Access Legal & IG Quarterly Update – September 2022

Welcome to the Q3 Access Legal and Information Governance (IG) quarterly update, documenting the latest legislation and regulatory news happening around the world. We hope that professionals in the IG, legal, compliance and records management fields continue to find these briefings helpful. Our areas of research focus mainly on data privacy and security, records retention, financial services, payment processing, workplace safety, and back office refresh.

Just as we set out to do when we first launched in 2021, in this third quarter of 2022, we aim to ensure that you have all the latest regulatory updates and provisional information you need to do your job as efficiently as possible and with the utmost confidence.

We also include notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo, as a courtesy to active clients. We look forward to continuing to provide these updates throughout the rest of this year and beyond. Following is the latest on that front.

New & Noteworthy Legislation in the United States:

  • The U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) established a framework for the implementation of a price cap on Russian oil to diminish the energy revenues of the Russian state.
    • This policy, constructed as a ban on services, will have an important exception: jurisdictions or actors that purchase seaborne Russian oil at or below a price cap to be established by the coalition will expressly be able to receive services related to the maritime transportation of Russian Federation origin crude oil and petroleum products. OFAC will expect the actors in Tier 1, Tier 2, and Tier 3 to retain relevant records for five years.
      • Tier 1 Actors. Actors who regularly have direct access to price information in the ordinary course of business, such as commodities brokers and refiners, “should retain and share” documentary evidence such as invoices, contracts, or receipts/proof of accounts payable to show that seaborne Russian oil was purchased at or below the price cap.
      • Tier 2 Actors. Actors who are sometimes able to request and receive price information from their customers in the ordinary course of business, such as financial institutions, “should, when practicable,” retain documentary evidence such as invoices, contracts, or receipts/proof of accounts payable to show that seaborne Russian oil was purchased at or below the price cap, but when not “practicable,” should obtain and retain customer attestations in which the customer commits to not purchase seaborne Russian oil above the price cap.
      • Tier 3 Actors. Actors who do not regularly have direct access to price information in the ordinary course of business, such as insurers and protection and indemnity clubs, “should obtain and retain” customer attestations in which the customer commits to not purchase seaborne Russian oil above the price cap.
    • In Virgo as “OFAC Guidance Sept. 9. 2022”.

New & Noteworthy Legislation in Canada:

In Quebec –

  • On Sept. 22, 2022, new requirements relating to personal data protection and confidentiality incidents came into force.
  • Act respecting ‘Access to Documents Held by Public Bodies and the Protection of Personal Information (chapter A-2.1) and the Act Respecting the Protection of Personal Information in the Private Sector (chapter P 39.1):
    • These amendments and new regulations require organizations to keep a register of confidentiality incidents (meaning: “(1) access not authorized by law to personal information; (2) use not authorized by law of personal information; (3) communication not authorized by law of personal information; or (4) loss of personal information or any other breach of the protection of such information.”) for a period of 5 years. The register must contain:
      1. a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
      2. a brief description of the circumstances of the incident;
      3. the date or time period when the incident occurred or, if that is not known, the approximate time period;
      4. the date or time period when the body became aware of the incident;
      5. the number of persons concerned by the incident or, if that is not known, the approximate number;
      6. a description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;
      7. if the incident presents a risk of serious injury, the transmission dates of the notices to the Commission d’accès à l’information and the persons concerned, pursuant to the second paragraph of section 63.8 of the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information or the second paragraph of section 3.5 of the Act Respecting the Protection of Personal Information in the Private Sector, as well as an indication of whether the body issued public notices and, if applicable, its reasons for doing so; and
      8. a brief description of the measures the body has taken after the incident occurred in order to reduce the risks of injury.
    • In Virgo, under “Confidentiality Incidents Regulation” and under “Act Respecting the Protection of Personal Information in the Private Sector”. 

In Manitoba –

  • The Limitations Act, SM 2021, c 44 repeals and replaces the current legislation, The Limitations of Actions Act, CCSM c L150.
  • The Old Act provided for limitation periods ranging from 1 to 10 years. The New Act replaces those with a limitation period of 2 years for most claims.
    • In Virgo under “The Limitations Act”.

Beyond Storage – A Comprehensive Information Management Checklist

Organizations of all kinds and sizes are finding themselves faced with an array of information management challenges. Some of these challenges, like the transformation of information technologies and the growth of data sets, have remained relatively unchanged for years.

