PL&B International

ANALYSIS

o`bm=Ó= ^k ^pb^kH=qmm\ the fact that the US is not involved in Privacy Scholars Network (APSN), The Regional Comprehensive RCEP, unlike the TPP, will produce a now with over 110 members, 29 many Economic Partnership (RCEP), is a better result for privacy. of whom are from ASEAN countries. trade agreement covering ten members Founded in 2010, APSN will hold its of ASEAN and six partner countries – lqebo obdflk^i sixth conference in Hong Kong in China, India, Japan, Australia, New absbilmjbkqp September 2017. Zealand and South Korea. RCEP is the ASEAN and the broader Asian region most likely successor to the defunct have a number of active multinational `lk`irpflkp Trans-Pacific Partnership (TPP), which business and NGO initiatives Data privacy developments in ASEAN posed great dangers to all data privacy concerning data privacy. continue to move significantly forward laws through its prohibitions on both The Asian Business Law Institute in the Philippines, Indonesia and personal data export limitations and (ABLI), an initiative of the Singapore Singapore, influenced mainly by data localisation requirements 25 . Academy of Law, was launched in Janu - domestic rather than international Whether RCEP contains similar ary 2017. 28 ABLI has initiated a multi- factors. But in the region as a whole, restrictions, or anything else affecting stakeholder project on the convergence data privacy is still moving at two data privacy, is not certain because of of data privacy laws in Asia, and prob - speeds toward the 2025 ASEAN the secrecy surrounding drafts and lems resulting from their considerable Economic Community (AEC) goals. It negotiations, 26 but the most recent heterogeneity at present. It is organiz - is possible that either AEC or RCEP leaked version of the draft chapter on ing an experts’ network which will first could have a strong regional influence Trade in Services (August 2015) 27 does address the harmonisation of the regu - in future years, but there is no sign of not include any provisions concerning lation of international data transfers. that as yet. Nor are there any these matters. The 18th round of Academics and NGO representa - convincing signs that APEC CBPRs negotiations were held in the tives in the broader Asian region have will be significant. Philippines on 2-12 May 2017. Perhaps successfully established the Asian

Social acceptance is key in

eThex infeormratcionials soicnial cgont ratcth, ore soc iarl liicgenshe fotr thteo trea tmpenrt oifv pearsoncal y information, needs to be clarified in a new social, economic, security and technological context to protect privacy. By Chantal Bernier of Dentons’ Global Privacy and Cybersecurity Group. ocial License to Operate, or SLO, democratic society. Negotiating this bargain is perhaps the refers to the social acceptability a While the right to privacy is a fun - most pressing public and organizational business enjoys to function. It is damental, universal right, immutable policy issue of our times. As the social Smost germane to the mining sector. In and unalienable, its modalities of exer - contract is renegotiated, information that context, SLO is usually contingent cise are a social construct. Throughout policy will become its most critical fea - upon public consultations, benefit shar - centuries and cultures, social mores ture. No member of society – corporate ing and impact assessment. The critical have evolved as to what is acceptable to executive, public leader or ordinary difference between SLO and ethics is reveal or query. When Mark Zucker - citizen – can escape its impact.” 1 that an ethical stance is self-proclaimed. berg pronounced in 2010 that “Privacy Hence, compliance with privacy law SLO is bestowed or withdrawn. is no longer a social norm”, he was con - must be guided by seeking fairness of Applying it to privacy law pursues tradicted on the assertion, but no one digital dividend and social acceptance in three objectives: i) to create a common contested his reference point: social exercising the right to privacy. ground for regulators and organizations acceptance as legitimacy for the applica - The tech giants have understood to interpret privacy law in a socially rel - tion of the right to privacy. that and we have seen them struggle for evant and therefore effective manner, In “Forming the Social Contract for SLO particularly since the Snowden grounded in the expectation of privacy; the Information Society”, Richard revelations: in December 2013 eight ii) to recognize that, since personal Mason lays the ground for an SLO lens tech giants wrote an open letter to Pres - information is the currency of the digi - on privacy: ident Obama calling for an urgent tal economy and the material of public “The modern social contract is review of surveillance methods, distanc - policy, users are “funders” and there - based on an emerging Faustian bargain ing themselves from the NSA’s indiscre - fore the arbiters of legitimacy in privacy in information. In return for the knowl - tions; more and more telcos are volun - law; and iii) to meet the test of human edge and pleasure that new information tarily issuing transparency reports on rights law to limit privacy only as provides us there are important new the number of law enforcement access demonstrably justified in a free and human costs which must be paid. requests they receive, hence re-directing

