1 / 126

Asian Data Privacy Laws 2013 Roundtable

Asian Data Privacy Laws 2013 Roundtable. Professor Graham Greenleaf AM Professor of Law & Information Systems, University of New South Wales Asia -Pacific Editor, Privacy Laws & Business International Report Pinsent Masons, London, 1 October 2013.

kueng
Download Presentation

Asian Data Privacy Laws 2013 Roundtable

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Asian Data Privacy Laws2013 Roundtable Professor Graham Greenleaf AM Professor of Law & Information Systems, University of New South Wales Asia-Pacific Editor,Privacy Laws & Business International Report Pinsent Masons, London, 1 October 2013

  2. Asia – 28 jurisdictions but no centre - No Brussels, Strasbourg, ECJ, ECtHR, Directives, no A29WP

  3. Asia in global context: mid-2013 • Significant 2011-13 events in half of the 28 jurisdictions • 12 Asian jurisdictions now have data privacy Acts, covering both sectors (6) or their public sector (2) or private sector (4) only • Add China & Indonesia with substantial IT sector laws = 14 • 5 of these have very substantially strengthened their laws recently • 2 laws are only yet partially in force • 1 more has a Bill pending for a new law extending existing coverage, and Bills are reported in draft in others • Every law differs substantially from all others • None yet have EU ‘adequacy’ findings or CoE 108 accessions • Information on national laws is very hard to obtain • Key documents are often not available in European languages • Information about enforcement & complaints is even harder to find

  4. Global development of data privacy laws & standards • The global context • How many countries have data privacy laws? • What is the global trajectory of development? • What Principles do these laws apply? • How do we evaluate & compare these laws? • Standards for data privacy principles • Comparing enforcement: responsive regulation • Comparing data export laws (special focus)

  5. How many countries now have data privacy laws? • What is a ‘country’for this purpose? • A separate legal jurisdiction (eg HK, Macau, Jersey, Greenland) • What’s a law? • It’s a law: not self-regulation or trustmarks • But any type of enforcement by law must be accepted • This is only a Q of whether a DP law exists, not ‘adequacy’ • What scope must a law have? • Must cover either or both of private and public sectors • Almost all cover both public & private sectors • 5 Public sector only (must cover national government) • 6 Private sector only (Must cover most of sector) • What content must a data privacy law have? …

  6. 4. What content must a data privacy law have? • The ‘basic’ standard of all international agreements • Initially OECD Guidelines (1980) & CoE Convention (1981) • Also shared by EU (1995) and APEC (2004) • Must include ‘most’basic principles • Can’t require all 15, or too strict • Eg no explicit ‘openness’ principle in 5/10 Asian laws • Testing against 10 Asian laws: averaged 13.6/15 • India & Malaysia’s 11/15 is probably minimum acceptable • Vietnam was 11/15, now 13 through new 2013 Decree • Conclusion:Must include minimum 11/15 • including access/correction + security + some finality principles

  7. Comparison of 10 Asian laws (over 15)

  8. How many countries nowhave a data privacy law? • A: 101(as at 30 August 2013) • Article in materials is to June 2013 • + add Kazakhstan and South Africa • 90/101 cover both sectors • 5 Public sector only (Thailand, Yemen, USA, Nepal, Zimbabwe) • 6 Private sector only (Vietnam, Singapore, Malaysia; India, Qatar & Dubai SEZs)

  9. Result: 101 countries now have data privacy laws To this map, add Kazakhstan and South Africa – new Acts since mid-2013 Map created by interactive maps: http://www.ammap.com

  10. 22 Acts & 19 Bills this decade

  11. 105-10 data privacy laws by 2015? This map adds 20 countries with known official data privacy Bills Map created by interactive maps: http://www.ammap.com

  12. Jurisdictions by decade: From rare to common 101 jurisdictions with data privacy laws by August 2013

  13. Regional spread of data privacy laws 101 laws: 53 European, 48 outside Europe (August 2013)

  14. Data privacy laws beyond Europe • A: 47/100 jurisdictions are outside Europe • EU: 28 (all); Other European: 25 (2 not: Turkey, Belarus) • Asia: 12; Latin America: 9; Sub-Saharan Africa: 10; N.Africa + M-East: 6; Caribbean: 4; A’asia: 2; N. America: 2; Central Asia: 2 • Implications: • Most of the world is adopting data privacy laws: no longer a ‘European thing’ • Most growth will now occur outside Europe • By 2014-16, the majority of laws will be outside Europe • When most of the commercially significant world has such laws, the focus will not be European ‘data exports’ [4]

