WorldLII Home | Databases | WorldLII | Search | Feedback

Privacy Laws and Business International Report

You are here:  WorldLII >> Databases >> Privacy Laws and Business International Report >> 2000 >> [2000] PLBIRp 13

Database Search | Name Search | Recent Articles | Noteup | LawCite | Download | Help

Data protection roundup of 52 jurisdictions worldwide [2000] PLBIRp 13; (2000) 53 Privacy Laws and Business International Report 3

Data Protection Roundup

THE DATA PROTECTION ROUNDUP, updated annually, is a review of the status of data protection legislation around the world. This update summarises the status of data protection laws and bills in 52 jurisdictions in March 2000.

ARGENTINA

A data protection bill - Habeas Data Bill was being prepared in 1996. Its purpose, explained in its first article, was to provide "the comprehensive protection of personal data stored in files, registries, databanks or other electronic and manual media, to guarantee the honour and privacy of persons and access to information registered on them, pursuant to the third paragraph of Art. 43 of the National Constitution." Besides individuals, the bill also aims to protect legal persons. This bill was vetoed by the President in 1997 on the grounds that it would hurt large businesses.

A new bill was pending at the Chamber of Deputies in 1998. The bill was expected to be discussed during 1999.

AUSTRALIA

Australia has a Federal Privacy Act of November 1988, which came into force on January 1st 1989. The Act applies mainly to the federal public sector, but not to State Governments. The Act covers physical persons and both automated and manual records. It was amended in 1989 to include rules about consumer credit information. Other laws, which have data protection measures, include the Telecommunications Act of 1979, and the Crimes Act of 1989.

Australia is close to adopting private sector legislation. The Bill establishing the data protection rules for the private sector was published on 14th December 1999, and comments were sought by 17th January 2000. The law will be based on the previously introduced non-binding national privacy principles for the fair handling of personal information, and enforceable industry codes of practice.

AUSTRIA

Austria's new Data Protection Act (165/1999) was published in the Federal Gazette I 1999/165. The law, which replaces the 1978 Act, and implements the EU Data Protection Directive, entered into force on 1st January 2000. The law applies to both private and public sectors, and now covers also manual data. There are exemptions from notification. Additional regulations, for example on processing personal data in open networks, are expected in the future.

BELGIUM

Belgium adopted a new Data Protection Act implementing the EU Data Protection Directive on 12th November 1998. An implementation law for the new Act was passed on 11th December 1998, and the law entered into force on 13th February 1999. The law repeals the 1992 Act. A Royal Decree is needed to deal with authorisations of data transfers to third countries.

BRAZIL

Brazil's constitution recognises the right to privacy; however, the country does not have a data protection law yet. There were two privacy bills in the Congress in 1999; one of them addresses specifically Internet issues.

CANADA

Canada's Privacy Act was passed in 1982. It came into force in 1983 and applies to the federal government and federal agencies. Except for Quebec, provincial privacy laws apply only to public sector activities.

In October 1998, a Bill for private sector legislation was tabled in Parliament. The bill covers the federally regulated private sector including banking, telecommunications and transport. Regulating the whole private sector is possible only if the provinces follow suit. The proposed law is based on the Canadian Standards Association's (CSA) Model Code for the Protection of Personal Information, and it would help Canada to meet the EU's level of data protection.

The Bill was passed by the House of Commons in October 1999, and by the Senate in December 1999. However, as a result of health information amendments made by the Senate, the Bill C-6 (formerly C-54) now needs to be debated again this spring by the House of Commons.

THE PEOPLES' REPUBLIC OF CHINA

The Ministry of Public Security adopted Regulations on the Security and Management of Computer Information, Networks and the Internet on December 30th 1997. These regulations are more detailed than previous legislation. The Computer Management and Supervision Department within the Ministry is responsible for the enforcement of the regulations which seek specifically and primarily to prevent the use of the Internet and networks as a tool for harming the security and interests of the state.

Organisations and individual network users are also protected from abuse or slander across the net or any actions, which may violate their freedom and privacy. The legislation also applies to network connections between the Peoples' Republic of China and Hong Kong, Taiwan and Macao.

