By Thomas Monson and Nick Wells
Compliance with emerging worldwide data privacy legislation continues to pose challenges, particularly for organizations operating in multiple foreign jurisdictions.
Uruguay
Uruguay recently enacted new data privacy legislation aimed at protecting personal data held by commercial entities. Law 17.838 regulates the personal data processing activities of commercial entities operating in Uruguay, in some ways mirroring the European Union’s restrictions on processing of personal data. However, the Uruguayan law imposes no restrictions on movement of personal data outside of the country, as do many other nations’ data privacy statutes.
Uruguay’s new law also grants specific rights to those whose personal data is collected by any organization, mandating that individuals shall have the right to review any information collected about them, to provide new information or update mistaken information, and to have personal data removed from an organization’s records or database under certain circumstances.
Regulations intended to provide additional guidance on complying with the new Uruguayan law are scheduled for release by April 1, 2005.
Asia
In Asia, several new data privacy laws are being considered.
The Supreme Court of India recently suggested that the Indian Parliament toughen existing legislation, restricting the use of personal data for marketing purposes. The Parliament continues to work on broader data privacy legislation modeled on the United Kingdom’s Data Protection Act. An Indian data protection act was expected in 2004, but has not yet been enacted.
The Republic of Korea recently enacted the Act on Promotion of Information and Communication Network Utilization and Information Protection, which includes numerous additional provisions controlling collection and processing of personal data by firms involved in the telecommunications industries (including those related to the Internet). The Korean Ministry of Information and Communication is also preparing more comprehensive legislation aimed at regulating broader sectors of the Korean economy. Currently, the effect on organizations doing business in Korea is less pronounced because Korea does not generally limit the transfer of personal information outside the country.
Pressure continues to build in many other countries worldwide for additional restrictions on the use of personal information for commercial, governmental, or other purposes. To the extent that new legislation will mirror the European Union model, firms operating internationally may anticipate significant administrative burdens, even those whose operations originate in countries having minimally restrictive data protection laws, such as the United States. For example, concerns over civil rights and foreign trade with the European Union have prompted the Philippines’ Information Technology and E-Commerce Council to begin drafting of a data privacy law similar to restrictive EU data protection laws.
United States
Data privacy issues increasingly affect businesses operating in the United States. In February, 2005, ChoicePoint, Inc., headquartered in Alpharetta, Georgia, discovered that hackers had downloaded personal information for as many as 35,000 California residents. As required under a 2003 California law, CheckPoint notified all affected individuals that their personal data may have been compromised. The fact that CheckPoint has not notified customers in other states may result in pressure to adopt similar laws in other states and at the federal level. United States Senator Diane Feinstein continues to promote passage of her Notification of Risk to Personal Data Act, which would impose notification duties after a theft or hacking of personal data, similar to California’s Senate Bill 1386.
For additional information please contact Tom Monson at tmonson@kmclaw.com or Nick Wells at nwells@kmclaw.com.