social opprobrium to the “requesters”; • User concern about the protection share. Their accountability there - in the Microsoft Ireland case 2, the com - of personal privacy has increased fore includes understanding the pri - pany stood up to the US Government from 42 percent in 2012, 52 percent vacy implications of sharing infor - on the extraterritorial reach of warrant in 2014, to 57 percent in 2016 (Office mation on digital platforms and access to personal information; 3 and of the Privacy Commissioner of exercising the corresponding who can forget Apple staring down the Canada, OPC, 2016 Survey of Cana - controls. FBI on personal data encryption, with dians on Privacy). That is the realistic model for the support of several companies, on People are, at the same time, mas - accountability for compliance, taking access to the iPhone owned by the San sively enjoying digital dividends and into account social realities. The Euro - Bernardino couple responsible for a ter - increasingly overwhelmed by the com - pean Data Protection Supervisor uses rorist attack on December 2, 2015. plexity of digital technology. This cre - an environmental analogy by referring More recently, WhatsApp, owned by ates an imbalance of power between to a “big data protection ecosystem” 4 to Facebook, announced end-to end organizations and users, whether in insist upon a multi-level approach of encryption on its app, standing up pub - government or business, that calls for an coordinated action according to reality licly to the Brazilian authorities in 2016 architecture of mediated accountability. of control. and meeting the wrath of the United This mediated accountability is An SLO approach makes the DPAs Kingdom government after the London structured around the sphere of control mediators of accountability on behalf of attack in February 2017. of each actor. In other words, each actor users. This is necessary to correct the Without discounting the genuine is accountable for the privacy protec - growing power imbalance between commitment of these companies, it is tion that is within its control: users and organizations in view of the fair to assume that all had their sights on • Governments are in control of the complexity and invisibility of the Inter - SLO. legislative framework, public policy, net operating systems. Perhaps the most telling sign of a law and order, and public good; shift towards SLO as the test for pri - consequently, they are accountable qeb l_ifd^qflk ql fabkqfcv vacy compliance and enforcement is the for effective legislative regimes to mromlpbp Ó= fk ^ cbt tloap 2016 call by both Apple’s CEO Tim protect privacy, including establish - Again, taking a picture of relevant Cook and then Director of the FBI ing an independent and effective social trends and social acceptance will James Comey for a legislative and socie - Data Protection Authority (DPA) guide interpretation or modernization tal debate about the issue of law and public education about privacy of the law on this point: enforcement access to personal data. rights and recourses. • Since 2014, mobile has exceeded PC Calling it a “societal issue”. It was their • DPAs are in control of ensuring Internet usage – hence, identifying one point of agreement: the informa - compliance with the legislation; purposes has to occur on a small tional social contract, or social license hence, they are accountable for exer - screen, within a short time. for the treatment of personal informa - cising their powers to hold organi - • The issue has been addressed for tion, needs to be clarified in a new zations accountable on behalf of some time as in the OPC, British social, economic, security and techno - individuals, monitoring organiza - Columbia OIPC and Alberta logical context to protect privacy. tions to exercise the due diligence OIPC 2012 guidance ‘Seizing So how does this point to the future that users do not have the capability Opportunity: Good Privacy Prac - of privacy regulation? This is how the of applying, and informing the tices for Developing Mobile Apps’; Fair Information Protection Principles public to guide them in their privacy the challenge is defined as “convey - could be applied through an SLO lens. choices and assist them in protecting ing meaningful information about their rights. privacy choices (…) with a small ^``lrkq^_fifqv W=a b c^`ql • Organizations are in control of pri - screen and intermittent user afpbjmltbojbkq lc rpbop vacy protective management of the attention.” User behaviour surveys tell us that users personal information in their cus - • Intermittent user attention may by themselves are too overwhelmed by tody. Consequently, their accounta - explain why 58 percent of the the complexity of information bility therefore includes complying respondents to the OPC 2016 Pri - technology (IT) to hold organizations with relevant legal requirements, vacy survey answered that they did accountable. We all have read the demonstrating such compliance, not read privacy polices before statistics that, frankly, are repetitive: informing users of risks and protec - downloading an app. • 52 percent of Americans online do tive measures on their platforms and • And yet, 82 percent of the respon - not fully understand what a privacy providing proper privacy controls dents expressed at least some con - policy is (Pew Research Center for users to implement their risk cern about privacy and reputation, 2014) – these same people trust that management choices, including particularly in relation to postings privacy policies reflect that the per - ready access by users, erasure or and photos. sonal information they provide to an correction to ensure accuracy and A social picture emerges from these organization will be held secure. effective remedies as needed. statistics: privacy policies need to be • Only 16 percent of users read pri - • Individuals are in control of the IT relegated to the background because vacy policies (Global Internet User platform and privacy settings they they have no real social relevance; and Survey 2012). choose, and the information they the essence of their content must move

