2014 Luxury & Fashion Industry Conference for Multinationals

Transcription

1 2014 Luxury & Fashion Industry Conference for Multinationals Privacy, Data Protection, and the Impact of Social Media and Online Behavioral Advertising on the Industry Anna Gamvros, Hong Kong Francesca Gaudino, Milan Matthias Scholz, Frankfurt Harry A. Valetk, New York

2 Slippery Scope of Data Privacy Laws

3 Scope of Data Privacy Laws Regulate the collection, use, storage, disclosure, and other processing of personally identifiable information or PII Name and other identifiers, and any other data that can be linked with the identified or identifiable person Employees, consumers, contractors, corporate customer contacts, supplier contacts, website visitors, business partner contacts, end users, and other individuals Two approaches to regulation globally: United States: Sector-specific (e.g., GLB, PCI, COPPA) and data-specific (consumer reports, SSNs, financial account numbers, PCI) European Union: Omnibus privacy laws applicable to all PII, regardless of sector, category of individual, or type of PII; EU tends to lead the rest of the non-us world 3

4 What data privacy laws apply outside the US? Comprehensive Data Protection Laws Europe, Asia, LatAm Insurance-sector data laws Financial Services Authorities EU Cookie Compliance Laws 2009 EU Directive requires website operators to give users an opt-in for cookies Foreign Account Tax Compliance Act Free Trade Agreements Cyber Security concerns 4

5 Asia Pacific Overview Taiwan: Personal Data Protection Act effective Oct 2012 Thailand: Draft law sent to Parliament in 2012 Malaysia: Personal Data Protection Act effective Nov 2013 South Korea: Personal Information Protection Act (in force Mar 2012) Japan: Act on Protection of Personal Information (under review) China: Regulating Orders of NPC Decision on Strengthening the Protection of Network Information (Dec 2012) Provisions on Protection of Personal Information of Telecommunications (effective Sep 2013) Hong Kong: Personal Data (Privacy) Ordinance (amendments effective Apr 2013) Singapore: Personal Data Protection Act effective Jul 2014 Vietnam: Provisions spread across the Civil Code, the IT Law, the Penal Code and the Telecommunications Law. Important decrees in Philippines: Data Privacy Act effective Sep 2012 Australia: Privacy Act (Amendments effective Mar 2014) 5

6 Asia Pacific A Comparison Australia China Hong Kong Indonesia Japan Malaysia Philippines Singapore Taiwan Thailand Vietnam Distinguishes between data collection and data processing Registration/notification requirements (certain industries) (certain industries) International data transfer specifically regulated ^ Mandatory breach notification (certain industries) (certain industries) Criminal sanctions (certain industries) (certain industries) Privacy Officer required (public institutions ) Exemptions for employee data (certain cases) Workplace surveillance laws ^ Provision has been enacted but is not yet in force 6

7 Behavioral Advertising & Social Media

8 Customer Data as a Gold Mine Customer centric approach of marketing strategies Data mining, KDD, profiling: you need to know your customer Sources of information: in store, the Internet: Social media, blogs, forums, Internet sites, apps and other media Bi-directional conversation with customers to recreate same experience offline and online 8

9 Web 3.0 tools: Handle with care Cookies and the like Geo-localization, location based tracking Behavioural advertising the filter bubble In-store mapping Instant messaging and other communication tools Social media 9

10 Privacy Limitations Transparency is the privacy mantra Give clear and complete information, easily available Provide a contact point and be prepared for costumers enforcing at any time their privacy rights You need consent Informed, freely given, specific. Keep evidence of consent Set a timeline for data retention Crm database cannot last forever 10

11 Keep Your Privacy House in Order Why? Fines and block of databanks Reputational damages and customer trust Loss of business opportunities How? Internal due diligence - online/offline Privacy notices and consent management Data retention Mapping of trans-border data flows Keep a holistic approach 11

12 Key Business Risks

13 Enterprise Resource Planning (ERP) Systems Global centralization and control: Financials Human resources management Supply chain Distribution Customer relationship management Global PII data flows about: Employees, consumers, corporate customers, distributors, suppliers, end users, and others 13

14 Mergers & Acquisitions Due diligence: privacy may affect value of target company, depending on whether patient, customer, employee, or other user data is critical to value proposition for purchaser Conduct of transaction: exchange of information may be subject to regulation. Post-acquisition integration: IT transformation, consolidated service centers, more data flow 14

15 Inside Breach Incident Response Crisis management Time compression Statutory duties: compliance risks Public relations: reputational risks Potential liability for delay: litigation risks Identification of facts Scope creep Issue resolution Law enforcement reporting Mandatory notifications Consideration of related laws or other legal obligations Strategic decision-making 15

16 Cost of a Data Security Breach Average cost of data security breach: $201/per compromised customer record. Average cost per breach: $5.9 million. Root cause of data breach 44% - Malicious or criminal attack. 31% - Negligent employees. 25% - System glitch. Source: Ponemon Institute, 2014 Cost of a Data Breach Study: United States 16

17 2014 Luxury & Fashion Industry Conference for Multinationals 4 September 2014 The Harvard Club, New York, NY Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a partner means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an office means an office of any such law firm. All rights reserved.