CZECH REPUBLIC

The Protection of Personal Data in Information Systems Law was approved by the former Federal Government of Czechoslovakia on April 29th 1992 and the law entered into force in June 1992. The law applies to physical persons in the public and private sectors and covers automated data only. As the current law is not fully compatible with the EU Data Protection Directive, it has been decided to draft a new law rather than amend the old one.

On 27th January 2000, the Chamber of Deputies of the Czech Parliament approved a Bill on personal data protection. The Bill will be debated in the second chamber of the Parliament in spring 2000.

DENMARK

Denmark is currently in the process of implementing the EU Data Protection Directive into national legislation. There are two separate Acts of 1978 on personal data in public and private registers. The directive has been partially implemented by an Act amending the Civil Registration Act, which deals with public registers. The amending legislation was published on 26th June 1998, and entered into force on 1st October 1998.

The rest of the directive will be implemented soon. A new data protection bill was published on 9th December 1999, and is now waiting for the second reading in Parliament. It is expected that a new law will be adopted by July 2000.

ESTONIA

Estonia has had a Personal Data Act since 1996. It has been amended by a regulation (01/02/1999) establishing an independent supervisory authority. The Inspectorate of Data Pro-tection has been operating since 18th February 1999. The country also adopted a law on Databases in 1997. Laws in preparation include amendments to the Personal Data Act and the Databases Act, as well as to the Code of Administrative Offences. The amendments will harmonise the current legislation with the EU Data Protection Directive.

FINLAND

Finland implemented the EU Data Protection Directive into its national law in 1999. The new Personal Data Act (523/99), which was adopted on 10th February 1999 and entered into force on 1st June 1999, replaces the Personal Data Files Act of 1987. The law applies to all natural persons, and the processing of automated as well as manual data. There are wide exemptions from notification. Transfers to non-EEA countries have to be notified to the Data Protection Ombudsman.

Finland also adopted a new Freedom of Information Act in 1999. It entered into force on 1st December last year. At the moment, the Government is working on a proposal for legislation to deal with processing of personal data in the employment field.

FRANCE

France has an Act on Data Processing, Data Files and Individual Liberties, which was passed on January 6th 1978. It became fully operational on January 1st 1980. The Act covers automated and manual records in both public and private sectors and provides for a central registration system. France's data protection law's right of access was extended to legal persons on July 3rd 1984 by an administrative decision of the CNIL, France's Data Protection Authority.

France is still awaiting the adoption of a new law, which will implement the EU Data Protection Directive. A rapporteur, appointed by the Conseil D'Etat, submitted a report in March 1998 on the implementation of the EU Data Protection Directive into France's law. In February 2000, France was still waiting for the publication of a data protection bill. It is expected that a new law will be adopted in summer.

GERMANY

The Federal Data Protection Act was passed on January 27th 1977 and became fully operational on January 1st 1979. The law covers physical persons' automated and manual records in both public and private sectors. In addition, the Lander have separate data protection laws covering access to name-linked data held by them and institutions owned by them, like banks.

The Federal Data Protection Act was substantially amended in late 1990. On August 1st 1996, the Federal Telecommunications Act was passed which also includes strict data protection provisions. An Information and Communications Act was passed in August 1997. The Act takes into account new applications of information and communications technology such as the Internet.

Implementation of the EU Data Protection Directive has been delayed. The Government has prepared several draft bills, but Parliamentary work has not yet begun.

GIBRALTAR

Gibraltar, a UK colony, intends to legislate to implement the EU Data Protection Directive. The Gibraltar Government has requested that the UK Data Protection Registrar assume responsibility for Gibraltar's data protection functions. A provision, which enables the Registrar to take this responsibility, is included in the 1998 UK Data Protection Act.

GREECE

Greece was the last Member State of the European Union to adopt data protection legislation. Its 1997 law follows closely the provisions of the EU Data Protection Directive. The Act, adopted on 10th April 1997, came into force on 10th November 1997. The law covers manual data, has a universal notification system, and establishes an independent Data Protection Authority.