to a pop up with a Privacy Policy link reasonable to expect an individual to ^``ro^`v I= ^``bpp ^ka and consent button, at the user’s choice. understand before providing consent. objbafbp This addresses the transparency para - This entails applying a deferential lens The right to accurate personal dox where the more information an to user choices. Provided all the infor - information is most challenged in the organization provides about its privacy mation is accessible to base valid con - digital economy with respect to the policies, the less users read. sent, that user controls are sufficient to permanence of the Internet, where it Based on social acceptance, we exercise it, and that DPAs have the lasts long past the accuracy of personal know that users do not want their resources to monitor its compliance, information, and with respect to information used for purposes other user consent alone provides legitimacy profiling through algorithms that may than the ones they bargained for. But of collection, use and sharing of per - draw a very detailed, possibly we also know that they do not read pri - sonal information. It does not mean inaccurate, profile of a user. vacy policies because they simply do anything goes with consent. But it does The internationally coordinated not fit the Internet environment. An mean that anything goes with informed investigation of Global 24h, where the SLO approach would entail that: i) pri - consent, commensurate user control site was deliberately posting embarrass - vacy information be written as a warn - and regulatory oversight. With SLO, ing legal information about individuals, ing before going further; ii) the user there is no second guessing the user, or is illustrative of addressing an issue on have just enough information to exer - judgment of what is reasonable to the basis of social acceptance. The OPC cise a choice but, iii) with an option to consent to. Report of Findings relied upon the learn more. Going back to accountabil - Model Policy for Access to Records in ity, this quick identification of pur - ifjfqfkd `liib`qflk I= rpb I Canada (Policy), developed by the poses and consent would be buttressed obqbkqflk ^ka afp`ilprob Judges’ Technology Advisory Commit - by increased monitoring by DPAs. Again, grounding our analysis on social tee of the Canadian Judicial Council acceptance, surveys will serve as our (CJC) following public consultations `lkpbkq proxy to define it with respect to the where consensus was found as follows: Again, thanks to the 2016 OPC legitimate limits of collection, retention • Permitting unrestricted e-access to Privacy Survey, we know that 48 and disclosure. These are the relevant court documents may be harmful; percent of respondents felt they have results of the 2016 survey of the US • Bulk search of electronic court doc - lost control over the collection of their National Telecommunications and uments by the public should not be personal information by organizations. Information Administration (NTIA): permitted; The most recent survey of the Pew • 23 percent backed away from • Where public access is allowed, Research Center buttresses the online activity due to unwanted information should be de-identified; importance of control: data collection by online services; • Data-mining of electronic court • 74 percent say it is “very impor - and documents should be prohibited; tant” to them that they are in con - • 22 percent did the same for fear of and trol of who can get information loss of control over the use of their • Remote public access to all court about them; and personal data. records is not desirable 6. • 65 percent say it is “very impor - The NTIA drew this conclusion The public consultation by the CJC tant” to them to control what infor - from its survey that directs us to an infers that a permanent posting on the mation is collected about them. SLO approach: Internet, beyond its relevance, is inac - Autonomous collection of personal “It is clear that policymakers need curate and socially unacceptable. information (e.g. beacons and geoloca - to develop a better understanding of The other new privacy risk of the tion) gives reason for concern. In this mistrust in the privacy and security of Internet relevant here is profiling for context, the notion of consent appears the Internet and the resulting chilling advertising. It occurs and yet may be essentially set aside. And yet, that effects.” 5 accurate or not, accessible or not, and would be socially unacceptable. Since It is fair to extend this comment to remediable or not. The Economist the right to privacy is the right to deter - all organizations: collection, use, reten - reflects social consensus with an article mine what will be disclosed about us, tion and disclosure of personal infor - on advertising and technology entitled consent is of the essence of privacy. We mation should be guided by concern ‘Stalkers Inc’ 7. The article refers to that either consent individually — for for user benefit and control, albeit at social consensus: example when we download an app or the expense of corporate objectives. “Relevant ads are probably more buy on line — or collectively when we The three tenets of SLO – public con - useful to consumers than irrelevant accept the collection of personal infor - sultation, benefit sharing and impact ones. But any business based on covert mation for the greater good — for assessment – apply here. The idea is to surveillance is vulnerable to a back - example when we file our income tax or increase consideration of social accept - lash.” participate in a medical research trial. ance as a decisional factor in the collec - SLO would be met with the broad - An SLO approach elevates the tion, use, retention and disclosure of ening of existing mechanisms that pro - notion of consent from strictly individ - personal information for both organi - vide ready access to a profile (for e.g. ual to collective: social acceptance, or zations in determining their practices, Google Ad Preferences), and direct adherence to an informational social and regulators in assessing compliance access to correction and elimination. contract, creates a context for what is with privacy law. This requires organizations to alert

