Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2012 Morrison & Foerster LLP | All Rights Reserved | mofo.com Data Protection Masterclass VI: Global Privacy May 24, 2012 Ann Bevitt Karin Retzer Miriam.

Published byVirginia Berry Modified over 9 years ago

Similar presentations

Presentation on theme: "©2012 Morrison & Foerster LLP | All Rights Reserved | mofo.com Data Protection Masterclass VI: Global Privacy May 24, 2012 Ann Bevitt Karin Retzer Miriam."— Presentation transcript:

1 ©2012 Morrison & Foerster LLP | All Rights Reserved | mofo.com Data Protection Masterclass VI: Global Privacy May 24, 2012 Ann Bevitt Karin Retzer Miriam Wugmeister

2 2 This is MoFo. 2 Data Protection Laws in Europe  30 Member States of the European Economic Area  Azerbaijan  Belarus  Bosnia & Herzegovina  Channel Islands  Croatia  Isle of Man  Russia  Serbia  Switzerland  Ukraine

3 3 This is MoFo. 3 And elsewhere …  North America  Canada  Mexico  United States  Central & South America  Argentina  Brazil (Pending)  Chile  Colombia  Costa Rica  Ecuador (Pending)  Paraguay (Limited)  Peru  Uruguay  Middle East  Israel  UAE (DIFC)  Qatar (Financial Center only)  Africa  Angola  Morocco  South Africa (Pending)  Tunisia  Asia-Pacific Rim  Australia  China (Limited)  Hong Kong  India  Japan  Macao  Malaysia  New Zealand  Philippines (Pending)  Singapore (Pending)  South Korea  Taiwan  Thailand (Pending)  Vietnam (Limited)

4 4 This is MoFo. 4 Common Elements in Privacy Laws  Notice  Choice  Access  Security  Audit and Enforcement  Agreements with Third Parties  Cross-border transfers

5 5 This is MoFo. 5 Australia  Omnibus law regulates the collection, use, and disclosure of personal data by the private sector  An organization may transfer personal data to a recipient in a foreign country only if it is subject to a “substantially similar” privacy regime. Organizations must determine for themselves what constitutes “substantially similar” Administrative penalties and private right of action possible No limits on damages

6 6 This is MoFo. 6 Australia (cont’d)  Law amendments under review by Parliament  Amendments would create a unified set of Privacy Principles to cover both the private and public sectors  Second stage of amendments to clarify or remove certain exemptions such as the employee records exemption, require breach notification, establish a private right of action, and harmonize national, state and provincial privacy laws

7 7 This is MoFo. 7 China  No constitutional right to privacy  Criminal law amended in 2009 to make sale or other unauthorized disclosure of certain personal data a criminal offense  Tort liability law, effective July 1, 2010, recognizes independent right of privacy; private rights of action for civil damages possible  Anti-spam regulations issued in March 2006  Privacy legislation possible – either a separate statutory protection for the right to privacy or statutory extension of the right to personal dignity under the Constitution

8 8 This is MoFo. 8 China (cont’d)  Internet Regulations issued in December 2011, governing the collection, storage and use of personal information by Internet companies  Internet Information Service Providers must provide notice and obtain users’ prior consent when collecting personal information or providing it to others  Limitations on use and general security requirements  Breach of the requirements subject to sanctions that include rectification orders, warnings and penalties ranging from RMB10,000 to RMB30,000

9 9 This is MoFo. 9 Hong Kong  Omnibus law — Personal Data (Privacy) Ordinance  Notice, use and disclosure regulated  No database registration required  Cross-border transfer restriction is not operative and no implementation date has been set  Statutory penalties and private rights of action possible  Anti-Spam Law enacted in 2007  Voluntary Security and Data Breach Guidelines issued  The Personal Data (Privacy) Amendment Bill introduced into Hong Kong’s Legislative Council in July 2011; expectation that will be enacted before the end of 2012  New rules in areas such as direct marketing, data security, data breach notification, and data transfers possible

10 10 This is MoFo. 10 Japan  Omnibus law — Law Concerning the Protection of Personal Information (“PIPL”)  Framework legislation, implemented by Ministry Regulations (34 guidelines issued by 12 ministries)  No cross-border limitation — based on accountability  Opt-in consent for transfer of personal information to third parties  “Third parties” include subsidiaries, affiliates, group companies, franchisees, foreign companies, and joint marketing partners  Criminal sanctions and administrative penalties for violations