  15. Countries with no Acts or Bills Afghanistan; Algeria; Bahrain; Bangladesh; Belarus; Belize; Bermuda; Bhutan; Bolivia; Botswana; British Virgin Islands; Brunei Darussalam; Burundi; Cambodia; Cameroon; Central African Republic; Chad; China; Comoros; Congo, Republic; CongoDemocratic Republic; Cuba; Djibouti; Ecuador; Egypt; El Salvador; Equatorial Guinea; Eritrea; Ethiopia; Fiji; Gambia; Guatemala; Guinea; Guinea-Bissau; Guyana; Haiti; Honduras; Indonesia; Iran; Iraq; Jordan; Kiribati; Korea, North; Kuwait; Lao PDR; Lebanon, Lesotho; Liberia; Libya; Malawi; Maldives; Marshall Islands; Mauritania; Micronesia; Mongolia; Mozambique; Myanmar; Namibia; Nauru; Oman; Pakistan; Palau; Palestine; Panama; Papua New Guinea; Rwanda; Samoa; Sao Tome and Principe; Saudi Arabia; Sierra Leone; Solomon Islands; Somalia; Sri Lanka; Sudan; Suriname; Swaziland; Syria; Tajikistan; Timor Leste; Togo; Tonga; Turkmenistan; Tuvalu; Uganda; United Arab Emirates; Uzbekistan; Vanuatu; Vatican; Venezuela; Zambia China and Indonesia already have significant IT sector laws

  16. Jurisdictions by decade: Diffusion to ubiquity 101 jurisdictions with data privacy laws by August 2013, with projections to 2020 (linear = 139; accelerated = 160)

  17. Consequences of globalisation • Ubiquity of data privacy laws in countries of economic/political significance by 2020 • USA and China the main outliers (private sector) • European laws (EU & CoE) soon in a minority • EU laws are only 28% at present, and falling • Laws with strong data export restrictions are not limited to the EU, or to Europe • ROW laws expand, strengthen, and are enforced • Google: Korea (TOS) and Macau (Streetview) • Results: • Weak national laws may cause multilateral complexities • Need for an internationally accepted standard increases • ‘Interoperability’ begs the Question: ‘on what basis?’

  18. What fundamentals should we look for? A = Principles; B = Enforcement; C= Data exports

  19. (A) Standards for principles • Over 30+ years, 2 standards emerged • 1st Generation - ‘Basic’ Principles • OECD (1981); CoE (1981); APEC (2005) • Also incorporated in ‘European’ principles • 2nd Generation - ‘European’ principles • EU Directive (1995); CoE Additional Protocol (2001) • Will 3rd Generation principles emerge? • Possible from EU Regulation and CoE ‘modernisation’ • Not from OECD revision or APEC • Which Principles are enacted globally?

  20. Basic data privacy Principles(OECD & EU hold 1-10 in common) • Collection - limited, lawful and by fair means; generally with consent or knowledge (OECD 7) • Purpose specification at time of collection (OECD 9) • Notice of purpose and rights at time of collection (OECD ambiguous) • Uses (including disclosures) limited to purposes specified or compatible (OECD 10) • Data quality (relevant, accurate, up-to-date) (OECD 8) • Security through reasonable safeguards (OECD 11) • Openness re personal data practices (OECD 12) [not specific in EU] • Access, individual rights of (OECD 13) • Correction, individual rights of (OECD 13) • Accountable Data controller with task of compliance (OECD 14) We will assume these 10 basic principles in laws discussed, and focus on (I) where one is absent or (II) additional principles

  21. What standards are enacted globally?– ‘Basic’ only or ‘European’? • Must first answer: ‘what are European data privacy standards?’ • Approach: What is required by the EU Directive but not required by the OECD Guidelines? • Identified the 10 key differences as‘European standards’ (next slide) • Examined 33/37 non-European laws (as at Dec. 2011) against these 10 criteria • Result: Average 7/10 ‘European’ factors found • Now 48 laws (not 33) but no significant change • Conclusion: The current ‘global standard’ is to a significant extent the European standard