users to the constitution of a profile responded to the breach may have, in protect privacy not as a mere regulatory with implied consent for non-sensitive fact, enhanced its SLO rather than framework but as a matter of social personal information and low expecta - reduced it. responsibility as trustees of users’ per - tion of privacy, or with express consent In contrast, in the AFF breach in sonal information. for sensitive information in a context of 2015, experts found evidence of lacks in Regulators ensure compliance with high expectation of privacy with ready safeguarding with inadequate cyberse - privacy law on behalf of users, not in access to consult, correct and challenge curity. Users were offended by its place of them, which means taking into as the case may be. delayed response to the breach. Risk to account the dynamics of social accept - SLO was directly raised by David v ance rather than only the static rules of p^cbdr^oap Forte: privacy law in a formal, bureaucratic In the last NTIA survey, mentioned “How can a company salvage or manner. above, 45 percent responded that maintain the trust of its customers after privacy and security concerns deterred so easily losing the private information them from performing at least one of 3.5 million accounts; let alone against common online activity over the supposedly a single hacker operating previous year such as financial out of a small, foreign country across transactions and purchasing goods or the world? Consumers may see this as a services. The reality of incessant and lack of interest in the safety of their per - virulent attacks has impacts on social sonal information.” 8 scrutiny of organizations. While every The two examples show that an breach creates an uproar and financial SLO approach to safeguards refocuses AUTHOR loss (an average of $4M per breach the obligation from outcome to dili - Chantal Bernier is Counsel at Dentons’ according to Forbes 2017), SLO is only gence. Consequently, organizations Global Privacy and Cybersecurity Group, lost upon evidence of negligence in must continue to address 100 percent of and former Interim Privacy Commissioner safeguarding the information or in identifiable risks and document them, of Canada. responding to the breach. By way of and regulators need to focus on due Email: [email protected] example, that made the difference diligence in prevention and response between the LinkedIn and the rather than impact of breach. INFORMATION AdultFriendFinder (AFF) breaches. The LinkedIn breach occurred in `lk`irpflk W=^ mmivfkd pil © 2016 Dentons. Dentons is a global legal practice providing client services June of 2012. LinkedIn immediately ibkp ql mofs^`v i^t worldwide through its member firms and notified the public, users and regulators, Organizations and regulators have a affiliates. This publication is not designed and remedied the situation. It common ground to apply privacy law: to provide legal or other advice and you responded with demonstrable care for social acceptance. It puts the power should not take, or refrain from taking, users’ data, integrity and transparency. where the right to privacy bestows it: action based on its content. Dentons Canada LLP. Please see dentons.com for It has doubled its users since then, with the user, not the letter of the law. Legal Notices. showing that the diligence with which it Organizations, private or public,

