Data Protection Masterclass VI: Global Privacy. May 24, 2012. Ann Bevitt, Karin Retzer, Miriam Wugmeister
Data Protection Laws in Europe • 30 Member States of the European Economic Area • Azerbaijan • Belarus • Bosnia & Herzegovina • Channel Islands • Croatia • Isle of Man • Russia • Serbia • Switzerland • Ukraine
North America: Canada, Mexico, United States • Central & South America: Argentina, Brazil (Pending), Chile, Colombia, Costa Rica, Ecuador (Pending), Paraguay (Limited), Peru, Uruguay • Middle East: Israel, UAE (DIFC), Qatar (Financial Center only) • Africa: Angola, Morocco, South Africa (Pending), Tunisia • Asia-Pacific Rim: Australia, China (Limited), Hong Kong, India, Japan, Macao, Malaysia, New Zealand, Philippines (Pending), Singapore (Pending), South Korea, Taiwan, Thailand (Pending), Vietnam (Limited) • And elsewhere …
Common Elements in Privacy Laws • Notice • Choice • Access • Security • Audit and Enforcement • Agreements with Third Parties • Cross-border transfers
Australia • Omnibus law regulates the collection, use, and disclosure of personal data by the private sector • An organization may transfer personal data to a recipient in a foreign country only if it is subject to a “substantially similar” privacy regime. Organizations must determine for themselves what constitutes “substantially similar” • Administrative penalties and private right of action possible • No limits on damages
Australia (cont’d) • Law amendments under review by Parliament • Amendments would create a unified set of Privacy Principles to cover both the private and public sectors • Second stage of amendments to clarify or remove certain exemptions such as the employee records exemption, require breach notification, establish a private right of action, and harmonize national, state and provincial privacy laws
China • No constitutional right to privacy • Criminal law amended in 2009 to make sale or other unauthorized disclosure of certain personal data a criminal offense • Tort liability law, effective July 1, 2010, recognizes independent right of privacy; private rights of action for civil damages possible • Anti-spam regulations issued in March 2006 • Privacy legislation possible – either a separate statutory protection for the right to privacy or statutory extension of the right to personal dignity under the Constitution
China (cont’d) • Internet Regulations issued in December 2011, governing the collection, storage and use of personal information by Internet companies • Internet Information Service Providers must provide notice and obtain users’ prior consent when collecting personal information or providing it to others • Limitations on use and general security requirements • Breach of the requirements subject to sanctions that include rectification orders, warnings and penalties ranging from RMB10,000 to RMB30,000
Hong Kong • Omnibus law — Personal Data (Privacy) Ordinance • Notice, use and disclosure regulated • No database registration required • Cross-border transfer restriction is not operative and no implementation date has been set • Statutory penalties and private rights of action possible • Anti-Spam Law enacted in 2007 • Voluntary Security and Data Breach Guidelines issued • The Personal Data (Privacy) Amendment Bill introduced into Hong Kong’s Legislative Council in July 2011; expected to be enacted before the end of 2012 • New rules in areas such as direct marketing, data security, data breach notification, and data transfers possible
Japan • Omnibus law — Law Concerning the Protection of Personal Information (“PIPL”) • Framework legislation, implemented by Ministry Regulations (34 guidelines issued by 12 ministries) • No cross-border limitation — based on accountability • Opt-in consent for transfer of personal information to third parties • “Third parties” include subsidiaries, affiliates, group companies, franchisees, foreign companies, and joint marketing partners • Criminal sanctions and administrative penalties for violations
Japan (cont’d) • Implied consent not necessary if • Transfer is to a “Delegatee” (service provider) • Transfer compliant with specific notice and opt-out requirements and when used for direct marketing purposes • Transfer is pursuant to M&A transaction or • Other exceptions — if transfer is pursuant to a law or ordinance; if necessary to protect life, person or property and consent is difficult to obtain; if necessary to improve public safety or protect children and consent is difficult to obtain; or if cooperation is required by government agencies
Korea • Consent • “Separate” consent is required for each stage of handling of personal data: • collection and use • transfer to a third party • (handling of) particular identification data • (handling of) sensitive data • Lots of details required — i.e. list the names of all third-party recipients • Trans-border transfer: (1) consent from the data subject is required, and/or (2) transfer contract in line with Korean law
Korea (cont’d) • Notice (separate from the notification for informed consent): • Items of personal data to be handled • Purposes of use of personal data • Retention and use periods • Information on transfer of personal data to a third party, outsourcing and destruction of personal data • Rights of data subjects • Protective measures for data security
Korea (cont’d) • Security – technical, administrative and physical • Supervisory authority (MOPAS) has specified details: • establishment and implementation of internal management plan • keeping access records • prevention of falsification of such records • access control • password control • installation and operation of an access control system • anti-virus programs • encryption of devices
Korea (cont’d) • Data Breach Notification/Report • Notification to affected data subjects, to specify • Items of personal data breached • Date/time of data breach • Measures to take to minimize possible damages • Available remedies • Report to the authority: upon a leak involving 10,000 or more data subjects