  22. 10 ‘European’ standardsEU Directive (1995) & CoE 108+Add. Protocol (2001) • ‘Minimality’ in collection (relative to purposes); • General ‘fair and lawful processing’ requirement; • Some ‘prior checking’by DPA required; • ‘Deletion’: Destruction or anonymisation after use; • Sensitive data additional protections; • Limits on automated decision-making; • ‘Opt-out’ of direct marketing uses required. • Has a separate independent DPA; (enforcement) • Allows remedies via the courts; (enforcement) • ‘Border control’ data exports restrictions. An ‘adequate’ law = one implementing most of these Invitation to accede to CoE Convention 108 requires similar

  23. (B) Standards for enforcement • No accepted international standards • EU Article 29 Working Party (WP29) Opinion on elements of adequacy is often cited • Proposed EU Regulation may set new standards • Revised OECD Guidelines adds some • Numerous enforcement mechanisms are possible • Few laws include all such enforcement mechanisms, it is their combination in an effective system that counts … • Necessary to go back to 1st principles …

  24. Purposes: What should enforcement achieve? • Deterrence • inhibits future breaches which are not specific/identified • Prevention • Intervention in current/anticipated specific breaches • Occurs before breach complete and damage suffered • Guaranteeing assertions of rights • Where individuals have to act to assert a right • Eg some correction or deletion rights • Remedies for individuals • Restorative or compensatory remedies • Occurs after breach, damage already suffered • Punishment (?) • Is data protection enforcement ever for punishment? • Fines etc against a unique defendant can still deter others

  25. Types of enforcement measures Enforcement measures can be characterised as: • Whether there is an independent DPA • Varieties of complaint investigations • Investigative powers and procedures • Orders and remedies available from DPA / Ministry • Publication of enforcement details (statistics and cases) • Offences • Rights of court action to enforce Principles (+ of appeal) • Data breach notification requirements • Systemic (non-complaint) preventative/deterrent measures

  26. The model of ‘responsive regulation’:What is needed for effective enforcement? Elements of‘Responsive regulation’ (Braithwaite, Parker et al) Effective regulation requires multiple types of sanctions of escalating seriousness It is an enforcement pyramid: sanctions at the top get used far less than the cheaper bottom layers All forms of sanctions must be actually used when necessary Use of each level of sanction must be visible to those regulated, consumers and the representatives of both The higher levels are incentives for the lower levels to be made to work Enforcement pyramid in a licensing system (Braithwaite 1993)

  27. High peaks create more pressure down (Anon, NZ origin)

  28. A complaint-driven enforcement pyramid for data protection

  29. A systemic (non-complaint) enforcement pyramid for data protection

  30. (C) Data export restrictions – Must ask 6 Question for each jurisdiction • Does the DP law of the controller’s jurisdiction assert extra-territorial operation? • Assertion of control over persons/objects outside territory • DP laws are in default not extra-territorial • But nothing illegal in international law about assertions • Under what conditions are transfers (data exports) to a foreign jurisdiction allowed? • Contracts required?; Notice to data subject required?; Notice to DPA required? • Are there special rules for controller-to-processor transfers? • Terminology in every country is different, so are the rules

  31. Issues for each jurisdiction (2) • Can the data subject enforce the controller/processor contract against processor? • Does a privity of contract doctrine prevent this? • Is the controller liable for breaches by the foreign processor? (vicarious liability) • Does the processor jurisdiction’s DP law exempt outsourced processing (in full or part)?

  32. North-East Asia – the leaders • Most countries have recent new or revised data privacy laws • With new laws in China, North-East Asia is the most data-privacy-intensive region outside Europe

  33. Order of consideration • South Korea • China • Hong Kong SAR • Taiwan Not covered • Japan • Macau SAR • Mongolia

  34. South Korea • OECD and APEC member; APPA member • New comprehensive Personal Information Protection Act (PIPA) • In force from 10/11; only enforced from 4/12 • Adds many new features to existing strong foundation • Previous legislation (largely replaced but not entirely) • Private sector – ’Data Protection Act’ 2000 (in a broader Act) • Administered by Korean Internet & Security Agency (KISA) • Scope limited to businesses utilising telecoms services • Active enforcement by Korean Personal Information Dispute Mediation Committees (PIDMCs): compensation & documented cases • Public sector - Public Agency Data Protection Act • Administered by Ministry of Public Administration and Safety (MOPAS); • Scope covers all public agencies; includes basic principles, but few limits on excessive collection by governments (defect in OECD) • Minimal enforcement: no independence; no publication of cases • Some other specific Acts (eg credit reporting) still over-ride DPAct

