1996. The Act entered into force on May 8th 1997.

The law applies to both private and public sectors and automated and manual processing. In addition to personal data of individuals, it offers protection to legal persons. Two decrees were passed in May and July 1997 on transitional provisions for notification. The law will be further amended by secondary legislation.

JAPAN

The Act on Protection of Computer Processed Personal Data held by Administrative Organs was enacted on December 16th 1988, and came into force in stages from October 1st 1989 to October 1st 1990.

The Act covers automated data in national government departments. It is based on several data protection principles, but contains a number of exceptions.

In March 1997, The Ministry of International Trade and Industry (MITI) issued guidelines for data processing in the private sector. The guidelines are based on the OECD Guidelines and the Council of Europe Convention number 108. A supervisory authority was established in February 1998 under MITI to monitor the adoption of the guidelines and the system of privacy protection marks.

JERSEY

Jersey, a self-governing entity associated with the UK, passed a Data Protection (Jersey) Law on April 30th 1987. This is similar to the UK's Data Protection Act, covering both public and private sectors. It came into effect from November 11th 1987.

Although Jersey is not obliged to implement the EU Data Protection Directive, as it is not a member, it intends to review the current law. The Registrar recommends that Jersey should, in general terms, follow the UK Data Protection Act. It is expected that the revision of the data protection law will be on the legislative programme for the year 2000. The new law could then be in force by the end of that year, or at the beginning of 2001.

KOREA (South)

South Korea has a law on the Protection of Personal Information Managed by Public Agencies. The law, adopted in 1994, applies to national administrative agencies, local government, other public agencies and schools. The law covers automated data and protects the personal information of natural persons.

LITHUANIA

Lithuania has had a law on the Legal Protection of Personal Data since 1996. The law covers public sector data of natural persons, which is processed by means of state computerised information systems. The law was amended in 1998 to bring it into line with the EU Data Protection Directive. The establishment of an independent supervisory authority is being planned.

LUXEMBOURG

Luxembourg's Nominal Data (Automatic Processing) Act was passed on March 31st 1979 and entered into force on October 1st 1979. The law covers the public and private sectors, automated records and legal persons, and has a central registration system. Amendments made in September/October 1992 applied to police files and medical data.

A bill implementing the EU Data Protection Directive was presented to Parliament in September 1997, but was later withdrawn. In February 1999, the Ministry of Justice was finalising the new bill.

MALAYSIA

Malaysia was, in mid-March, preparing a Data Protection Bill. It is expected that the bill will be submitted to Parliament by the end of 1999. The bill will cover both private and public sectors, and legal and natural persons. The drafting committee is giving consideration to the EU Data Protection Directive in order to match the requirements for adequate protection.

MALTA

Malta had been preparing a Data Protection Bill in 1992, but failed to enact a law. Its membership application to the EU, and the forthcoming negotiations at the end of the year, may give the attempts to legislate in this field more urgency.

MEXICO

Mexico has issued a norm which defines the minimum level of data protection. However, there is no bill yet.

MONACO

Monaco passed a Data Protection Law on December 23rd 1993, which entered into force on the same date.

THE NETHERLANDS

The Data Protection Act was adopted by the Upper House of the States General (legislature) on December 27th 1988. It entered fully into force on July 1st 1990. The Act covers physical persons and also gives legal persons some rights. It applies to both private and public sectors and automated and manual records. Comprehensive rules on the processing of sensitive data are contained in the Royal Decree on Sensitive Data which entered into force in June 1993.

A bill for a new Data Protection Act, implementing the EU Data Protection Directive, was being discussed in the second chamber of the Parliament in mid-March. The new law is not expected to be adopted before September 1999.

NEW ZEALAND

The Privacy Act was adopted on May 17th 1993 and entered into force on July 1st of the same year. The Act repealed and consolidated the Privacy Commissioner Act of 1991 and included comprehensive new provisions.

The Act applies to both public and private sector agencies. A review of the 1993 Act, required by the Act every five years, was started in autumn 1997 by public consultation. The Commissioner's report on the review was issued in December 1998. Some of the 150 recommendations address the concerns raised by the EU Data Protection Directive. The Minister of Justice is now considering the report.

NORWAY

The Personal Data Registers Act was enacted in June 1978 and came into force on January 1st 1980. It applies to both the public and private sectors, manual and automated records and covers physical and legal persons. On October 1st 1987, the Act was strengthened regarding direct mail, telemarketing and consumer credit. A law on video surveillance in public places was passed on June 24th 1994. The Government will propose changes to the present law which are required because Norway is in the European Economic Area. The draft law had not yet, at the beginning of March, been presented to Parliament.

POLAND

In Poland, data protection is included in the new constitution. The country adopted a Data Protection Act on 29th August 1997. The law, which has been greatly influenced by the EU Data Protection Directive, entered into force on 30th April 1998.

There are some data protection provisions in other legislation, such as the Civil Code. In April 1993, an order by the Ministry of Health on the storage of medical information, including provisions on the protection of medical data, was put into effect.

PORTUGAL

The Assembly passed the Protection of Personal Data Act which was published on April 29th 1991 and entered into force on May 4th of the same year. There were further amendments to the Act in August 1994. In order to implement the EU Data Protection Directive, the Portuguese Constitution was amended in 1997 to include the principle of data protection. A new Data Protection Act, published on 26th October 1998, has now replaced the 1991 Act.

ROMANIA

Romania has signed the Council of Europe Convention 108 and the Parliament is in the process of analysing the proposed changes to the 1992 bill to bring it into line with the EU Data Protection Directive's provisions.

