The Austrian Data Protection Authority (DPA) recently published its first decision on retention periods following the enactment of the General Data Protection Regulation. The decision is final. The DPA had to decide how long a telecoms service provider must retain so-called 'master data' – that is, data required for the controller's legal relationship with the users of its services.
Companies regularly store information about their customers, clients, employees, investors, partners and vendors. Privacy and data security are therefore important aspects of most M&A transactions. Although the risk of non-compliance with privacy laws may result in severe negative consequences, many M&A agreements still lack adequate privacy-related representations and warranties.
Members of Parliament recently filed an application to amend the Data Protection Act 2018 in order to clarify certain aspects which have led to confusion over the past couple of months. In addition to several provisions relating to competence, the proposed act, among other things, contains a rephrased version of the fundamental right to data protection, introduces the mandatory appointment of data protection officers and suggests enabling the matching of images with explicit consent.
Approximately one year before the General Data Protection Regulation comes fully into force, the Austrian legislature has officially started a six-week consultation process for the national Data Protection Amendment Act 2018. Whether and to what extent the legislature will make use of the competencies provided for by the 'opening clauses' in the General Data Protection Regulation is highly relevant to companies, and the amendment act has answered this question.
A draft law amending the Federal Act against Unfair Competition 1984 and the Price Labelling Act was recently published for public consultation. The draft law intends to introduce a ban on most-favoured nation clauses in contracts between online travel agencies and hotel operators. Commercially, the draft law puts online travel agencies' business model at risk and may even deter innovation and investments beyond this niche industry.
The Personal Information Protection Act (PIPA) was introduced to regulate and protect the use of personal information and embodies eight core privacy principles which are internationally recognised and accepted. As with the PIPA, the General Data Protection Regulation (GDPR) was enacted to govern the use of personal information and data. Bermuda companies should seek legal advice to determine whether the GDPR applies to their operations and, if so, how.
The president recently approved, with a partial veto, the Project for a General Law regarding Data Protection. The law will regulate the processing of personal data in Brazil. Even though this adaptation may be costly and time consuming, the enforcement of the law is expected to guarantee greater protection of personal data, increasing confidence in Brazil's economic environment.
The European Union's legal framework for e-signatures recently came into effect via the eIDAS Regulation. The British Virgin Islands was one of the first jurisdictions to recognise the validity of e-signatures and electronic records. Along with other BVI statutory developments, the BVI Electronic Transactions Act 2001 provides flexibility in cross-border transactions involving BVI companies.
The Ministry of Industry and Information Technology recently released its Notification on the Network Security Inspection of the Telecom and Internet Industry in 2018. According to the notification, the inspection will cover the networks and systems established and operated by, among other players, internet enterprises and domain name registration administration and service organisations licensed by telecoms regulators.
The Ministry of Public Security recently launched a nationwide security inspection and correction campaign regarding Big Data applications in China. This campaign is one of a series of network security inspection projects which target key information systems, critical information infrastructure and Big Data. The Big Data campaign focuses on the level of supervision, security and protection afforded in the collection, storage, application, transfer and destruction of such data.
The National Information Security Standardisation Technical Committee recently released the Information Security Technology – Guide to the Personal Information Security Impact Assessment (Draft for Comment). The guide provides direction on the personal information specification and stipulates the basic concepts, framework, methods and procedures regarding personal information security impact assessments.
The State Internet Information Office recently released the Digital China Construction and Development Report (2017), laying a foundation for further enhancing China's network security protection capabilities. The report urges China to, among other things, establish a 'correct' view of cybersecurity, strengthen the top-level design of its network security and improve its network security laws and regulations.
The EU General Data Protection Regulation (GDPR) recently came into force, with an impact on a global scale. On the same day, the secretariat of the National Information Security Standardisation Technical Committee published the Network Security Practice Guidelines: EU GDPR Key Issues, setting out some key areas of the GDPR which Chinese companies should account for in their practices.