REFERENCES 1 Mason, Richard O, Forming the Social 160922-019B.) chissues_Synthesis_2005_en.pdf , Contract for the Information Society, 4 Opinion 4/2015 Towards a New Digital 7 September 11, 2014 at (1980) ICIS 1980, Proceedings, 17, Ethics p.9 www.economist.com/news/leaders/216 aisel.aisnet.org/icis1980/17/ 5 Rafi Goldberg, Lack of Trust in Internet 16953-surveillance-advertising- 2 Microsoft v. United States , No. 14-2985 Privacy and Security May Deter industrys-new-business-model-privacy- (2d Cir. 2016) Economic and Other Online Activities, needs-better 3 Microsoft Corp. v. The U.S. Department NTIA Office of Policy Analysis and 8 www.linkedin.com/pulse/impact-adult- of Justice, et al. , No. 2:16-cv-00538, Development May 13, 2016. friend-finders-data-breach-dario-v-forte W.D. Wash.). (Opposition to dismissal 6 https://www.cjc- motion available. Document #97- ccm.gc.ca/cmslib/general/news_pub_te

Finland’s GDPR implementation delayed The working group under the Ministry from making changes at the national derogations allowed for in the GDPR. of Justice preparing an implementation level when implementing EU legislation. Bill on the GDPR has reported that it In this case, however, the working group • See (in Finnish) oikeusministerio.fi/ has not met its deadline of 31 May 2017 says it needs to identify whether there is fi/index/valmisteilla/lakihankkeet/ for issuing a preliminary report. The need for changes at the national level informaatio-oikeus/henkilotietojensuo Finnish government’s programme states legislation, and especially whether the jakansallisenlainsaadannontarkist that the country should aim to refrain country wishes to make use of the aminen_0.html