11 11 This is MoFo. 11 Japan (cont’d)  Implied consent not necessary if  Transfer is to a “Delegatee” (service provider)  Transfer compliant with specific notice and opt-out requirements and when used for direct marketing purposes  Transfer is pursuant to M&A transaction or  Other exceptions — if transfer is pursuant to a law or ordinance; if necessary to protect life, person or property and consent is difficult to obtain; if necessary to improve public safety or protect children and consent is difficult to obtain; or if cooperation is required by government agencies

12 12 This is MoFo. 12 Korea  Consent  “Separate” consent is required for each stage of handling of personal data:  collection and use  transfer to a third party  (handling of) particular identification data  (handling of) sensitive data  Lots of details required — i.e. list up the names of all third-party recipients  Trans-border transfer: (1) consent from the data subject is required, and/or (2) transfer contract in line with Korean law

13 13 This is MoFo. 13 Korea (cont’d)  Notice (separate from the notification for informed consent):  Items of personal data to be handled  Purposes of use of personal data  Retention and use periods  Information on transfer of personal data to a third party, outsourcing and destruction of personal data  Rights of data subjects  Protective measures for data security

14 14 This is MoFo. 14 Korea (cont’d)  Security – technical, administrative and physical  Supervisory authority (MOPAS) has specified details:  establishment and implementation of internal management plan  keeping access records,  prevention of falsification of such records, access control,  password control,  installation and operation of an access control system anti-virus programs,  encryption of devices,

15 15 This is MoFo. 15 Korea (cont’d)  Data Breach Notification/Report  Notification to affected data subjects, to specify  Items of personal data breached  Date/time of data breach  Measures to take to minimize possible damages  Available remedies  Report to the authority: upon a leak involving 10,000 or more data subjects

16 16 This is MoFo. 16 Korea (cont’d)  Liability/Penalties  Violation: may entail criminal punishment (e.g., imprisonment of up to 5 years and USD 50K), administrative sanctions, civil liability.  Companies subject to hacking — are sanctioned — criminal / administrative / civil liabilities.

17 17 This is MoFo. 17 Malaysia  Personal Data Protection Bill 2009 given Royal Assent and published in June 2010; however, date of entry into force still to be determined  Personal Data Protection Commission expected to be set up in 2012; implementing regulations need to be issued  Notice, use and disclosure regulated  Classes of data users that must register their databases to be determined  Cross-border transfer restrictions  Fines and imprisonment possible  Directors equally liable for offenses committed by the organization  Once Act becomes effective, organizations have three months to come into compliance

18 18 This is MoFo. 18 New Zealand  Privacy Act 1993 applies to private and public sectors  Notice, use and disclosure regulated  No database registration required  Government currently conducting full scale law review  Enacted the Privacy (Cross-border Information) Amendment Act in 2010, empowering the Privacy Commissioner to prohibit the onward transfer of personal information received from overseas  In April 2011, EU’s Article 29 Working Party adopted an adequacy opinion

19 19 This is MoFo. 19 Philippines  Constitutional right to privacy  EU-style draft legislation has been approved by both the House and the Senate  Senate version of the bill (SB 2965) will need to be reconciled by bicameral conference committee with HB 4115 and then sent to President Benigno Aquino to consider and sign  Draft legislation would create a national Privacy Commission to enforce regulations, receive complaints, institute investigations, issue injunctions and recommend penalties to department of Justice

20 20 This is MoFo. 20 Singapore  No data protection law is in place  Voluntary Model Data Protection Code sets out 11 data protection principles for adoption by the private sector  Processing of employment data and data for personal, journalistic and scientific research use are exempt from the Code  Continued reliance on self-regulatory regime will depend on whether companies adopt the voluntary guidelines  Ministry of Information, Communications and the Arts issued detailed proposals for a draft Personal Data Protection Bill; public comment period ended April 30, 2012  Government plans to introduce the bill in Parliament by the third quarter of 2012  Anti-Spam Law enacted in 2007

21 21 This is MoFo. 21 Taiwan  Computer Processed Personal Data Protection Act  Covers limited private entities — financial, securities, insurance, mass media, and telecommunications companies  Database registration and opt-in consent required Amendment approved by Parliament in April 2010 eliminated the registration requirement and will extend coverage to all sectors, public and private, once fully implemented  Criminal, civil, and administrative penalties for violations; private right of action  However, new government took office in February 2012 and delayed implementation

