Posted: 25-Dec-2015
© 2012 Morrison & Foerster LLP | All Rights Reserved | mofo.com
Data Protection Masterclass VI: Global Privacy
May 24, 2012
Ann Bevitt, Karin Retzer, Miriam Wugmeister
This is MoFo.
Data Protection Laws in Europe
30 Member States of the European Economic Area
Azerbaijan
Belarus
Bosnia & Herzegovina
Channel Islands
Croatia
Isle of Man
Russia
Serbia
Switzerland
Ukraine
And elsewhere …
North America: Canada, Mexico, United States
Central & South America: Argentina, Brazil (Pending), Chile, Colombia, Costa Rica, Ecuador (Pending), Paraguay (Limited), Peru, Uruguay
Middle East: Israel, UAE (DIFC), Qatar (Financial Center only)
Africa: Angola, Morocco, South Africa (Pending), Tunisia
Asia-Pacific Rim: Australia, China (Limited), Hong Kong, India, Japan, Macao, Malaysia, New Zealand, Philippines (Pending), Singapore (Pending), South Korea, Taiwan, Thailand (Pending), Vietnam (Limited)
Common Elements in Privacy Laws
Notice
Choice
Access
Security
Audit and Enforcement
Agreements with Third Parties
Cross-border transfers
Australia
Omnibus law regulates the collection, use, and disclosure of personal data by the private sector
An organization may transfer personal data to a recipient in a foreign country only if it is subject to a “substantially similar” privacy regime. Organizations must determine for themselves what constitutes “substantially similar”
• Administrative penalties and private right of action possible
• No limits on damages
Australia (cont’d)
Law amendments under review by Parliament
Amendments would create a unified set of Privacy Principles to cover both the private and public sectors
Second stage of amendments to clarify or remove certain exemptions such as the employee records exemption, require breach notification, establish a private right of action, and harmonize national, state and provincial privacy laws
China
No constitutional right to privacy
Criminal law amended in 2009 to make sale or other unauthorized disclosure of certain personal data a criminal offense
Tort liability law, effective July 1, 2010, recognizes independent right of privacy; private rights of action for civil damages possible
Anti-spam regulations issued in March 2006
Privacy legislation possible – either a separate statutory protection for the right to privacy or statutory extension of the right to personal dignity under the Constitution
China (cont’d)
Internet Regulations issued in December 2011, governing the collection, storage and use of personal information by Internet companies
Internet Information Service Providers must provide notice and obtain users’ prior consent when collecting personal information or providing it to others
Limitations on use and general security requirements
Breach of the requirements subject to sanctions that include rectification orders, warnings and penalties ranging from RMB10,000 to RMB30,000
Hong Kong
Omnibus law — Personal Data (Privacy) Ordinance
Notice, use and disclosure regulated
No database registration required
Cross-border transfer restriction is not operative and no implementation date has been set
Statutory penalties and private rights of action possible
Anti-Spam Law enacted in 2007
Voluntary Security and Data Breach Guidelines issued
The Personal Data (Privacy) Amendment Bill was introduced into Hong Kong’s Legislative Council in July 2011; it is expected to be enacted before the end of 2012
New rules in areas such as direct marketing, data security, data breach notification, and data transfers possible
Japan
Omnibus law — Law Concerning the Protection of Personal Information (“PIPL”)
Framework legislation, implemented by Ministry Regulations (34 guidelines issued by 12 ministries)
No cross-border limitation — based on accountability
Opt-in consent for transfer of personal information to third parties
“Third parties” include subsidiaries, affiliates, group companies, franchisees, foreign companies, and joint marketing partners
Criminal sanctions and administrative penalties for violations
Japan (cont’d)
Implied consent not necessary if
Transfer is to a “Delegatee” (service provider)
Transfer compliant with specific notice and opt-out requirements and when used for direct marketing purposes
Transfer is pursuant to M&A transaction or
Other exceptions — if transfer is pursuant to a law or ordinance; if necessary to protect life, person or property and consent is difficult to obtain; if necessary to improve public safety or protect children and consent is difficult to obtain; or if cooperation is required by government agencies
Korea
Consent
“Separate” consent is required for each stage of handling of personal data:
collection and use
transfer to a third party
(handling of) particular identification data
(handling of) sensitive data
Many details required — e.g., listing the names of all third-party recipients
Trans-border transfer:
(1) consent from the data subject is required, and/or (2) transfer contract in line with Korean law
Korea (cont’d)
Notice (separate from the notification for informed consent):
Items of personal data to be handled
Purposes of use of personal data
Retention and use periods
Information on transfer of personal data to a third party, outsourcing and destruction of personal data
Rights of data subjects
Protective measures for data security
Korea (cont’d)
Security – technical, administrative and physical
Supervisory authority (MOPAS) has specified details:
establishment and implementation of an internal management plan
keeping access records
prevention of falsification of such records
access control
password control
installation and operation of an access control system
anti-virus programs
encryption of devices
Korea (cont’d)
Data Breach Notification/Report
Notification to affected data subjects, to specify
Items of personal data breached
Date/time of data breach
Measures to take to minimize possible damages
Available remedies
Report to the authority: upon a leak involving 10,000 or more data subjects
Korea (cont’d)
Liability/Penalties
Violation: may entail criminal punishment (e.g., imprisonment of up to 5 years and USD 50K), administrative sanctions, civil liability.
