This Week in Privacy: 6 December 2021
December 06, 2021
UAE: UAE enacts new Federal Law on Protection of Personal Data as part of legislative reform package
The UAE Cabinet announced that it had enacted its Federal Law on the Protection of Personal Data.
Key features of the Law include:
- data controller obligations, including impact assessments, breach notification, data protection officer appointments ('DPO'), and maintenance of data processing records.
- data processor obligations including requirements regarding the relationships with data controllers;
- principles for the lawful processing of personal data;
- a requirement of consent for lawful processing of personal data and instances where consent shall not be required;
- data subject rights; and
- cross border data transfers.
The Law will enter into effect on 2 January 2022 and provides for an implementation period of 12 months.
Read more here.
EU: Council and Parliament reach agreement on Data Governance Act
The Council of the European Union announced that it had reached a provisional agreement with the European Parliament on the Data Governance Act.
The Council highlighted that the DGA will set up robust mechanisms to facilitate the reuse of certain categories of protected public sector data, increase trust in data intermediation services, and foster data altruism across the EU. With respect to transfers of non-personal data, the European Commission may adopt adequacy decisions similar to those relating to personal data under the GDPR.
The provisional agreement will now be submitted to the Council's Permanent Representatives Committee for endorsement.
Once the DGA has been adopted, its provision will become applicable 15 months after its entry into force.
Read more here.
Shanghai: Municipal Congress adopts Shanghai Data Regulations
The Shanghai Municipal People's Government announced that the Shanghai Data Regulations had been adopted.
The regulations clarify that they were developed in accordance with the Data Security Law, the Personal Information Protection Law, as well as other laws and outline terms and requirements in relation to data processing, data security, and public data. The regulations also address the processing of biometric data. Supervisory authorities are provided with powers to file a lawsuit where personal information is handled in violation of these regulations.
The regulations will enter into effect on 1 January 2022.
Read more here.