22 22 This is MoFo. 22 Taiwan (cont’d)  Concern about the draft implementing regulations issued in October 2011 Government to consult with businesses and the financial sector and research cross border-related issues Any revisions to the underlying law would be sent to Parliament for approval  Unclear if Cabinet would be able to finalize a proposal and get it to lawmakers before the end of the legislative session in late June 2012

23 23 This is MoFo. 23 Argentina  Very similar to Spain  The scope of the law is relatively narrow — Applies to databases that are shared  Requires notice and opt-in consent to process personal information or to share information with affiliated companies  Prohibits transborder transfers to countries without “adequate” data protection  Protective contracts or consent of individual is required if no adequacy finding Argentina has not issued any adequacy findings, so organizations must rely on protective contracts or the consent of individual  Criminal sanctions, administrative penalties, and private right of action possible

24 24 This is MoFo. 24 Brazil  Draft privacy legislation pending in Congress  Public consultation on a draft bill started in April 2011; Ministry of Justice will now revise and present draft bill to Congress  Current bill requires: express consent to process all personal information; express consent to disclose personal information to third parties with no exceptions; express consent, or another exception, to transfer personal information to inadequate countries; provision of unfettered rights of access to personal information  Sensitive information, such as health information, is protected under the Constitution; consumer data is protected under the Consumer Defense Code  For consumer data, there are notice, access, and correction obligations as well as consent requirement in order to transfer data

25 25 This is MoFo. 25 Chile  First country in Latin America to enact data privacy law  Notice and consent required  Written consent required to disclose sensitive information  No database registration  Access and correction rights  Must keep personal information secret and confidential  No cross border restrictions but confidentiality agreements must be in place to transfer nonpublic personal information to third parties  New legislation introduced in 2008 but no action has been taken by the legislature

26 26 This is MoFo. 26 Colombia  Habeas data law enacted in 2008 gives individuals the constitutional right to know, update, and correct information about them contained in databases  Controversy regarding the scope of 2008 Law about whether it applies only to financial data or more broadly regulates the collection, use, storage and transfer of financial, credit, services and commercial data  Comprehensive new data privacy law approved by Congress in late 2010; Constitutional Court upheld majority of the law’s provisions  The law, which must be signed by the President before it enters into force, requires an individual’s specific consent to collect, use, store, and/or transfer personal data  Timetable for enactment unknown

27 27 This is MoFo. 27 Mexico  Data privacy law approved by Congress in April 2010 and entered into force July 5, 2010  Regulations Issued in September 2011  Notices must be provided at the time of collection  Access and Correction Rights  A data privacy person or office must be designated to process requests from individuals who wish to exercise their rights under the law  Consent  Implied (opt-out) sufficient in most instances  Written express consent to process financial or asset data and sensitive personal information

28 28 This is MoFo. 28 Mexico (cont’d)  Individuals must be notified immediately in the event of a security breach that significantly affects their "equity or legal rights"  Organizations must have contracts in place with third parties that require the third parties to treat the data in accordance with the privacy notice provided to the individual and assume the same obligations as the organization that is transferring the data  Data Transfers  Domestic or international transfers of data without consent to affiliated entities that operate under the same internal processes and policies  Other exceptions such as contractual necessity  No Registration  Possible penalties include large fines and jail time

29 29 This is MoFo. 29 Peru  Omnibus data privacy law enacted July 5, 2011  Regulates the collection, use and disclosure of personal information by private sector organizations  Establishes a Data Protection Authority that will report to the Ministry of Justice  Requirements include:  Express consent needed in many instances to collect, use and disclose personal information  Database registration  Data may not be transferred to third countries that do not provide an adequate level of protection  Grants DPA the power to impose sanctions on organizations that violate the law

30 30 This is MoFo. 30 Peru (cont’d)  Only Title II provisions establishing the data protection principles and creating the DPA and the multi-sectoral commission responsible for developing the implementing regulations now in effect  Other provisions to become effective 30 days after the implementing regulations are published  Timetable for issuance of regulations unknown