GUERNSEY

Guernsey passed its Data Protection (Bailwick of Guernsey) Law on May 28th 1986, which came into force on November 11th 1987. It covers physical persons and automated data in the public and private sectors. Unlike the UK, Guernsey has no Data Protection Registrar. The Advisory and Finance Committee oversees the law with the help of a Data Protection Officer, who combines this work with other responsibilities.

As Guernsey is not an EU member, it is not obliged to implement the Data Protection Directive. However, it is currently revising the law to satisfy the requirement of "adequate" protection for transborder data flows.

HONG KONG

Hong Kong passed the Personal Data (Privacy) Ordinance in August 1995. The Ordinance entered into force on 20th December 1996. It covers both automated and manual data and applies to both private and public sectors.

The Hong Kong law generally includes most of the provisions of the EU Data Protection Directive with few exceptions such as specified categories of sensitive data, which are not included.

HUNGARY

Hungary's data protection law was enacted on October 27th 1992, and was combined with freedom of information legislation giving a general right of public access to government information. The Act on the Protection of Personal Data and Disclosure of Data of Public Interest entered into force on May 1st 1993.

The Act covers automated and manual data of physical persons and has a limited registration system for some types of data. It provides for the establishment of a Parliamentary Commissioner for Data Protection and Freedom of Information who was appointed in July 1995.

As Hungary has applied for EU membership, the current data protection law is now being reviewed. An amendment was adopted in 1999, which makes a legal distinction between data controller and data processor. The European Commission is currently considering whether the Hungarian law can be regarded as providing adequate protection in terms of the EU directive's requirements for transborder data flows. The EU Data Protection Working Party is of the view that the law is adequate.

ICELAND

Iceland's Act Respecting Systematic Recording of Personal Data was passed in 1981 and came into force on January 1st 1982. It covers both automated and manual records, physical and legal persons in both public and private sectors and has a central registration system.

On 28th December 1989, the Act was amended and the new Act Concerning the Registration and Handling of Personal Data came into force in January 1990. The Act's scope is the same as the previous one's.

The current Act is under examination as a result of the European Union adopting the Data Protection Directive. The intention is to make the law equivalent to that of the EU Member States, as Iceland is an associate member.

IRELAND

Ireland's Data Protection Act was passed on July 13th 1988 and it came into force on April 19th 1989.The Act covers physical persons and automated data in both the public and private sectors.

The Department of Justice issued a consultation paper in December 1997 on implementation of the Data Protection Directive. It is expected that a Bill will be published in spring 2000, and enacted by summer 2000. The directive will be implemented through amendments to the existing 1988 Data Protection Act.

ISLE OF MAN

Isle of Man passed its Data Protection Act on July 16th 1986. The law fully entered into force on October 17th 1990. The Act is similar to the UK Data Protection Act, except that the exemptions have been widened to exclude many small businesses. Other differences include registration requirements and costs.

The Isle of Man is not a member of the EU, but it intends to update the law to reflect the requirements of the EU Data Protection Directive. A draft Bill is currently being written. It is expected that a new law will be adopted by early 2001.

ISRAEL

Israel's Protection of Privacy Law was passed in February 1981 and entered into force on September 11th 1981. It covers the processing of personal data in computer data banks. The law was amended on March 4th 1985 to regulate the transmission of information between public bodies. The law requires the holders of data banks to register.

In 1996, an amendment was adopted which included restricting registration to a narrower group of data users, and introducing a provision on direct marketing. Last year, discussions started on revising the 1981 privacy law.

ITALY

Italy adopted an Act on the Protection of Individuals and Legal Persons Regarding the Processing of Personal Data on December 31st 1996. The Act entered into force on May 8th 1997.

The law applies both to private and public sectors and automated and manual processing. In addition to personal data of individuals, it also offers protection to legal persons. Two decrees were passed in May and July 1997 on transitional provisions for notification.

