US-Asian Privacy and Cyber Developments for In-house Counsel

Size: px

Start display at page:

Download "US-Asian Privacy and Cyber Developments for In-house Counsel"

Cornelius Gilmore
5 years ago
Views:

1 US-Asian Privacy and Cyber Developments for In-house Counsel May 11, 2017 Presented By: Khizar Sheikh Mandelbaum Salsburg, Roseland, New Jersey, USA Dominic Wai ONC Lawyers, Hong Kong, Hong Kong J. Paul Zimmerman Christian & Small LLP, Birmingham, Alabama, USA Association of Corporate Counsel 1

Today s Program is Sponsored by The International Society of Primerus Law Firms Primerus is an interna,onal society of the world s finest small to mid-size law firms.

2 Today s Program is Sponsored by The International Society of Primerus Law Firms Primerus is an interna,onal society of the world s finest small to mid-size law firms. Membership in Primerus is by invita,on only, and all Primerus law firms are pre-screened before accepted, and audited annually for their con,nued commitment to providing excellent work product and superior client service at reasonable rates. Currently, there are nearly 3,000 Primerus lawyers in over 180 Primerus firms located in 45+ countries. If you would like to learn more about Primerus, please visit the Primerus website at 2

3 Khizar Sheikh Mandelbaum Salsburg P.C. 3 Becker Farm Road, Suite 105 Roseland, NJ United States ksheikh@lawfirm.ms Tel: Fax: Website: 3

4 Introduction: Many Changes in Asia The newly passed Cybersecurity Law of the People s Republic of China will take effect in June 2017, and it is expected to have a significant impact on multinationals doing business in mainland China. The Attorney General of India disclosed that the government intends to put in place a law to protect data stored and exchanged on digital platforms by August. Also, India will launch the National Cybersecurity Coordination Center in June to monitor and handle cyberattacks in the country. The Sri Lankan cabinet approved the drafting of amendments that would establish a Digital Identity Council, which would oversee the implementation of the national policy on data collection, transfer and storage. The Office of the Privacy Commissioner for Personal Data released the Hong Kong Personal Data (Privacy) Ordinance as an e-book. 4

5 Introduction: Many Changes in Asia (ctn) Singapore s Ministry of Home Affairs announced proposed amendments to existing Computer Misuse and Cybersecurity Act, broadening scope of criminal conduct and territorial reach to prosecute those companies that transact with breached data, even though they were not initially responsible for the breach. Also, Singapore s Personal Data Protection Commission has recently updated its advisory guidelines to help companies comply with the Personal Data Protection Act. Finally, Singapore s Personal Data Protection Commission published Advisory Guidelines on Use of Anonymized Data. Australia s legislature passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, creating a mandatory data breach reporting scheme. Australian companies and government agencies have a year to get into compliance with the new breach notification law. There are changes in Japan s data protection regime when the Act on Protection of Personal Information comes into force at the end of May. 5

6 Introduction: Many Changes in Asia (ctn) New Zealand s Privacy Commissioner has proposed six recommendations to revamp the country s Privacy Act, one would allow the privacy commissioner to apply to the High Court for a civil penalty in the event of a data breach. A new law in Kazakhstan requires all mobile phones to be registered in a government database. The Russian data protection authority, has released its 2017 inspection plans for local companies to measure their compliance. 6

7 APAC Countries with Cross-Border Data Restrictions (sample) Hong Kong. In 1995, HK adopted a law governing cross-border data transfers. In December 2014, HK issued a 19-page guidance note. Its data transfer restriction prohibits transfers of data collected, held, processed or used in HK, or by a company with its principal place of business in HK, outside HK except in limited circumstances, including countries that have been whitelisted, countries that the business has reasonable grounds for believing have laws that are substantially similar to, or serve[] the same purposes as, HK s data protection law, and contractually enforceable agreements with the data recipient to ensure that the data will be protected consistent with HK s privacy standards. Philippines. When sharing data, an agreement must provide adequate safeguards, and the agreement is subject to review by the National Privacy Commission. The law does not apply to the processing of personal information in the Philippines that was lawfully collected from residents of foreign jurisdictions. 7