Korea (cont’d) • Liability/Penalties • Violation: may entail criminal punishment (e.g., imprisonment of up to 5 years and USD 50K), administrative sanctions, civil liability • Companies subject to hacking are sanctioned: criminal / administrative / civil liabilities
Malaysia • Personal Data Protection Bill 2009 given Royal Assent and published in June 2010; however, date of entry into force still to be determined • Personal Data Protection Commission expected to be set up in 2012; implementing regulations need to be issued • Notice, use and disclosure regulated • Classes of data users that must register their databases to be determined • Cross-border transfer restrictions • Fines and imprisonment possible • Directors equally liable for offenses committed by the organization • Once Act becomes effective, organizations have three months to come into compliance
New Zealand • Privacy Act 1993 applies to private and public sectors • Notice, use and disclosure regulated • No database registration required • Government currently conducting full scale law review • Enacted the Privacy (Cross-border Information) Amendment Act in 2010, empowering the Privacy Commissioner to prohibit the onward transfer of personal information received from overseas • In April 2011, EU’s Article 29 Working Party adopted an adequacy opinion
Philippines • Constitutional right to privacy • EU-style draft legislation has been approved by both the House and the Senate • Senate version of the bill (SB 2965) will need to be reconciled by bicameral conference committee with HB 4115 and then sent to President Benigno Aquino to consider and sign • Draft legislation would create a national Privacy Commission to enforce regulations, receive complaints, institute investigations, issue injunctions and recommend penalties to the Department of Justice
Singapore • No data protection law is in place • Voluntary Model Data Protection Code sets out 11 data protection principles for adoption by the private sector • Processing of employment data and data for personal, journalistic and scientific research use are exempt from the Code • Continued reliance on self-regulatory regime will depend on whether companies adopt the voluntary guidelines • Ministry of Information, Communications and the Arts issued detailed proposals for a draft Personal Data Protection Bill; public comment period ended April 30, 2012 • Government plans to introduce the bill in Parliament by the third quarter of 2012 • Anti-Spam Law enacted in 2007
Taiwan • Computer Processed Personal Data Protection Act • Covers limited private entities — financial, securities, insurance, mass media, and telecommunications companies • Database registration and opt-in consent required • Amendment approved by Parliament in April 2010 eliminated the registration requirement and will extend coverage to all sectors, public and private, once fully implemented • Criminal, civil, and administrative penalties for violations; private right of action • However, new government took office in February 2012 and delayed implementation
Taiwan (cont’d) • Concern about the draft implementing regulations issued in October 2011 • Government to consult with businesses and the financial sector and research cross-border-related issues • Any revisions to the underlying law would be sent to Parliament for approval • Unclear if Cabinet would be able to finalize a proposal and get it to lawmakers before the end of the legislative session in late June 2012
Argentina • Very similar to Spain • The scope of the law is relatively narrow — Applies to databases that are shared • Requires notice and opt-in consent to process personal information or to share information with affiliated companies • Prohibits transborder transfers to countries without “adequate” data protection • Protective contracts or consent of individual is required if no adequacy finding • Argentina has not issued any adequacy findings, so organizations must rely on protective contracts or the consent of individual • Criminal sanctions, administrative penalties, and private right of action possible
Brazil • Draft privacy legislation pending in Congress • Public consultation on a draft bill started in April 2011; Ministry of Justice will now revise and present draft bill to Congress • Current bill requires: express consent to process all personal information; express consent to disclose personal information to third parties with no exceptions; express consent, or another exception, to transfer personal information to inadequate countries; provision of unfettered rights of access to personal information • Sensitive information, such as health information, is protected under the Constitution; consumer data is protected under the Consumer Defense Code • For consumer data, there are notice, access, and correction obligations as well as consent requirement in order to transfer data
Chile • First country in Latin America to enact data privacy law • Notice and consent required • Written consent required to disclose sensitive information • No database registration • Access and correction rights • Must keep personal information secret and confidential • No cross border restrictions but confidentiality agreements must be in place to transfer nonpublic personal information to third parties • New legislation introduced in 2008 but no action has been taken by the legislature
Colombia • Habeas data law enacted in 2008 gives individuals the constitutional right to know, update, and correct information about them contained in databases • Controversy regarding the scope of 2008 Law about whether it applies only to financial data or more broadly regulates the collection, use, storage and transfer of financial, credit, services and commercial data • Comprehensive new data privacy law approved by Congress in late 2010; Constitutional Court upheld majority of the law’s provisions • The law, which must be signed by the President before it enters into force, requires an individual’s specific consent to collect, use, store, and/or transfer personal data • Timetable for enactment unknown
