Global Privacy and Data Protection Risk:

Transcription

1 Global Privacy and Data Protection Risk: Implementing Best Practices Now to Comply with Impending Regulatory Changes 15 September 2014 Robert Bond, CCEP Partner and Notary Public Kristy Grant-Hart, CCEP-I Chief Compliance Officer, United International Pictures Robert Bond A Solicitor, Notary Public and Certified Compliance & Ethics Professional, Robert has specialised in data privacy since 1983 and is listed in the top 20 Best Privacy Advisers in a survey published in Computer World. In 2012 Robert was appointed an Ambassador for Privacy by Design by Commissioner Ann Cavoukian of Ontario. He continues to impress year on year. His spark of imagination and ability to grasp the technology are amazing. Chambers Directory 2014 He has advised many multinationals on transborder data flows and global data privacy compliance, co-authored the ICC BCR Report in 2006, the ICC Guidelines on Basel II and data privacy in 2007 and the ICC UK Cookies Guide in Robert is the author of many books, including Negotiating International Software Licenses and Data Transfer Agreements (Sweet & Maxwell) and Negotiating Software Contracts (Bloomsbury). Robert is a Companion of the British Computer Society, a Fellow of the Society of Advanced Legal Study, an Honorary Member of the Institute of Export and in 1994 was a researcher in Information Security and data privacy at the University of Leicester. Robert is listed in Legal Experts 2013 and The Who s Who of International Internet & E-Commerce Lawyers. Robert is listed as Notable Practitioner for data privacy in Chambers UK 2014 to 2010 describing him as an esteemed figure in the field. He has an impressive reputation for his work on cross-border data compliance and cutting-edge IT data privacy issues within the digital, online and social media spheres. Sources say: "He is up for anything and incredibly knowledgeable," report clients. "Everyone gravitates towards him. A very good communicator and very generous with his time. 2 1

2 Kristy Grant-Hart Kristy Grant-Hart is an expert in creating and implementing effective international compliance programs for multi-national companies. She currently serves as the Chief Compliance Officer for United International Pictures, the joint distribution company for Paramount Pictures and Universal Pictures, based in London. Mrs. Grant-Hart began her legal career at the international law firm of Gibson, Dunn & Crutcher, where she worked in the firm s Los Angeles and London offices. While at Gibson Dunn, her team was nominated for Best Regulatory Law Firm of the Year at Thompson Reuter s Compliance Awards. Mrs. Grant-Hart is an experienced international conference speaker, and has published articles in magazines and trade publications in the United States and Europe on anti-bribery topics and on data privacy and data transfer between the United States, the United Kingdom and the European Union. She has advised Fortune 500 companies on international compliance, and created and revamped compliance programs for major companies in Europe and the United States. Mrs. Grant-Hart graduated summa cum laude from Loyola Law School in California. She holds certification as a Corporate Compliance and Ethics Professional International (CCEP-I) and is a member of the California Bar. Sources say: "She is a great colleague with a positive attitude and has always taken ownership of her work ensuring that any issues get resolved effectively. Kristy is an experienced professional, whose level of commitment and enthusiasm sets her apart. 3 TOPICS Hot Topics of the Moment Data Privacy Overviews - USA - Europe - Asia Legal Framework Registration/Notification Requirements Collection and Processing Transfer Security and Breach Notifications Enforcement Direct Marketing Online Privacy and Cookies A look to the future - Stricter rules in the States? - European Data Protection Regulation - Further expansion in the Asia-Pacific region 4 2

3 HOT TOPICS OF THE MOMENT 5 UNITED STATES A DATA PRIVACY OVERVIEW No single law on the issue Sector-specific legislation e.g. HIPAA, COPPA Hundreds of state laws - California alone has more than 25 state privacy and data security laws Pressure on law-makers from internet companies and big business Weak individual protection Security concerns Safe Harbor Federal Trade Commission (FTC) enforcement 6 3

4 EUROPE A DATA PRIVACY OVERVIEW EU Data Protection Directive (Directive 95/46/EC) is designed to protect the privacy and protection of all personal data collected for or about citizens of the EU The Directive encompasses all key elements from Article 8 of the European Convention on Human Rights (rights of privacy in personal and family life, as well as in the home and in personal correspondence) OECD Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data 2013 General Data Protection Regulation aim is uniformity across 28 member states as opposed to the current patchwork quilt of different national laws 7 ASIA A DATA PRIVACY OVERVIEW Recent developments in countries such as: - Malaysia; - Singapore; - China; - Hong Kong; - South Korea; and - The Philippines Laws based upon the fundamental principles of the European Data Protection Directive BUT no 'one-size-fits-all' solution and no United States of Asia! Citizens more rights-aware following spate of hackings and data breaches Asia as a growing business hub - security is paramount! Potentially strict enforcement 8 4