RUSSIAN FEDERATION

The Russian Federation passed The Law of the Russian Federation on Information, Informatisation and Information Protection in January 1995. Although not strictly data protection legislation, its content includes data protection and freedom of information provisions. The law has several provisions, such as a licensing system, the rights of individuals, duties of the "holder of information" and data security. Its structure does not follow that of the European data protection laws and many of its provisions are drafted in wide terms requiring further statutory regulation.

SINGAPORE

Singapore's National Internet Advisory Committee proposed, in 1998, an Electronic Commerce Consumer Protection Code, which establishes rules on conducting business over the Internet. It is proposed that service providers should take steps to ensure the confidentiality of personal data. The voluntary code would also limit the collection of personal data.

SLOVAKIA

In 1995, a draft of the Law on Personal Data Protection in Information Systems was prepared with the help of an expert group from the Council of Europe. The law was adopted in February 1998. The law, which covers both automated and manual data, follows closely the provisions of the EU Data Protection Directive.

SLOVENIA

Slovenia's first Personal Data Protection Act was passed in March 1990. Although this law is still in force, there has been a substantial revision of its provisions. On the recommendation of an expert group of the Council of Europe given in April 1994, a new proposal for legislation has been prepared. The draft aims to match the provisions of the EU Data Protection Directive.

SOUTH AFRICA

South Africa had an Open Democracy Bill in 1998. It originally included a broad requirement to obtain consent before using an individual's personal data. The Bill has posed many problems for the drafters. One of the problematic areas is the release of information that could harm national security and defence. The data protection provisions have since been excluded, but there are plans to introduce separate data protection legislation in the future.

SPAIN

Spain's Law on the Regulation of the Automated Processing of Personal Data was adopted by the legislature on October 8th 1992. It entered into force in February 1993. The Act covers automated records in the public and private sectors.

In June 1994, a Royal Decree was adopted providing more detailed rules on transborder data flows, registration procedures, data subjects' rights, and containing definitions interpreting terms used in Spain's Act. A new Telecommunications Act 1998 implements the EU Telecommunications Directive. A bill to implement the EU Data Protection Directive was presented to Parliament in July 1998.

SWEDEN

Sweden adopted the world's first national data protection law on May 11th 1973, which has since been amended several times. It covers physical persons, and automated records in both the public and private sectors. Sweden adopted a new law in April 1998 to implement the EU Data Protection Directive. The law came into force on 25th October 1998. There is a transitional period for processing already under way until 30th September 2001, and for manual data until 1st October 2007. The framework law has been amended by secondary legislation, for example, rules on notification.

SWITZERLAND

Switzerland adopted a Federal Law on Data Protection in June 1992, which entered into force in July 1993. The Ordinance on the Federal Law on Data Protection was passed in June 1993. The Ordinance contains more detailed provisions on the rights of access, registration requirements, transfers of data abroad and data security requirements.

The Swiss law applies to the processing of personal data both by the public and private sectors and covers both automated and manual data. The Act is not restricted to the protection of personal information of individuals, but extends the protection also to legal persons. The Telecommunications Act has been amended so that telecommunications are now subject to the data protection provisions relating to the private sector.

TAIWAN

Taiwan adopted the Computer- Processed Personal Data Protection Law in August 1995. The Enforcement Rules, containing more detailed and interpretative provisions, were adopted by the Ministry of Justice in May 1996. Both the Law and the Enforcement Rules entered into force on the respective dates they were adopted.

The Law applies to automated processing of personal data by the public sector and some areas of the private sector.

THAILAND

Thailand started, in February 1998, to prepare laws relating to data protection, computer crime and electronic signatures. Earlier, an Internet Act was proposed, but it failed to materialise.

TURKEY

Turkey has a draft data protection law, which covers both the private and public sectors, and natural and legal persons. The bill incorporates the main principles of the OECD guidelines and the Council of Europe Convention 108, and establishes an independent Data Protection Authority. It is expected that the bill will be presented to the National Assembly during 1999.

UNITED KINGDOM

The United Kingdom's first Data Protection Act was passed in 1984 and fully came into effect in November 1987. The law covers automated records of physical persons in both public and private sectors and has a central registration system.

The United Kingdom adopted a new data protection law in July 1998, which implements the provisions of the EU Data Protection Directive. The new law will also cover some manual records. At the end of March 1999, the Government was still working on the secondary legislation, and the new Act will probably not be in force before mid-1999.

A Human Rights Act, which incorporates into UK law the Council of Europe Convention on Human Rights and Fundamental Freedoms, was adopted in November 1998. In addition, the Government is working on a draft Freedom of Information Bill.

UNITED STATES

The United States has numerous pieces of Federal and State legislation as opposed to a nation-wide data protection law. In 1974, the Privacy Act, applicable only to the Federal Government, was passed. Several states, such as New York and California, have similar laws covering access to records held by state agencies. There is also sectoral federal data protection legislation, for example, the Cable Communications Policy Act (1984), the Electronic Communications Privacy Act (1986), the Video Privacy Protection Act (1988), the US Computer Matching and Privacy Protection Act (1988), the Automated Telephone Consumer Protection Act (1991), and the Communications Assistance for Law Enforcement Act (1994). The 105th Congress adopted the Identity Theft and Assumption Deterrence Act 1998.

All US states have some data protection legislation but the level varies greatly from one State to another. While it seems that the United States is more inclined to rely on self-regulation than adopt a comprehensive data protection law, there are a number of legislative proposals on specific issues, such as medical data, before the US Congress.

We welcome readers' comments, additions and suggestions for amendments. For more information on specific countries, the 1987-1998 newsletter index gives references to reports published in previous newsletters by country and subject. The index was sent to subscribers with the February 1999 newsletter. It is also available on request from the Privacy Laws & Business office, and on the Internet at www.privacylaws.co.uk. This roundup is protected by copyright. It is available as a separate publication from our office, price £100 (also available to order via the Internet, http://www. privacylaws.co.uk).