Issue 147 June 2017 Germany’s new DP Act: Big NEWS 1 - Germany’s new DP Act: Big news news or business as usual? or business as usual? The current rule of appointing a DPO in organisations remains. 1 - EDPS: New e-Privacy law will There is no cap on fines and there is the possibility of a criminal mean stronger enforcement sentence of up to three years. By Katharina A. Weimer, Senior 2 - Comment Associate, Gowling WLG, Munich. Germany reaches GDPR milestone n the midst of the “winds of Draft), waiting to be signed by the 23 - Taiwan increases its enforcement change” brought by the General Federal President as the final step of activity Data Protection Regulation the law-making process 1. With the ANALYSIS I(GDPR), Germany’s parliament (the German Draft, the German govern - 9 - PRC data export rules: ‘Adequacy Bundestag ) and the Federal Assem - ment aims at implementing the with Chinese characteristics’? bly (the Bundesrat ) passed a new bill 25 - ASEAN’s two-speed data privacy on data protection (the German Continued on p.3 laws: Some race ahead 28 - Social acceptance is key in exercising the right to privacy EDPS: New e-Privacy law will LEGISLATION 15 - The intersection of US litigation mean stronger enforcement and EU data privacy laws The EDPS welcomes the form of an EU Regulation for e-Privacy 18 - Global reach of the GDPR: What is at stake? but calls for stronger protection for metadata, and envisages some flexibility on consent. Laura Linkomies reports from Brussels. MANAGEMENT he Regulation on Privacy and Data Protection Supervisor, said that 13 - US multinational Stanley Black & Electronic Communications the GDPR will “remain incomplete Decker opts for GDPR standard is proposed to take effect without this additional exercise.” He 17 - Book Review: Data Localization Tfrom 25 May 2018, and aligns with welcomes the fact that the proposal Laws and Policy the GDPR on many aspects. In an extends the scope of e-Privacy rules 20 - Privacy policies: Is there a risk of exclusive interview with PL&B , anti-competitive collusion? Giovanni Buttarelli, the European Continued on p.7 NEWS IN BRIEF 14 - Hogan Lovells issues GDPR compliance app Online search available 14 - Belgium advises on Big Data 22 - EU Commission seeks views on www.privacylaws.com EU-US Privacy Shield compliance Subscribers to paper and electronic editions can access the following: 22 - Italy issues GDPR guidance • Back Issues since 1987 • Materials from PL&B events 24 - Ireland may appoint two more • Special Reports • Videos and audio recordings DP Commissioners See the back page or www.privacylaws.com/subscription_info 31 - Finland’s GDPR implementation To check your type of subscription, contact delayed [email protected] or telephone +44 (0)20 8868 9200.

PL&B Services: Publications • Conferences • Consulting • Recruitment Training • Compliance Audits • Privacy Officers Networks • Roundtables • Research COMMENT

ISSUE NO 147 JUNE 2017

PUBLISHER Stewart H Dresner Germany: Milestone reached [email protected] EDITOR in GDPR implementation Laura Linkomies Germany has issued a new draft law to implement the provisions of [email protected] the GDPR, and may be the most advanced with its plans within the EU. The draft law, adopted by the Parliament on 27 April is not easy DEPUTY EDITOR to understand – and is in places stricter than the GDPR. For example, Tom Cooper the law introduces the possibility of imprisonment of up to three [email protected] years ( p.1 ). ASIA-PACIFIC EDITOR Professor Graham Greenleaf The intersection of US litigation and EU Data Privacy Laws means [email protected] that controllers who may become involved in US litigation should REPORT SUBSCRIPTIONS consider potential obligations to retain, review and produce K’an Thomas documents when drafting privacy policies and notices ( p.15 ). The [email protected] extra-territorial reach of the GDPR is a concern for non-EU companies offering goods and services in the region – when does it CONTRIBUTORS apply? Our correspondents analyse the situation on p.18 . Scott Livingston Simone IP Services, Hong Kong An example of the global reach of the GDPR is that the US Sophie Lawrance and Noel Watson-Doig Bristows LLP, UK multinational Stanley Black & Decker chooses to follow the GDPR standard across its operations ( p.13 ) in order to simplify its Chen Hui-ling and Michael Fahey Winkler Partners, Taiwan compliance. But companies do not have to worry about just the Katharina A. Weimer GDPR – plans to adopt the e-Privacy Regulation are advancing. Read Gowling WLG LLP, Germany on p.1 what the EDPS, Giovanni Buttarelli thinks of the proposal. Laura Hall Allen & Overy, US In China, new data export restrictions need companies’ attention Meredith Jankowski and Michelle Anderson (p.9 ), and mean cost implications for companies as well as restrictions DLA Piper LLP, US on their use of cloud computing. New legislative developments take Chantal Bernier place in ASEAN countries ( p.25 ). In Taiwan, we see an increase in Dentons LLP, Canada enforcement action ( p.23 ).