Companies that are hacked may also be sanctioned — criminal, administrative and civil liability
Malaysia
Personal Data Protection Bill 2009 given Royal Assent and published in June 2010; however, date of entry into force still to be determined
Personal Data Protection Commission expected to be set up in 2012; implementing regulations need to be issued
Notice, use and disclosure regulated
Classes of data users that must register their databases to be determined
Cross-border transfer restrictions
Fines and imprisonment possible
Directors equally liable for offenses committed by the organization
Once Act becomes effective, organizations have three months to come into compliance
New Zealand
Privacy Act 1993 applies to private and public sectors
Notice, use and disclosure regulated
No database registration required
Government currently conducting full scale law review
Enacted the Privacy (Cross-border Information) Amendment Act in 2010, empowering the Privacy Commissioner to prohibit the onward transfer of personal information received from overseas
In April 2011, EU’s Article 29 Working Party adopted an adequacy opinion
Philippines
Constitutional right to privacy
EU-style draft legislation has been approved by both the House and the Senate
Senate version of the bill (SB 2965) will need to be reconciled by bicameral conference committee with HB 4115 and then sent to President Benigno Aquino to consider and sign
Draft legislation would create a national Privacy Commission to enforce regulations, receive complaints, institute investigations, issue injunctions and recommend penalties to the Department of Justice
Singapore
No data protection law is in place
Voluntary Model Data Protection Code sets out 11 data protection principles for adoption by the private sector
Processing of employment data and data for personal, journalistic and scientific research use are exempt from the Code
Continued reliance on self-regulatory regime will depend on whether companies adopt the voluntary guidelines
Ministry of Information, Communications and the Arts issued detailed proposals for a draft Personal Data Protection Bill; public comment period ended April 30, 2012
Government plans to introduce the bill in Parliament by the third quarter of 2012
Anti-Spam Law enacted in 2007
Taiwan
Computer Processed Personal Data Protection Act
Covers limited private entities — financial, securities, insurance, mass media, and telecommunications companies
Database registration and opt-in consent required
• Amendment approved by Parliament in April 2010 eliminated the registration requirement and will extend coverage to all sectors, public and private, once fully implemented
Criminal, civil, and administrative penalties for violations; private right of action
However, new government took office in February 2012 and delayed implementation
Taiwan (cont’d)
Concern about the draft implementing regulations issued in October 2011
• Government to consult with businesses and the financial sector and research cross border-related issues
• Any revisions to the underlying law would be sent to Parliament for approval
Unclear if Cabinet would be able to finalize a proposal and get it to lawmakers before the end of the legislative session in late June 2012
Argentina
Very similar to Spain
The scope of the law is relatively narrow — Applies to databases that are shared
Requires notice and opt-in consent to process personal information or to share information with affiliated companies
Prohibits transborder transfers to countries without “adequate” data protection
Protective contracts or consent of individual is required if no adequacy finding
• Argentina has not issued any adequacy findings, so organizations must rely on protective contracts or the consent of the individual
Criminal sanctions, administrative penalties, and private right of action possible
Brazil
Draft privacy legislation pending in Congress
Public consultation on a draft bill started in April 2011; Ministry of Justice will now revise and present the draft bill to Congress
Current bill requires: express consent to process all personal information; express consent to disclose personal information to third parties with no exceptions; express consent, or another exception, to transfer personal information to inadequate countries; provision of unfettered rights of access to personal information
Sensitive information, such as health information, is protected under the Constitution; consumer data is protected under the Consumer Defense Code
For consumer data, there are notice, access, and correction obligations as well as consent requirement in order to transfer data
Chile
First country in Latin America to enact data privacy law
Notice and consent required
Written consent required to disclose sensitive information
No database registration
Access and correction rights
Must keep personal information secret and confidential
No cross-border restrictions, but confidentiality agreements must be in place to transfer nonpublic personal information to third parties
New legislation introduced in 2008 but no action has been taken by the legislature
Colombia
Habeas data law enacted in 2008 gives individuals the constitutional right to know, update, and correct information about them contained in databases
Controversy regarding the scope of 2008 Law about whether it applies only to financial data or more broadly regulates the collection, use, storage and transfer of financial, credit, services and commercial data
Comprehensive new data privacy law approved by Congress in late 2010; Constitutional Court upheld majority of the law’s provisions