Italy's law has since been amended in order to fully implement the directive. The following legislative decrees have been adopted: 51/99 establishing the Data Protection Authority, 135/99 authorising the processing of sensitive data in certain situations, 281/99 on processing historical, statistical and scientific data, and 282/99 providing further rules on the processing of sensitive data. There is also a new regulation on the minimum security requirements, which came into force on 31st March 2000.

JAPAN

Japan has privacy legislation in the public sector. The Act on Protection of Computer Processed Personal Data held by Administrative Organs was enacted on December 16th 1988 and came into force in stages from October 1st 1989 to October 1st 1990. The Act covers automated data in national government departments. It is based on several data protection principles, but contains a number of exceptions.

In March 1997, The Ministry of International Trade and Industry (MITI) issued guidelines for data processing in the private sector. The guidelines are based on the OECD Guidelines and the Council of Europe Convention number 108. A supervisory authority was established in February 1998 under MITI to monitor the adoption of the guidelines and the system of privacy protection marks. Private sector legislation is being considered, and there are bilateral talks in progress with the EU with regard to transborder flows and adequacy.

Japan adopted a Freedom of Information Act on 7th May 1999. It will enter into force in April 2001.

JERSEY

Jersey, a self-governing entity within the UK, passed a Data Protection (Jersey) Law on April 30th 1987. This is similar to the UK's Data Protection Act, covering both public and private sectors. It came into effect from November 11th 1987.

Although Jersey is not obliged to implement the EU Data Protection Directive, as it is not a member, it intends to adopt a new law, which is likely to follow the UK Data Protection Act. The adoption of a new data protection law is on this year's legislative programme. The new law is expected to be adopted by October 2001.

KOREA

South Korea has a law on the Protection of Personal Information Managed by Public Agencies. The law, which was adopted in 1994, applies to national administrative agencies, local government other public agencies and schools. The law covers automated data and protects personal information of natural persons.

LATVIA

Latvia's constitution provides its citizens with confidentiality of correspondence, telephone conversations and other communications. The country is now preparing a data protection law. It has not yet signed the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

LITHUANIA

Lithuania adoped a law on the Legal Protection of Personal Data in 1996. In April 1998, a law supplementing the Code of Administrative Offences was adopted. The law defines penalties for unlawful processing of data. The 1996 data law is currently being revised to bring it in line with the EU Data Protection Directive. The revision of the law is expected to be adopted during 2000.

Lithuania signed the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data on 11th February 2000.

LUXEMBOURG

Luxembourg's Nominal Data (Automatic Processing) Act was passed on March 31st 1979 and entered into force on October 1st 1979. The law covers the public and private sectors, automated records and legal persons, and has a central registration system. Amendments made in September/ October 1992 applied to police files and medical data. A bill implementing the EU Data Protection Directive is now ready, and awaits formal adoption.

MALAYSIA

Malaysia started to prepare a data protection bill last year. It was then expected to be submitted to Parliament by the end of 1999. The bill will cover both private and public sectors, and legal and natural persons. The drafting committee is giving consideration to the EU Data Protection Directive in order to match the requirements for adequate protection.

MALTA

Malta had been preparing a data protection bill in 1992, but failed to enact a law. Its membership application to the EU means that the country has now started to prepare a new data protection law.

MEXICO has issued a norm which defines the minimum level of data protection. However, there is no data protection bill yet.

MONACO

Monaco passed a Data Protection Law on December 23rd 1993, which entered into force on the same date. It intends to appoint a data protection commission in the future.

THE NETHERLANDS

The Netherlands Data Protection Act was adopted by the Upper House of the States General (legislature) on December 27th 1988. It entered fully into force on July 1st 1990. The Act covers physical persons and also gives legal persons some rights. It applies to both private and public sectors and automated and manual records. Comprehensive rules on the processing of sensitive data are contained in the Royal Decree on sensitive data which entered into force in June 1993.

A bill implementing the EU Data Protection Directive was adopted by the Second Chamber of the Parliament in December 1999. The First Chamber is expected to discuss the bill in spring 2000.