Data protection principles come into question when determining Published by whether a company has a dominant position under competition law, Privacy Laws & Business, 2nd Floor, Monument House, 215 Marsh Road, Pinner, and organisations need to consider the extent to which collusion in Middlesex HA5 5NE, United Kingdom relation to privacy policies is an area that competition authorities may Tel: +44 (0)20 8868 9200 investigate ( p.20 ). Fax: +44 (0)20 8868 5215 Email: [email protected] Website: www.privacylaws.com To conclude, organisations need a ‘social license’ to operate – the Subscriptions: The Privacy Laws & Business International social acceptability of a business is key in the future privacy Report is produced six times a year and is available on an annual subscription basis only. Subscription details are at the landscape, says Canada’s former Interim Privacy Commissioner back of this report. Chantal Bernier ( p.28 ).

Whilst every care is taken to provide accurate information, the publishers cannot accept liability for errors or omissions or for any advice given. Design by ProCreative +44 (0)845 3003753 Laura Linkomies, Editor Printed by Rapidity Communications Ltd +44 (0)20 7689 8686 PRIvACy LAWS & BUSINESS ISSN 2046-844X

Copyright : No part of this publication in whole or in part may be reproduced or transmitted in any form without the prior written permission of the publisher. Contribute to PL&B reports Do you have a case study or opinion you wish us to publish? Contri butions to this publication and books for review are always welcome. If you wish to offer reports or news items, © 2017 Privacy Laws & Business please contact Laura Linkomies on Tel: +44 (0)20 8868 9200 or email [email protected] .

PL&B’s International Repo rt will help you to: Stay informed of data protection legislative Find out about future regulatory plans. developments in 100+ countries. Understand laws, regulations, court Learn from others’ experience and tribunal decisions and what they through case studies and analysis. will mean to you. Incorporate compliance solutions Be alert to future privacy and data into your business strategy. protection law issues that will affect your organisation’s compliance.

Included in your subscription: NK=låäáåÉ=ëÉ~êÅÜ=ÑìåÅíáçå~äáíó PK=bJj~áä=réÇ~íÉë SK=bîÉåíë=açÅìãÉåí~íáçå Search for the most relevant content E-mail updates help to keep you Access International and/or from all PL&B publications and regularly informed of the latest UK events documentation such as events. you can then click straight developments in data protection Roundtables with Data Protection through from the search results into and privacy issues worldwide. Commissioners and PL&B Annual the PDF documents. International Conferences , in QK=_~Åâ=fëëìÉë July, in Cambridge, UK. OK=bäÉÅíêçåáÅ=^ÅÅÉëë Access all the PL&B International We will email you the PDF edition Report back issues since 1987. TK=eÉäéäáåÉ=båèìáêó=pÉêîáÅÉ which you can also access via the Contact the PL&B team with PL&B website. you may also RK=péÉÅá~ä=oÉéçêíë questions such as the current status choose to receive one printed copy. Access PL&B special reports on of privacy legislation worldwide, Data Privacy Laws in 100+ countries and sources for specific issues and and a book on Data Privacy Laws in texts. This service does not offer the Asia-Pacific region. legal advice or provide consultancy.

To Subscribe: www.privacylaws.com/subscribe

PL&B’s International Report is a powerhouse of information that provides relevant insight across a variety of jurisdictions in a timely manner. Mark Keddie, Global Data Protection Officer, Denstu Aegis Network

Subscription Fees Single User Access International Postage (outside UK): International Edition £550 + VAT* Individual International or UK Edition UK Edition £440 + VAT* Rest of Europe = £22, Outside Europe = £30 UK & International Combined Edition £880 + VAT* Combined International and UK Editions Rest of Europe = £44, Outside Europe = £60 * VAT only applies to UK based subscribers

Multi User Access Discounts for 2-10 users. Enterprise licence for 11+ users. Satisfaction Guarantee If you are dissatisfied with the Report in any way, the Subscription Discounts unexpired portion of your subscription will be repaid. Introductory 50% discount. Use code HPSUB (first year only) for DPAs, public sector, charities, academic institutions and small and medium companies. Discounts for 2 and 3 year subscriptions Privacy Laws & Business also publishes the United Kingdom Report. www.privacylaws.com/UK