31 31 This is MoFo. 31 Uruguay  EU style data protection law enacted in August 2008 (Implementing Decree in August 2009)  Prior notice and opt-in consent are required to process personal data unless an exception applies  Access must be provided and individuals may request rectification, updating, inclusion, or deletion of personal data  Database registration required  Obligation to report security violations that significantly affect the interests of the individuals concerned; however, unclear to whom notice must be given  Cross-border transfers of personal data to countries not deemed “adequate” are prohibited without opt-in consent, unless an exception applies  Administrative penalties and a private right of action

32 32 This is MoFo. 32 Forest/Trees  Focus on core substantive obligations  Notice  Choice  Security  Service Providers  Look for commonalities  Stay involved – changes weekly

33 33 This is MoFo. 33 Evaluate Risky Areas  Collection of information over the Internet and email  Access to sensitive files by employees and independent contractors  Access to credit card information  Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives  Data to be transmitted to any third party  Storage and disposal of paper records  Data center moves/consolidations  Transfer and use by service provider/outsourcing

34 34 This is MoFo. 34 How Must Information Be Protected?  Technical  Firewalls, anti-virus, and anti-spyware protections  Periodic changing of (non-default) IDs and passwords  Access controls (important when someone leaves the company)  Encryption  Limit access to that which is necessary to perform duties  Basic rules for employees  Do not email sensitive or special PI  Do not access more than that which is needed  Create and use secure documents  Use passwords

35 35 This is MoFo. 35 How Must Information Be Protected? (cont’d)  Physical  Lock file cabinets  Shred appropriately (do not put PI in the garbage)  Check litigation/document holds before disposing of any documents  Control movement of personnel into, through, and out of offices  Enforce procedures for card keys and other access controls  Monitor employees with access to customer and Human Resources data

36 36 This is MoFo. 36 How Must Information Be Protected? (cont’d)  Administrative  Technology use policy  Blogging and social networking, peer to peer file sharing programs, remote access, use of laptops  Security breach notification procedure  How is unauthorized access or acquisition reported?  Who is on the immediate response team?  Confidentiality policy  Does it cover confidential information and Personal Information?  Training  Audit

37 37 This is MoFo. 37 Specific Controls  Background checks  Non-Disclosure Agreements  Video cameras on site  Physical segregation of customer data  Fire walls/virus controls  Servers locked to shelves  Separate and locked server room  Encryption of laptops  Limitations on remote access  USB/Memory Sticks  Cell phones/iPods in service centers

38 38 This is MoFo. 38 Employee Training and Awareness  All employees with access to PI should be trained in data security policy and procedures and refresher training should be provided as necessary  Important to have follow-up to assess employees’ awareness  Consider Non-Disclosure Agreements (NDAs) with employees  Employees should be advised that violations of data protection policy will result in disciplinary action  Think creatively about training

39 39 This is MoFo. 39 Questions?  Ann Bevitt, London abevitt@mofo.com  Karin Retzer, Brussels kretzer@mofo.com  Miriam Wugmeister, New York mwugmeister@mofo.com  Mofoprivacy.com

Download ppt "©2012 Morrison & Foerster LLP | All Rights Reserved | mofo.com Data Protection Masterclass VI: Global Privacy May 24, 2012 Ann Bevitt Karin Retzer Miriam."

Similar presentations

The Latest Developments in Ukraines Intellectual Property Laws and Data Protection.

The Latest Developments in Ukraines Intellectual Property Laws and Data Protection.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
AN OVERVIEW OF DATA PROTECTION LAW IN THE GCC NICK OCONNELL, Senior Associate – TMT JUNE 2013.

AN OVERVIEW OF DATA PROTECTION LAW IN THE GCC NICK OCONNELL, Senior Associate – TMT JUNE 2013.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Confidentiality and HIPAA

Confidentiality and HIPAA
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
© 2005 Morrison & Foerster LLP All Rights Reserved Data Security and Incident Notification: The Impact of Foreign Law Presented April 26, 2006 to EDUCAUSE.

© 2005 Morrison & Foerster LLP All Rights Reserved Data Security and Incident Notification: The Impact of Foreign Law Presented April 26, 2006 to EDUCAUSE.
Complying with Privacy to Enable Innovation & Research

Complying with Privacy to Enable Innovation & Research
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.

Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;

What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;
INTERNET and CODE OF CONDUCT

INTERNET and CODE OF CONDUCT
Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.

Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.
Per Anders Eriksson

Per Anders Eriksson

Similar presentations

Ads by Google