New & Noteworthy Legislation in UAE:

  • Circular No. 5/2022
    • Ministry of Economy and the UAE Ministry of Justice implemented new Anti-Money Laundering reporting requirements, set out in Circular No. 5/2022, applicable to cash and virtual currency-related real estate transactions conducted in the UAE.
    • In force July 1, 2022
    • Requirement for parties to real estate transactions to keep records for at least 5 years. Records to be retained include: copies of identity documents (Emirates ID or passport) from the party transferring the funds; receipts, invoices, contracts and Sale & Purchase Agreements relating to the transaction; and where the buyer is a corporate entity, the entity’s Trade License; the entity’s Articles of Association; register of Beneficial Owners of the entity; Emirates ID or passport copy for all Beneficial Owners of the entity; and Emirates ID or passport copy for all shareholders/partners of the entity.
    • In Virgo as “Circular No. 5 of 2022, Art. 6”.
  • New Labour Law
    • Labour Law, Federal Law Number 33 of 2021 came into force earlier this year and repeals Law Number 8 of 1980, replacing it entirely.
    • New recordkeeping requirements for employers include:
      • Maintaining employee files and records for no less than 2 years after the date of the worker’s end of service (Art. 13).
      • Concluding an employment contract with the worker; the contract shall be made in two copies; one copy shall be kept by the employer and the other shall be handed over to the worker (Art. 8)
    • In Virgo as “Federal Decree-Law No. (33) of 2021”.

New & Noteworthy Legislation in Vietnam:

  • Vietnam issued The Law on Cybersecurity, Decree No. 53/2022/ND-CP on Aug. 15, 2022, and it will become fully effective on Oct. 1, 2022. One of the important matters issued in this Decree relates to data localization:
    • Domestic companies and certain foreign companies providing specified services (e.g. telecommunications, e-commerce, online payment), must store specific data in Vietnam for at least 2 years, and system logs relating to violations of the law must be stored for at least 12 months.
    • In Virgo under “Decree 53/2022/ND-CP guiding the Law on Cybersecurity”.

New & Noteworthy Legislation in Indonesia:

  • New “Personal Data Protection Act” was ratified by Indonesia’s parliament on Sept. 20, 2022.
    • Under the new Act, entities (whether public or private) that handle Indonesian residents’ personal data are required to ensure the protection of the data in their systems. The Act also imposes sanctions for the mishandling of personal data, including prison terms of up to six years for falsifying personal data for personal gain. Also under the Act, Indonesian residents are able to claim compensation for breaches of their personal data and are provided certain privacy rights, including the rights of access, deletion and restriction.
    • In Virgo as “Personal Data Protection Act”.

New & Noteworthy Legislation in Cuba:

  • Personal Data Protection Law No. 149 was published in the Official Gazette of Cuba on Aug. 25, 2022 and it enters into force in February 2023.
    • The Law guarantees the right to the protection of personal data; ensures due respect for personal and family privacy; ensures protection of an individual’s voice, image, honor, and personal identity; regulates the effective processing of personal data and the use of public information; and promotes a culture of data protection.
    • Under the Law, data subjects must be informed of: the lawful basis of processing his/her data; the manner by which data will be processed; the recipients of the data; data retention; the consequences of providing inaccurate data, and the format by which data is to be stored.
    • In Virgo as “Law 149 of 2022 on the Protection of Personal Data”.

As always, over the coming months, the Access Legal Research Team will be conducting new research and reviewing existing research in the following jurisdictions:

  • Argentina
  • Australia
  • Austria
  • Belgium
  • Brazil
  • Canada
  • Chile
  • China
  • Colombia
  • Croatia
  • Czech Republic
  • Germany
  • Djibouti
  • France
  • India
  • Iraq
  • Japan
  • Kuwait
  • Lebanon
  • Mexico
  • Netherlands
  • Panama
  • Philippines
  • Singapore
  • Slovenia
  • Turkey
  • South Africa
  • UAE
  • US
  • UK

To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo here.

Request a Virgo Product Demo Today!

Related Resources

View all resources
The Disastrous Effects of a Data Breach
The Disastrous Effects of a Data Breach
Blog | 2 min read
From Compliance to Accessibility: 6 Reasons to Perform Document Digitization
From Compliance to Accessibility: 6 Reasons to Perform Document Digitization
Blog | 4 min read
Going Paperless? Legal Guidelines for Retaining Electronic Personnel Files
Going Paperless? Legal Guidelines for Retaining Electronic Personnel Files
Blog | 5 min read
The Five W’s (and Sometimes How) of Efficient Records Retention: Part Two
The Five W’s (and Sometimes How) of Efficient Records Retention: Part Two
Blog | 3 min read