Mexico • Data privacy law approved by Congress in April 2010 and entered into force July 5, 2010 • Regulations Issued in September 2011 • Notices must be provided at the time of collection • Access and Correction Rights • A data privacy person or office must be designated to process requests from individuals who wish to exercise their rights under the law • Consent • Implied (opt-out) sufficient in most instances • Written express consent to process financial or asset data and sensitive personal information
Mexico (cont’d) • Individuals must be notified immediately in the event of a security breach that significantly affects their "equity or legal rights" • Organizations must have contracts in place with third parties that require the third parties to treat the data in accordance with the privacy notice provided to the individual and assume the same obligations as the organization that is transferring the data • Data Transfers • Domestic or international transfers of data without consent to affiliated entities that operate under the same internal processes and policies • Other exceptions such as contractual necessity • No Registration • Possible penalties include large fines and jail time
Peru • Omnibus data privacy law enacted July 5, 2011 • Regulates the collection, use and disclosure of personal information by private sector organizations • Establishes a Data Protection Authority that will report to the Ministry of Justice • Requirements include: • Express consent needed in many instances to collect, use and disclose personal information • Database registration • Data may not be transferred to third countries that do not provide an adequate level of protection • Grants DPA the power to impose sanctions on organizations that violate the law
Peru (cont’d) • Only Title II provisions establishing the data protection principles and creating the DPA and the multi-sectoral commission responsible for developing the implementing regulations now in effect • Other provisions to become effective 30 days after the implementing regulations are published • Timetable for issuance of regulations unknown
Uruguay • EU style data protection law enacted in August 2008 (Implementing Decree in August 2009) • Prior notice and opt-in consent are required to process personal data unless an exception applies • Access must be provided and individuals may request rectification, updating, inclusion, or deletion of personal data • Database registration required • Obligation to report security violations that significantly affect the interests of the individuals concerned; however, unclear to whom notice must be given • Cross-border transfers of personal data to countries not deemed “adequate” are prohibited without opt-in consent, unless an exception applies • Administrative penalties and a private right of action
Forest/Trees • Focus on core substantive obligations • Notice • Choice • Security • Service Providers • Look for commonalities • Stay involved – changes weekly
Evaluate Risky Areas • Collection of information over the Internet and email • Access to sensitive files by employees and independent contractors • Access to credit card information • Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives • Data to be transmitted to any third party • Storage and disposal of paper records • Data center moves/consolidations • Transfer and use by service provider/outsourcing
How Must Information Be Protected? • Technical • Firewalls, anti-virus, and anti-spyware protections • Periodic changing of (non-default) IDs and passwords • Access controls (important when someone leaves the company) • Encryption • Limit access to that which is necessary to perform duties • Basic rules for employees • Do not email sensitive or special PI • Do not access more than that which is needed • Create and use secure documents • Use passwords
How Must Information Be Protected? (cont’d) • Physical • Lock file cabinets • Shred appropriately (do not put PI in the garbage) • Check litigation/document holds before disposing of any documents • Control movement of personnel into, through, and out of offices • Enforce procedures for card keys and other access controls • Monitor employees with access to customer and Human Resources data
How Must Information Be Protected? (cont’d) • Administrative • Technology use policy • Blogging and social networking, peer to peer file sharing programs, remote access, use of laptops • Security breach notification procedure • How is unauthorized access or acquisition reported? • Who is on the immediate response team? • Confidentiality policy • Does it cover confidential information and Personal Information? • Training • Audit
Specific Controls • Background checks • Non-Disclosure Agreements • Video cameras on site • Physical segregation of customer data • Firewalls/virus controls • Servers locked to shelves • Separate and locked server room • Encryption of laptops • Limitations on remote access • USB/Memory Sticks • Cell phones/iPods in service centers
Employee Training and Awareness • All employees with access to PI should be trained in data security policy and procedures and refresher training should be provided as necessary • Important to have follow-up to assess employees’ awareness • Consider Non-Disclosure Agreements (NDAs) with employees • Employees should be advised that violations of data protection policy will result in disciplinary action • Think creatively about training
Questions? • Ann Bevitt, London abevitt@mofo.com • Karin Retzer, Brussels kretzer@mofo.com • Miriam Wugmeister, New York mwugmeister@mofo.com • Mofoprivacy.com