8 APAC Countries with Cross-Border Data Restrictions (sample) (ctn) New Zealand. NZ s privacy commissioner has authority to prohibit data from being exported if the commissioner is reasonably satisfied that (1) the receiving nation lacks comparable safeguards to those that exist in NZ, and (2) the transfer would contravene principles in the OECD privacy guidelines. Australia. An Australian company that wants to disclose the personal information of Australians to a foreign business must take reasonable steps, which generally mean an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information. Health data may not flow across borders in virtually any circumstance. Singapore. Generally prohibits transferring personal data outside of Singapore unless the receiving overseas company provides assurances that it will comply with legal standards - i.e., contracts, laws, or binding corporate rules - that are comparable to the protections in Singapore. But transfers necessary for the performance of a contract between the organization and the individual data subject are deemed to have satisfied the comparable-protection standard, regardless of whether the foreign jurisdiction s privacy laws are comparable to Singapore. 8

9 Cross-border Data Flows (EU-Asia) Cross-border data flows are key to most businesses. These can include moving employee information around, credit card details to complete online transactions, and people's browsing habits to serve them targeted ads. In January, the EU announced that it hopes to finalize data transfer agreements with Japan and South Korea to enhance business ties, with plans to work on removing barriers to the free flow of data. The EU also plans to crack down on member states that force some organizations to store data locally, which it argues increases the cost of cloud computing services and hampers the 54.5 billion euro ($57.7 billion) data market in Europe. 9

10 APEC Framework (US-Asia) In 2012, 21 APEC member economies adopted a system called the Cross Border Privacy Rules (CBPR). The CBPR establishes a voluntary certification system for complying with APEC s Privacy Framework. Countries that opt to participate must designate an accountability agent and a privacy enforcement authority. The accountability agent has responsibility for assessing and certifying a company s compliance with the APEC Privacy Framework and only businesses based in the accountability agent s country (and such businesses foreign and domestic subsidiaries) are eligible for certification by that accountability agent. The role of the privacy enforcement authority is to bring enforcement actions against companies that become CBPR certified but violate their own CBPR-certified privacy policies. (We will discuss FTC enforcement in this area later.) The CBPR system applies only to data controllers, not data processors, although APEC is creating a separate but similar system called Privacy Recognition for Processors. 10

11 APEC Framework (US-Asia) (ctn) To date, participation rates in the CBPR system have been low. Only four of the 21 APEC member countries have chosen to participate: the United States, Japan, Mexico and Canada. Of those four, only one has a qualified accountability agent: the United States, which has TRUSTe. On January 17, 2017, the International Trade Administration ( ITA ) announced that South Korea formally submitted its intent to join the APEC Cross-Border Privacy Rules ( CBPR ) system. South Korea s statement of intent to join the CBPR system follows on the heels of Chinese Taipei s recent announcement that it intends to join the system in the near future, as well as recent indications that other APEC economies are considering or working towards joining the system. Korea, Singapore and the Philippines reported that they plan to join, and Australia, Hong Kong, Russia, Taiwan and Vietnam are considering joining. 11

12 Dominic Wai ONC Lawyers 19th Floor, Three Exchange Square 8 Connaught Place, Central Hong Kong, Hong Kong (SAR) dominic.wai@onc.hk Tel: Fax: Website: 12

13 Recent Developments in Chinese Data, Cyber, and E-commerce Laws This presentation is not an advice on PRC law nor an exhaustive treatment of the area of law discussed and cannot be relied upon as legal advice. No responsibility for any loss occasioned to any person acting or refrain from acting as a result of the materials and contents of this presentation is accepted by ONC Lawyers. 13

14 China s New Cybersecurity Law Enacted on 7 November 2016 Will take effect from 1 June 2017 On 11 April 2017 the Cyberspace Administration of China (CAC) released a draft (Draft) Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (Local Data) to solicit public comments Deadline for submissions: 11 May

15 China s New Cybersecurity Law Key Provisions: Data localization rule: imposed an obligation on operators of Critical Information Infrastructure (CII) to store personal information and other important data collected and generated during operations within China. Outbound data transfer - Conduct security assessment self or government administered assessment (GAA) 15

16 China s New Cybersecurity Law Imposes obligations on CII, Network Operators (NOs) and IT Product Suppliers Data Security NOs Privacy protect personal information & seek consent Cybersecurity incident notification Real name identification 16

17 China s New Cybersecurity Law The Draft Seem to extend the applicability of the data localization rule from CII operators to all NOs If an NO seeks to transfer the Local Data overseas for business needs, it must undergo a security assessment that shall abide by the principles of fairness, objectiveness and effectiveness 17

18 China s New Cybersecurity Law A GAA is triggered if the intended outbound crossborder data transmission involves any of the following circumstances: Personal Information > 500,000 individuals the amount of data exceeds 1,000 GB Sensitive and military/defence data etc Cybersecurity info/vulnerabilities etc Personal information and important data by CII 18