The law, which must be signed by the President before it enters into force, requires an individual’s specific consent to collect, use, store, and/or transfer personal data
Timetable for enactment unknown
Mexico
Data privacy law approved by Congress in April 2010 and entered into force July 5, 2010
Regulations Issued in September 2011
Notices must be provided at the time of collection
Access and Correction Rights
A data privacy person or office must be designated to process requests from individuals who wish to exercise their rights under the law
Consent
Implied (opt-out) consent sufficient in most instances
Written express consent required to process financial or asset data and sensitive personal information
Mexico (cont’d)
Individuals must be notified immediately in the event of a security breach that significantly affects their "equity or legal rights"
Organizations must have contracts in place with third parties that require the third parties to treat the data in accordance with the privacy notice provided to the individual and assume the same obligations as the organization that is transferring the data
Data Transfers
Domestic or international transfers of data without consent to affiliated entities that operate under the same internal processes and policies
Other exceptions such as contractual necessity
No Registration
Possible penalties include large fines and jail time
Peru
Omnibus data privacy law enacted July 5, 2011
Regulates the collection, use and disclosure of personal information by private sector organizations
Establishes a Data Protection Authority that will report to the Ministry of Justice
Requirements include:
Express consent needed in many instances to collect, use and disclose personal information
Database registration
Data may not be transferred to third countries that do not provide an adequate level of protection
Grants DPA the power to impose sanctions on organizations that violate the law
Peru (cont’d)
Only the Title II provisions establishing the data protection principles and creating the DPA and the multi-sectoral commission responsible for developing the implementing regulations are now in effect
Other provisions to become effective 30 days after the implementing regulations are published
Timetable for issuance of regulations unknown
Uruguay
EU-style data protection law enacted in August 2008 (Implementing Decree in August 2009)
Prior notice and opt-in consent are required to process personal data unless an exception applies
Access must be provided and individuals may request rectification, updating, inclusion, or deletion of personal data
Database registration required
Obligation to report security violations that significantly affect the interests of the individuals concerned; however, unclear to whom notice must be given
Cross-border transfers of personal data to countries not deemed “adequate” are prohibited without opt-in consent, unless an exception applies
Administrative penalties and a private right of action
Forest/Trees
Focus on core substantive obligations: Notice, Choice, Security, Service Providers
Look for commonalities
Stay involved – changes weekly
Evaluate Risky Areas
Collection of information over the Internet and email
Access to sensitive files by employees and independent contractors
Access to credit card information
Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives
Data to be transmitted to any third party
Storage and disposal of paper records
Data center moves/consolidations
Transfer and use by service provider/outsourcing
How Must Information Be Protected?
Technical
Firewalls, anti-virus, and anti-spyware protections
Periodic changing of (non-default) IDs and passwords
Access controls (important when someone leaves the company)
Encryption
Limit access to that which is necessary to perform duties
Basic rules for employees
Do not email sensitive or special PI
Do not access more than that which is needed
Create and use secure documents
Use passwords
How Must Information Be Protected? (cont’d)
Physical
Lock file cabinets
Shred appropriately (do not put PI in the garbage)
Check litigation/document holds before disposing of any documents
Control movement of personnel into, through, and out of offices
Enforce procedures for card keys and other access controls
Monitor employees with access to customer and Human Resources data
How Must Information Be Protected? (cont’d)
Administrative
Technology use policy
Blogging and social networking, peer-to-peer file sharing programs, remote access, use of laptops
Security breach notification procedure
How is unauthorized access or acquisition reported?
Who is on the immediate response team?
Confidentiality policy
Does it cover confidential information and Personal Information?
Training
Audit
Specific Controls
Background checks
Non-Disclosure Agreements
Video cameras on site
Physical segregation of customer data
Firewalls/virus controls
Servers locked to shelves
Separate and locked server room
Encryption of laptops
Limitations on remote access
USB/Memory Sticks
Cell phones/iPods in service centers
Employee Training and Awareness
All employees with access to PI should be trained in data security policy and procedures and refresher training should be provided as necessary
Important to have follow-up to assess employees’ awareness
Consider Non-Disclosure Agreements (NDAs) with employees
Employees should be advised that violations of data protection policy will result in disciplinary action
Think creatively about training
Questions?
Ann Bevitt, [email protected]
Karin Retzer, [email protected]
Miriam Wugmeister, New [email protected]
Mofoprivacy.com