NEW ZEALAND

New Zealand's Privacy Act was adopted on May 17th 1993 and entered into force on July 1st of the same year. The Act repealed and consolidated the Privacy Commissioner Act of 1991 and included comprehensive new provisions.

The Act applies to both public and private sector agencies. A review of the 1993 Act, required by the Act every five years, was started in autumn 1997 by public consultation. The Commissioner's report on the review was issued in December 1998. Some of the 150 recommendations address the concerns raised by the EU Data Protection Directive.

There is no decision yet from the European Commission on whether the New Zealand law will be regarded as providing adequate protection for personal data in tranborder data flows.

NORWAY

Norway's new Data Protection Act, adopted on 7th March 2000, brings the country's data protection up to the level of the EU Data Protection Directive (Norway is not a member of the EU, but is in the European Economic Area).

At the beginning of March, it was not sure when the new law will enter into force. In the meantime, the Personal Data Registers Act of 1978 is still in force. It applies to both public and private sectors, manual and automated records and covers physical and legal persons. On October 1st 1987, the Act was strengthened regarding direct mail, telemarketing and consumer credit. A law on video surveillance in public places was passed on June 24th 1994.

POLAND

In Poland, data protection is included in the new constitution. The country adopted a Data Protection Act on 29th August 1997. The law, which has been greatly influenced by the EU Data Protection Directive, entered into force on 30th April 1998.

There are some data protection provisions in other legislation, such as the Civil Code. In April 1993, an order by the Ministry of Health on the storage of medical information, including provisions on the protection of medical data, was put into effect.

PORTUGAL adopted, on 26th October 1998, a new Data Protection Act implementing the EU Data Protection Directive. The law, which replaced the 1991 Act, entered into force on 15th October 1998. It applies to natural persons, and both to automated and manual processing of personal data.

In order to implement the EU Data Protection Directive, the Portuguese Constitution was amended in 1997 to include the principle of data protection.

ROMANIA

Romania has signed the Council of Europe Convention 108 and the Parliament is in the process of analysing the proposed changes to the 1992 bill to bring it in line with the EU Data Protection Directive's provisions.

RUSSIAN FEDERATION

The Russian Federation passed The Law of the Russian Federation on Information, Informatisation and Information Protection in January 1995. Although not strictly data protection legislation, it contains many data protection, as well as freedom of information, provisions. The law has several provisions, such as a licensing system, the rights of individuals, duties of the "holder of information" and data security. Its structure does not follow that of the European data protection laws and many of its provisions are drafted in wide terms requiring further statutory regulation.

SINGAPORE

Singapore's National Internet Advisory Committee proposed, in 1998, an Electronic Commerce Consumer Protection Code, which establishes rules on conducting business over the Internet. It is proposed that service providers should take steps to ensure the confidentiality of personal data. The voluntary code would also limit the collection of personal data.

SLOVAKIA

In 1995, a draft of the Law on Personal Data Protection in Information Systems was prepared with the help of an expert group from the Council of Europe. The law was adopted in February 1998. The law, which covers both automated and manual data, follows closely the provisions of the EU Data Protection Directive.

SLOVENIA

Slovenia's first Personal Data Protection Act was passed in March 1990. On the recommendation of an expert group of the Council of Europe given in April 1994, a new proposal for legislation was prepared. The new law, adopted in 1999, aims to match the provisions of the EU Data Protection Directive. There is no independent supervisory authority yet.

SOUTH AFRICA

South Africa adopted, on 4th February 2000, a law which gives consumers the right to access their personal data held by public or private sector organisations.

The Promotion of Access to Information Act 2000 applies to all records regardless of when they were created. Organisations are entitled to charge a fee, and the requested information needs to be provided within 30 days.

The country's constitution was amended in 1996 to include the right of access to personal information. The Promotion of Access to Information Act is a result of lengthy discussions, and has its origins in the Open Democracy Bill of 1998.

SPAIN

Spain's new data protection law (15/1999), published on 13th December 1999, entered into force on 14th January 2000. The law implements the provisions of the EU Data Protection Directive into Spanish law, and repeals the Data Protection Act 1992.