19 China s New Cybersecurity Law Other circumstances that may affect national security or public interests A GAA should be completed by the relevant industry regulator within 60 working days and be reported to CAC upon completion. Draft Important Data refers to data that is closely related to national security, economic development and public interest. 19

20 Draft E-Commerce Law On 27 December 2016, the Standing Committee of National People's Congress (NPC) issued the draft E- commerce Law for public opinion. Apply to e-commerce activities which occur within the territory of China and e-commerce activities involving domestic e-commerce business entities or consumers. 20

21 Draft E-commerce Law The definition of e-commerce refers to business activities in which goods or services are traded through information networks such as the Internet. excludes financial products and services and content services E-commerce operators require business licenses. Explicit prohibition of behaviour that damages the e- commerce credit system. 21

22 Draft E-commerce Law Clarification of the obligations and liabilities of third party e-commerce platforms. Payment service providers to be liable for losses caused by unauthorized payments Improved personal information security for e- commerce providers and third party providers. responsible for personal information security through internal control and technology management Electronic contracts and electronic payments are allowed 22

23 Draft E-commerce Law The government shall promote the digitalization of cross-border e-commerce related import and export declarations, tax payments, and inspection and quarantine processes. Where an e-commerce business entity violates the E-commerce Law, the relevant government agencies may impose a warning or a fine (ranging from RMB 30,000 to RMB 500,000) on the entity, order the entity to make rectifications, or suspend or revoke the business license. 23

24 J. Paul Zimmerman Christian & Small LLP 1800 Financial Center 505 North 20th Street Birmingham, AL United States Tel: Fax: Website: 24

25 U.S. Regulatory Enforcement - The Landscape As to data breaches, the U.S. landscape is a confusing mix of federal and state laws. 48 of 50 states have data breach notification statutes. The U.S. does not have one single federal data protection law it has several. Applicable law can depend on type of data, industry sector, and public versus private company. Any number of regulatory agencies could be involved. As for privacy laws and regulation of commerce, the legal framework is mostly, but not exclusively, federal. 25

26 U.S. Regulatory Enforcement - Federal Enforcement At least 20 federal statutes relate to data protection in various ways Regulatory actions can include: Civil enforcement Injunctive relief Criminal proceedings 26

27 U.S. Regulatory Enforcement - Federal Enforcement The most commonly encountered are: Fair Credit Reporting Act Gramm Leach Bliley Act Health Insurance Portability and Accountability Act Children s Online Privacy Protection Act Federal Trade Commission Act Section 5 APEC CPBR system 27

28 FTC Enforcement Trend FTC is relatively new in the data privacy enforcement space, but is increasingly active. FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD cases confirmed its role in data privacy regulation in the U.S. Generally leading to sanctions or injunctive relief consent settlements Related criminal investigations generally turned over to FBI, IRS, Secret Service, etc. 28

29 FTC Enforcement and APEC While the APEC CPBR system is voluntary, it is enforceable, with the FTC as the relevant authority in the U.S. The FTC has taken action regarding the APEC CPBR Very Incognito Technologies Warning letters to 28 companies claiming to participate in CBPR, but without indication of having met the requirements 29

30 Regulation of Data by the States States regulate data to varying degrees, mostly with regard to consumer data breach notification. Some states have more expansive regulations or more aggressive enforcement. California Massachusetts New York 30

31 In Contrast to Many Other Countries, the U.S. Has: A tangled network of laws, regulations, and agencies. Very little restriction on offshore transfer of data. Technical requirements in some types of data or particular industries to facilitate transactions Military applications Little restriction on storing data outside the U.S. Jurisdictional limits that generally restrict enforcement to U.S. commerce. 31

32 Thank You Presenters J. Paul Zimmerman Christian & Small LLP 1800 Financial Center 505 North 20th Street Birmingham, AL United States Tel: Fax: Website: Khizar Sheikh Mandelbaum Salsburg P.C. 3 Becker Farm Road, Suite 105 Roseland, NJ United States ksheikh@lawfirm.ms Tel: Fax: Website: Dominic Wai ONC Lawyers 19th Floor, Three Exchange Square 8 Connaught Place, Central Hong Kong, Hong Kong (SAR) dominic.wai@onc.hk Tel: Fax: Website: 32

Moving Data Around Asia-Pacific. Sam Pfeifle, IAPP Josh Harris, TRUSTe Michael Rose, US Dept. of Commerce

Moving Data Around Asia-Pacific Sam Pfeifle, IAPP Josh Harris, TRUSTe Michael Rose, US Dept. of Commerce Who We Are Sam Pfeifle, Content Director, IAPP Michael Rose, International Trade Specialist, Office