5 LEGAL FRAMEWORK About 20 sectorspecific laws and hundreds of state laws e.g. HIPAA (The Health Insurance Portability and Accountability Act) and COPPA (Children's Online Privacy Protection Act) EU Data Protection Directive transposed into national law in 28 different member states e.g. The UK Data Protection Act 1998, Germany s Federal Data Protection Act 2001 and Italy s Privacy Code 2003 Varying national laws loosely based on the European Directive e.g. Malaysian Personal Data Protection Act 2010 and South Korea's Personal Information Protection Act (PIPA) REGISTRATION/NOTIFICATION REQUIREMENTS No requirement for companies to register No national Data Protection Authority (DPA) Requirements vary but most countries require registration before the processing of personal data Each member state has a DPA, but those DPAs have varying levels of expertise, funding and resources Varies according to country, and in countries such as Malaysia it is dependant on sector DPAs are generally in their very early stages or operate at a regional level (if they exist at all) 10 5

6 COLLECTION AND PROCESSING Vary widely but generally require precollection notice and opt-out for use and disclosure of regulated personal information Opt in rules usually apply where information is considered sensitive e.g. health information, children s information Data controllers need to meet one of several conditions to collect and process personal data such as: - Consent - Legitimate reason - Performance of a contract - Protecting the data controller s vital interests There are stricter rules for processing sensitive personal data (e.g. gaining a data subject s explicit consent) Requirements vary across the Asia-Pacific region but the fundamental principles of the European Data Protection Directive can usually be found in the various national laws e.g. purpose definition and use limitation Countries such as South Korea, Singapore and Malaysia may take a strict view on how personal data is processed 11 TRANSFER No geographic transfer restrictions apply out of the US Within the EEA is permitted. There are conditions to be met to transfer data out of the EEA such as: - Consent - Legitimate reason - Performance of a contract - Protecting the data controller s vital interests Adequate protection is required for transfers outside of the EEA e.g. standard contractual clauses, Safe Harbor, BCRs Different restrictions apply but many reflect the conditions listed in the European Directive APEC Cross Border Privacy Rules 12 6

7 SECURITY AND BREACH NOTIFICATIONS Most businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information HIPAA regulated entities are subject to much more extensive data security requirements Breach notifications are commonplace across the States Data controllers must take appropriate technical and organisational measures These measures are aimed to prevent unauthorised processing, accidental loss or damage to personal data No mandatory breach notifications under the Directive but different obligations across Europe are in force Varying standards expected from detailed provisions in South Korea to more general expectations in Malaysia and Singapore Range from mandatory notifications in South Korea to no notifications in Singapore and Malaysia 13 ENFORCEMENT Violations generally enforced by the FTC, State Attorney General, or the regulator for the industry sector in question Highest penalty - $22.5m against Google Possibility of class action lawsuits Violations enforced by each country s respective DPA. Generally range from $ 000s to $ 000,000s Highest penalty - $4.5m by Portuguese DPA Google recently fined $1.2m by Spain Violations enforced by each country s respective DPA. May be up to $800,000 in Singapore DPAs in relatively early stages so not much fining history But some DPAs even provide for imprisonment for relatively minor offences! 14 7

8 DIRECT MARKETING Regulates marketing communications extensively (including , text, telemarketing and fax) e.g. The CAN-SPAM Act applies labelling and opt-out requirements to all commercial messages Privacy and Electronic Communications Regulations (PECR), the Data Protection Directive and various national laws all regulate this area Enforced by national authorities South Korea has particularly stringent rules on electronic marketing. Singapore also notably has a Do- Not-Call Register which imposes strict rules on obtaining consent to direct marketing Enforced by national authorities 15 ONLINE PRIVACY AND COOKIES No specific federal law regulating use of cookies Californian law does have a right to erasure for children Websites and apps that target children and receive location data must comply with COPPA The EU Cookie Directive should be transposed into national law in all 28 Member States Websites need to provide clear information about the use of cookies and how to accept/refuse them Some countries have additional laws on traffic data and location data South Korea s IT Network Act provides for rules on obtaining consent for use of cookies Other Asian countries laws such as Singapore, the Philippines and Malaysia do not specifically deal with location data/cookie data There are, nonetheless, more general rules on cybercrime 16 8

9 WHAT DOES THE FUTURE HOLD FOR DATA PROTECTION? USA Stricter rules on data collection? Who do you believe? 17 WHAT DOES THE FUTURE HOLD FOR DATA PROTECTION? Europe The proposed EU General Data Protection Regulation Applies to businesses that process EU citizens personal data Introduction of the Data Protection Officer - Mandatory for most businesses Stricter rules for valid consent Data breach notification requirements - Regulators to keep a register of data breaches Right of erasure Significant fines up to 5% of annual global turnover When? - Voted by EU Parliament in March Voted by Council of Ministers in June Passed by May of In force by 2017? 18 9

10 WHAT DOES THE FUTURE HOLD FOR DATA PROTECTION? Asia Malaysia, Singapore, China, Hong Kong, South Korea, Taiwan and The Philippines have all introduced new laws or amended existing data privacy laws in the past four years who will be next? Brunei and Thailand have shown signs of enacting legislation in 2014/

11 OUR ROAD MAP APPROACH TO DATA PRIVACY COMPLIANCE 21 TRAINING One of the technical & organisational measures that organisations must implement to ensure the security of the personal data - Training is mandatory! Great policies are useless without training! Training should be targeted to the specific audience Audit trail - Attendance records - Feedback provided Training programme best way to ensure compliance with current obligation 22 11

12 Questions? 23 12