Technology and data privacy Global perspectives

Transcription

1 Technology and data privacy Global perspectives Anna Gamvros, Partner, Hong Kong Barbara Li, Partner, Beijing Ryan Berger, Partner, Vancouver 13 September 2018

2 Agenda Asia privacy developments HK and China updates Impact of GDPR on client in Asia and the US Takeaway and tips 2

3 Asia privacy developments

4 APAC privacy overview India: Draft Personal Data Protection Bill issued in July Currently provisions spread across the IT Act 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 and the IT (Intermediaries Guidelines) Rules Thailand: Revised draft of the Personal Data Protection Bill approved by Thai Cabinet in 2 May Cybersecurity Bill published for public consultation in March Vietnam: No comprehensive data protection law - provisions spread across Civil Code, the IT Law, the Penal Code, the Telecommunications Law. Cyber Security Law passed in June 2018 and in full effect on 1 January South Korea: Personal Information Protection Act 2011 (amendments came into force Sept 2016) Japan: Act on Protection of Personal Information 2013 (amendments came into force in May 30, 2017) China: No comprehensive data protection law provisions spread across Cybersecurity Law 2016, Personal Information Security Specification 2017 (effective May 1, 2018), Amendment IX to Criminal Law 2015 and related judicial interpretations of the Supreme Court, Amended PRC Consumer Law 2013, NPC Decision on Strengthening the Protection of Network Information Hong Kong: Personal Data (Privacy) Ordinance (under review) Malaysia: Personal Data Protection Act 2013 (Personal Data Protection Standards came into force on December 23, 2015 ) Singapore: Personal Data Protection Act 2012 (came into full force in July 2, 2014). Most of the Cybersecurity Act provisions have come into force as of August Indonesia: Draft Data Protection Bill revised in July Currently provisions spread across Electronic Information and Transaction Law 2008 and Government Regulation on the Implementation of Electronic Systems and Transactions. Taiwan: Personal Data Protection Act 2010 (amendments came into force March 2016) The Philippines: Data Privacy Act 2012 (Implementing Rules and Regulations effective September 9, 2016) Australia: Privacy Act 1988 (amendments in full effect on March 2014). Notifiable Data Breaches scheme effective Feb

5 APAC privacy laws Comprehensive data protection law in force Australia China Hong Kong India Indonesia Japan Malaysia Philippines Singapore South Korea Taiwan Thailand Vietnam Draft law proposed Regulations/ Guidelines 5

6 APAC comparison Australia China Hong Kong India Indonesia Japan Malaysia Philippines Singapore South Korea Taiwan Thailand Vietnam Distinguishes between data collection and data processing Registration/ notification with data authority (certain industries) International data transfer specifically regulated (certain industries) ^ (certain industries) Mandatory breach notification (certain industries) (certain industries) Criminal sanctions Privacy Officer required (certain industries) (certain industries) Exemptions for employee data CBPR participation ^ Provisions enacted but not yet in force Planning to or considering joining 6

7 APAC Mandatory breach notification Hong Kong China Taiwan Singapore Malaysia Australia Japan South Korea Philippines Mandatory Breach Notification Requirement to notify data subjects Requirement to notify authorities Sector-specific rules 7

8 Cybersecurity Tighter regulation Hong Kong SFC and HKMA issued various cybersecurity circular and initiatives in 2016 SFC issued Consultation Paper to reduce hacking risks associated with internet trading in May 2017 and issued new guideline on the same in Oct 2017 Thailand Cyber Security Bill published for consultation in March 2018 China Cybersecurity Law, effective 1 June 2017 Draft regulations/consultations on security requirements and assessments re: cross border transfer and CII etc. Singapore Most of the Cybersecurity Act provisions have come into force as of August 2018 Malaysia Draft Cybersecurity Bill announced in 2017 The Philippines The National Cybersecurity Plan 2022 was unveiled in May 2017 Indonesia Establishment of National Cyber Agency during 2017 Vietnam Cybersecurity Law passed in June 2018 (and will be in full effect on1 January 2019) 8

9 HK and China updates

10 Hong Kong

11 Hong Kong regulatory requirements Data protection Hong Kong regulatory requirements SFC regulations HKMA regulations 11

12 Regulator focus GDPR - Comparative study on GDPR & PDPO - Potential changes to PDPO - Publication to assist local companies to understand GDPR Cross border data transfer - Section 33 of PDPO - PCPD and the Government are working together to understand the business impact of implementing s33 - Consultation with trades and businesses - Studies of other jurisdictions Tracking and monitoring - PCPD recognized the powerful capability of data collection in this big data era - Issued Physical Tracking and Monitoring Through Electronic Devices information leaflet Data breach notification - Increase no. of cybersecurity incidents - 20% surge of data breach notifications - PCPD encourages privacy management programme 12

