July 2019 Legislative Updates

July 9, 2019

Share on facebook
Share on google
Share on twitter
Share on linkedin

Brazilian Data Protection Authority

On June 11th, the International Association of Privacy Professionals reported that the Brazil Congress approved Provisional Measure No. 869, which created the Brazilian data protection authority (DPA). The Brazilian DPA will be an agency within the office of the Brazil president. In 2018, Brazil passed a comprehensive data protection law, which will take effect February 2020. The DPA will be responsible for enforcing the law, including issuing technical guidelines and civil penalties for violations.

General Data Protection Regulation

On June 3rd, Thomson Reuters published a survey of data privacy professionals at large global organizations and their experience with compliance with the General Data Protection Regulation (GDPR). According to Thomson Reuters:

  • 48 percent of respondents said that they are failing to meet GDPR requirements;
  • 79 percent of respondents said that they are struggling to stay up to date on regulations;
  • U.S. businesses were most likely to report that they were failing to meet data privacy requirements;
  • Nearly all businesses are aware of GDPR;
  • 33 percent of respondents said that GDPR compliance was more challenging than anticipated; and
  • Companies reported spending an average of USD$1.32 million in 2018 on data protection issues.

On June 13th, the European Commission published the results of a studywhich found that 73 percent of Europeans are aware of at least one of their rights under the GDPR – such as the right to access their own data, correct any errors, object to direct marketing, or have their own data deleted. The European Commission announced that it will launch a privacy awareness campaign to encourage citizens to read privacy statements and optimize privacy settings.

Portugal Data Protection

This month Portugal adopted its new data protection law, “Lei de Execução do Regulamento Geral sobre a Proteção de Dados” (English translation: “Execution Law of the General Data Protection Regulation (GDPR).”) To enter into force, the new law must be signed by the President and then published in the Official Journal. It will then enter into force a day after publication in the Official Journal. That leaves European Union (EU) member states Greece and Slovenia as the only EU member states who have not passed GDPR-implementing legislation. Why is GDPR-implementing legislation important? Because, while the GDPR is about harmonizing data protection rules throughout Europe, it does provide for certain areas where EU member states “shall” and “may” carve out exceptions within the articles of the regulation. This requires implementing legislation at the member state level.

Swedish Data Protection Authority

On June 12th, the Swedish Data Protection Authority announced an investigation into music streaming company Spotify for its handling of customer requests under the EU General Data Protection Regulation (GDPR). Spotify allegedly failed to provide the necessary information when consumers requested copies of all the data that Spotify collects on them, in violation of the GDPR right to access.