The new law applies to both private and public sectors, and extends the scope of the law to manual records. It includes a general notification requirement. Transfers to countries that do not afford a comparable level of protection to that provided by the Act have to be notified to the Data Protection Commissioner.

SWEDEN

Sweden adopted a new law in April 1998 to implement the EU Data Protection Directive. The law, which replaces the 1973 law, came into force on 25th October 1998. There is a transitional period for processing already under way until 30th September 2001, and for manual data until 1st October 2007.

The framework law has been amended by secondary legislation, for example rules on notification. The Personal Data Ordinance (1998:1191), adopted on 3rd September 1998, prescribes exemptions to notification. This regulation entered into force at the same time as the Act on 25th October 1998.

SWITZERLAND

Switzerland adopted a Federal Law on Data Protection in June 1992, which entered into force in July 1993. The Ordinance on the Federal Law on Data Protection was passed in June 1993. The Ordinance contains more detailed provisions on the rights of access, registration requirements, transfers of data abroad and data security requirements.

The Swiss law applies to the processing of personal data both by public and private sectors and covers both automated and manual data. The Act is not restricted to the protection of personal information on individuals, but extends the protection also to legal persons.

The Telecommunications Act has been amended so that telecommunications are now subject to the data protection provisions relating to the private sector.

TAIWAN

Taiwan adopted the Computer- Processed Personal Data Protection Law in August 1995. The Enforcement Rules, containing more detailed and interpretative provisions, were adopted by the Ministry of Justice in May 1996. Both the Law and the Enforcement Rules entered into force on the respective dates they were adopted.

The Law applies to automated processing of personal data by the public sector and some areas of the private sector.

THAILAND

Thailand adopted, in 1997, the Official Information Act (B.E 2540). The law, in force since 9th December 1997, provides individuals with a right of access to Government information. The law also allows individuals to have inaccurate personal data corrected. The administration is now considering extending the scope of the law to the private sector.

TURKEY

Turkey had, in 1999, a draft data protection law, which covered both private and public sectors, and natural and legal persons. The bill incorporates the main principles of the OECD guidelines and the Council of Europe Convention 108, and establishes an independent Data Protection Authority. It was expected that the bill will be presented to the National Assembly during 1999.

UNITED KINGDOM

The United Kingdom adopted a new Data Protection Act in July 1998. It implements the EU Data Protection Directive, and replaces the 1984 Act. The Act entered into force, together with the supporting secondary legislation, on 1st March 2000.

The new law covers manual records for the first time. There are wide exemptions from the general notification requirement.

A Human Rights Act, which incorporates into UK law the Council of Europe Convention on Human Rights and Fundamental Freedoms, was adopted in November 1998. It will enter into force on 2nd October 2000. In addition, the Freedom of Information Bill is now in Parliament.

UNITED STATES

The United States has numerous pieces of Federal and State legislation as opposed to a nation-wide data protection law. In 1974, the Privacy Act, applicable only to the Federal Government, was passed. Several states, such as New York and California, have similar laws covering individuals' access to records held by state agencies. All US states have some data protection legislation, but the level varies greatly from one state to another.

There is also sectoral federal data protection legislation, such as the Cable Communications Policy Act (1984), the Electronic Communications Privacy Act (1986), the Video Privacy Protection Act (1988), the US Computer Matching and Privacy Protection Act (1988), the Automated Telephone Consumer Protection Act (1991), the Communications Assistance for Law Enforcement Act (1994), and the Identity Theft and Assumption Deterrence Act (1998). There are a number of legislative proposals on specific issues at both federal and state level.

We welcome readers’ comments, additions and suggestions for amendments. For more information on specific countries, see the 1987-1999 newsletter index, which gives references

to reports published in previous newsletters by country and subject. The index was sent to subscribers with the February 2000 newsletter. It is also available on request from our

office, and on the Internet at www.privacylaws.com. This roundup is protected by copyright.

It is available as a separate publication from our office, price £100 (also available to order at

http://www.privacylaws.com).


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/PLBIRp/2000/13.html