  35. South Korea - Key new features of 2011 PIPA One Act now comprehensive of public and private sectors (cf Japan) Now covers whole private sector - ‘Personal information processor’ Independent Personal Information Protection Commission (PIPC) 1st national DPA in a civil law Asian country Privacy Compliance Officers required for most businesses/agencies Collective meditation for disputes with widespread small damage + representative actions for injunctions Mandatory data breach notification to affected individuals Also to authorities where significant (cf Taiwan) Mandatory PIAs for potentially dangerous public sector systems Explicit (opt-in) consent required for marketing using own databases Act and Enforcement Decree in English (trans. Prof. Park, Whon-il) <http://www.koreanlii.or.kr/w/images/9/98/DPAct1110en.pdf> <http://http://www.koreanlii.or.kr/w/images/d/d7/DPAct_EnforceDecree.pdf>

  36. South Korea –Additional principles 2011 Act includes all basic OECD principles, plus these additions: • Onus of proof of almost all requirements is on the processor • Privacy Policy necessary, and overrides any individual agreements where this favours the consumer (A 30) • Minimal collection of personal data necessary for purpose (A 16(1) • Desirability of ‘anonymity, if possible’ of processing (A 3(7)) • No denial of services because of refusal to provide unnecessary information (A 16(2)) • Sensitive data cannot be processed without consent (A 23) • Alternatives to identification by the Residence Registration Number must be provided (A 24) [RRN use is separately being prohibited] • Strict limits on operation of visual surveillance devices (A 25) • Notification required if personal data collected from 3rd Ps (A 20) • Consent required to disclose to 3rd Ps, who must be identified (A 17) • limited exceptions (A 18) not including ‘compatible uses’

  37. South Korea –Additional principles (2) • Data exports require consent (A 17(3)) - but notice is weak • Notice of sub-processing is required (A26), and must be identified • OR public Privacy Policy (PP) can give notice of sub-processing • sub-processors are deemed employees (A 26(6)) (vicarious liability) • Deletion (not de-ID) of personal data required after use (A 21) • Suspension of processing can be required by data subject (A 37) • Privacy Officer must be appointed, with detailed duties (A 31) • Draft Guidelines suggest wherever more than 50 employees • Data breach notification always mandatory to data subjects (A34) • Also to MOPAS and other authorities if ‘large scale’ • Offences to improperly deal with, disclose or receive personal data • Detailed security measures are prescribed by Presidential Decree, both locally and for data exports These 17 points show how far Korea goes beyond the OECD ‘basics’

  38. South Korea - Strong consent • Unusual in both where consent is required (most diclosures and change of use, and data exports) and in requirements for consent to be legitimate. • Notifications required before consent is obtained (A 15(2) or 18(3)) must separate 3 matters: • each matter requiring consent must be stated separately, and each consent obtained separately (no ‘bundling’) (A 22(1)) • information collected requiring consent must be segregated from informaton not requiring consent (A 22(2)) • if consent is to use information ‘to promote goods or services or solicit purchase therefor’ then data subjects must eplicitly consent to this (ie opt-in to marketing uses) (A 22(3)) • This is reinforced by the ‘no disadvantage’ rule Are these the strongest consent requirements known?

  39. South Korea – Enforcement • The most complex version of the ‘North Asian civil law model’ • Japan, Taiwan and China have Ministry-based sectoral enforcement • Korea has added both (I) an independent complaints body and (ii) a DPA • If successful, the Korean model is likely to influence others • Complex 5-way administrative structure under new Act: • Personal Information Protection Commission (PIPC) • Korea Internet & Security Agency (KISA) (includes Personal Data Protection Center (PDPC)) • Personal Information Dispute Mediation Committees (PPDMC/Pico) • Ministry of Public Administration and Security (MOPAS) • Korea Communications Commission (KCC): regulates ISPs and ICSPs • This structure may be changing after the 2012 election • Complexity in who is representing Korea in international fora • PIPC would like to take functions currently(?) exercised by KISA • Influence of MOPAS is still everywhere

