This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.

The EU and US Seek to Close a Transatlantic Data Flow Deal That Protects EU Data From US Intelligence Agencies


Type: Development
Effective Date: September 17, 2021

Summary: A new transatlantic data flow deal between the European Union and the United States is currently being worked on by representatives in Brussels and Washington, respectively. The deal aims to better protect the privacy of EU citizens by limiting what US intelligence agencies are allowed to do with the data as it flows into the United States. Currently, there appears to be a differing of opinions regarding how close the two parties are to making a deal. According to negotiators in Washington, the two parties are very close to making a deal, whereas negotiators in Brussels have expressed that they are not close to making a deal.

Analyst Perspective: The European Union previously stated that it intends to keep discussion of this transatlantic data flow deal separate from the first EU-US Trade and Technology Council, which took place in late September, because the deal concerns EU citizens' rights. Washington, however, appears eager to reach a deal with Brussels, since the organizations that the deal would cover are already being harmed by the absence of one. It is therefore possible that Washington's claim that a deal is close was intended to apply pressure and fast-track the discussions.

Analyst: Ian Mulholland, Research Director – Security, Privacy, Risk, and Compliance


Québec Adopts Bill 64


Type: Regulation
Effective Date: September 22, 2021

Summary: The Québec National Assembly adopted Bill 64, An Act to modernize legislative provisions as regards the protection of personal information. The Act requires the private sector to improve their privacy governance, breach reporting, and data processing and handling. Organizations must appoint a privacy officer, conduct mandatory privacy impact assessments, and obtain express consent to use sensitive personal information. The Act also creates enhanced consent and transparency obligations that require organizations to communicate their privacy policy, the purpose and means of information collection, and an individual’s rights to access and rectify information and withdraw consent. The Act will enforce these provisions through administrative monetary penalties of up to $10 million and penal offences of up to $25 million.

Analyst Perspective: Organizations that fall within the scope of the Act should work with business units to understand what personal data they collect and why. Next, they should build a data privacy program that identifies and evaluates gaps in their privacy framework and prioritizes initiatives to meet the new requirements. Québec takes the view that its privacy legislation applies to all collection of personal information in Québec, which makes the Act relevant beyond its borders. It introduces new standards for individual privacy rights that set a precedent in Canadian privacy law, but some of the changes the Act will bring have been common practice for many years.

Analyst: Michel Hébert, Research Director – Security, Privacy, Risk, and Compliance


CNIL Offers a Maturity Self-Assessment in Data Protection Management


Type: Guidance
Announcement Date: September 9, 2021

Summary: The French data protection authority, CNIL, proposes a self-assessment of maturity in data protection management. It transposes the maturity levels defined in international standards to data protection management, allowing organizations to assess their own level of maturity and determine how to improve their management of data protection. The Maturity in Data Protection Management and Compliance model addresses two complementary concepts. First, maturity represents the formalism with which data protection activities are managed: while compliance applies to each individual processing of personal data, maturity applies to the activities the organization manages across all the processing it implements. Second, the maturity levels transpose the definitions in international standards to data protection management. The draft model describes eight typical data protection activities across five maturity levels.

Analyst Perspective: Incorporate CNIL’s self-assessment maturity model into your existing privacy program if feasible. The data protection management maturity model will help organizations assess their own level of maturity and determine how to improve their data protection management. It also supports creating an action plan to bridge the gaps between current practice and the level each organization targets. This approach gives organizations a clear and concise way to establish a better data protection posture. It is important to stress that this methodology is not intended to ensure compliance; it is an analysis tool that can help set up favorable conditions for organizing the required actions and make them more sustainable.

Analyst: Petar Hristov, Research Director – Security, Privacy, Risk, and Compliance


China Passes the Personal Information Protection Law (PIPL)


Type: Regulation
Effective Date: November 1, 2021

Summary: The Personal Information Protection Law (PIPL) was formally passed on Aug. 20, 2021, and will become effective on Nov. 1, 2021. The PIPL is considered one of the strictest data privacy laws in the world. Together with the Cybersecurity Law and the Data Security Law, the PIPL forms a cornerstone that will govern China’s data protection practices for decades to come. The PIPL consists of eight chapters and lays out general provisions, personal information processing rules, individuals’ rights, processors’ obligations, and more. Although the PIPL is similar to the EU GDPR to a certain extent, it differs from the GDPR in several areas. For instance, unlike the GDPR, the PIPL does not provide “legitimate interests” as a lawful basis for processing personal information. The GDPR does not require data localization; the PIPL, however, deliberately articulates that critical information infrastructure operators, and personal information processors whose processing volume reaches the threshold prescribed by the national cybersecurity and informatization department, shall store personal information within China.

Analyst Perspective: Organizations that operate in China or have subsidiaries or offices in China need to start the compliance journey immediately by implementing a structured privacy program. From a compliance obligation perspective, China’s PIPL is essentially similar to the EU GDPR. If you are currently compliant with the EU GDPR, you should be confident that you can handle the China PIPL without significant changes to your privacy program. If your organization does not yet have a structured privacy program in place, you need to consider implementing the following core privacy controls: designating a person in charge of personal information protection, establishing policies and procedures, classifying your personal information, conducting awareness training, implementing security controls, and performing personal information impact assessments.

Analyst: Alan Tang, Principal Research Director – Security, Privacy, Risk & Compliance


Changes to the International Data-Transfer Rules in Uruguay


Type: Development
Announcement Date: June 8, 2021

Summary: Uruguay’s data protection authority (Unidad Reguladora y de Control de Datos Personales) has moved to an international data-transfer scheme in which certain territories are preapproved, eliminating the need for prior data-transfer authorization. Notably absent from this list is the United States, meaning that American organizations will need to secure data transfer contractually within six months of the announcement.

Analyst Perspective: Keep an eye on Latin America. These developments in Uruguay, together with Brazil’s LGPD coming into effect, may encourage other governments to update their data protection laws, creating a series of new challenges for organizations with dealings in Latin America. The new regulations might impose stricter data protection obligations on organizations, including enhanced accountability and transparency, more restrictive cross-border data transfer and disclosure rules, and additional security controls.

Analyst: Logan Rohde, Senior Research Analyst – Security, Risk, and Compliance


If you have a question or would like to receive these monthly briefings via email, submit a request here.


Search Code: 87193
Published: December 11, 2018
Last Revised: October 15, 2021