13 China

14 China cybersecurity law Law making background Part of a series of new regulations and policies for cyberspace sovereignty Three rounds of reading First reading June 2015 Second reading June 2016 Third reading November 2016 Issued on 7 November 2016 Became effective from 1 June 2017 Multiple regulations and guidelines issued already and more to come 14

15 Snapshot of the CSL What is the CSL Cybersecurity and data privacy in China, with potential extra-territorial effect Who will be regulated Network operators - network owners, network administrators and network service providers Who are the regulators CAC, MIIT, Police, industry regulators 15

16 Key legal requirements under the CSL Network Operators Cybersecurity measures taken to protect against cyber crimes Technical support to the authorities for national security and crime investigation Data protection requirements for collection, processing and use of personal data Emergency actions in case of network security incidents 16

17 Enhanced requirements for CII network operators Vague concept and application scope of Critical Information Infrastructure (CII) Data localisation restriction and security assessment for crossborder data transfer Personal data Important data what is this? How to conduct the security assessment? IT products and services provided to CII subject to security certification * other key industries or sectors, which can seriously harm national security or public interest, if destroyed or tampered with or if data is leaked 17

18 Enforcement Enforcers are increasingly active CSL enforcement inspections and campaigns Review privacy policies and penalise non-compliance Data localisation review Use of VPNs 18

19 Implications for international business Wide application and far reaching effect Increased compliance cost and requirements Restriction on cross-border data flow Serious consequences 19

20 What s next Risk analysis and benchmarking Review of data practice and documentation Close watch on regulatory movements Keep close watch on regulatory movements especially new implementing regulations and guidelines Conduct risk analysis for compliance Consider strategy 20

21 APEC Privacy initiatives

22 Asia-Pacific Economic Cooperation A regional economic forum established in member countries Australia Brunei Canada Chile China Hong Kong Indonesia Japan South Korea Malaysia Mexico New Zealand Papua New Guinea Peru The Philippines Russia Singapore Taipei Thailand US Vietnam Operation through committees, sub-committees, expert groups, working groups and task forces Electronic Commerce Steering Group - Data Privacy Subgroup 22

23 APEC Privacy initiatives Privacy initiatives APEC Cross-Border Privacy Enforcement Arrangement APEC Cross Border Privacy Rules (CBPR) system - currently Japan, Singapore, South Korea, Mexico, Canada and the United States Common Referential for the Structure of the EU System of Binding Corporate Rules and APEC CBPR System Privacy Recognition for Processors System Latest developments Singapore joined CBPR on 6 March 2018 Australia announced it will move forward its application to participate in CBPR in November 2017 Philippines and Taiwan have expressed intention to join Japan Personal Information Protection Act Reform (May 2017) - accreditation under APEC s CBPR system is now one of the exceptions to cross border data transfer Japan Institute for Promotion of Digital Economy and Community recently appointed as the Accountability Agent a third party verifier who assess the compliance of companies under the APEC CBPR system (2016) 23

24 Impact of GDPR on clients in Asia and the US

25 GDPR impact on clients in Asia Clients in Asia are analysing their European connections for confirmation as to whether or not they fall within scope of GDPR Remediation projects underway focusing on fair processing notices and data transfer Concern about processor requirements and contracting Clients are requesting assistance to update their Asia template agreements (NDA, MSA, service provider agreements etc.) to ensure compliance with GDPR requirements 25

26 Comparison Asia data protection laws vs Canadian privacy laws vs EU GDPR

27 GDPR impact on Canadian clients Canadian businesses are analysing their European exposure to determine whether or not they fall within scope of GDPR Remediation projects underway focusing on fair processing notices (cookies) and data transfer Concern about processor requirements and contracting Clients are requesting assistance to update their terms of service, privacy policies etc. to ensure compliance with GDPR requirements Data processing agreements are being requested 27

28 Comparing / contrasting Canada and GDPR Yay, Canada! We are adequate Similar individual rights: - Access (portable?) - Correction - Erasure / de-listing Consent and reasonableness requirements Mandatory breach reporting No controller / processor distinction Registration and reporting to DPA Special categories No significant regulatory penalties 28

29 Evolution and best practices More attention being given to vendor / 3 rd party agreements More detailed privacy and security obligations attention to GDPR requirements Risk allocation incl. GDPR fines and penalties Breach reporting processes and requirements Increased public awareness of rights and duties More access requests by consumers and employees Awareness of the strategic value in disputes / pre-litigation More access for individuals through tools providing self-management of information 29

30 Takeaway and tips How to handle projects in Asia and globally given the differences of laws worldwide?

31

32 Disclaimer Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to Norton Rose Fulbright, the law firm and legal practice are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together Norton Rose Fulbright entity/entities ). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a partner ) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. 32