  40. South Korea – Enforcement • Personal Information Protection Commission (PIPC) • 15 member independent Commission within Presidential Office • PIPC’s website <http://www.pipc.go.kr> is out-of-date in English • President appointed independent Chairman (Park, Tae-Jong) • ‘Executive Bureau’ within MOPAS, headed by Director-General • ‘Standing Commissioner’ is a ‘government official of political affairs’ who ‘directs the Executive Bureau under the Chairman’s orders’ • Roles of setting policy, issuing opinions and reports (A 8) • Organisations can seek something like an ‘advisory opinion’ on the law • No clear role in the Act in resolution of individual complaints • BUT PIPC claims a role re public sector ‘to rectify violations and misuse of personal information’ (seeA 8(1)(v) and A 18(2)(v)) • PIPC has an ‘Investigation Division’ • PIPC decided complaint against Google Terms of Service

  41. South Korea – Enforcement (2) • Ministry of Public Administration and Security (MOPAS) • Issues ‘Data Protection Basic Plan’ in consultation with PIPC • Issues ‘Standard Guidelines’, which Ministries can modify for sectors • Accreditation to Data Protection Commissioner’s conference refused in 2011, because not independent of government • Personal Information Dispute Mediation Committees (PIDMC) • Up to 20 persons appointed, with independence provided by Act (A40) • Hear complaints in sub-committees, depending on expertise required • Handles about 90% of privacy disputes (10% in Courts) • ‘Mediates’, deciding breach and recommending remedy; if both parties agree, settlement is binding; otherwise, matter has to go to Court • Personal Data Protection Centre (PDPC) within KISA • Receives and investigates complaints, and mediates minor complaints • Assists complainants to prepare complaints to go to PIDMC • KISA still represents Korea at APPA meetings, but PIPC also • Presidential Decree must appoint PDPC to this role (A 40(8))

  42. South Korea – Enforcement (3) • PIDMC’s mediation record under the old Act • PIDMC must suggest mediation within 60 days of petition filing • Of 22 reported cases in 2003-04, PIDMC awarded compensation (from $100-$10K) in 17 cases (English translations are on WorldLII) • Examples: disclosure of telephone records to estranged husband ($10K); surgeon posting photos of clients’ plastic surgery ($4K) • Usually individual vs business disputes; b/w individuals goes to Court • Additional scope for PIDMC mediation under the new Act • now has powers to mediate public sector complaints (s43()3) • now has powers for collective dispute mediation (A 49) • PIDMC has been confirmed as mediation agency by Presidential Decree Korea has established a unique open, independent and effective system of dispute resolution over 10 years

  43. South Korea – Enforcement (4) • Data subjects may sue for damages for breach (A 39) • Onus of proof of no intent/ negligence is on data user • Many actions before Courts, including class actions: Held that massive data leak did not automatically result in damages for mental distress (2011) • Little information available in English on court cases • Collective dispute mediation by PIDMC (A 49) • Where multiple data subjects are affected, any parties can request PIDMC to undertake collective dispute mediation • Presidential Decree sets out procedural details Mediation continues even if some complainants go to Court • Class actions (Part 7 ‘Data protection collective suit’) • If processor rejects collective mediation, various types of NGOs (defined in Act) are entitel to file a class action (‘collective suit’) • Suit is filed in the District Court of the defendant’s place of business, or main office of foreign business’s representative (A 52)

  44. South Korea – 2013 • 2013 Bill (3538) for serious data protection breaches • Fines up to KRW 500M (US $500,000) • MOPAS could demand dismissal of senior executives • 2013 PIPA Amendment re ID numbers • No ID numbers can now be collected, online or offline • Existing ID numbers must be deleted (2 yrs for offline) • Increase to US $500,00 fines (online or offline • Self/Co-regulation is not significant • No significant self-regulation under previous Act • No provisions concerning enforceable codes in new Act • MOPAS required to facilitate self-regulation • KISA guidelines strengthened the previous law • Eg RFID & Biometric privacy Guidelines, 2007 • Which enforcement body will do so in future?

  45. South Korea – Data exports • No explicit extra-territoriality provisions • Normal rules of private international law apply • Consent and notice required when providing to a ‘3rd P overseas’ (A 17(3)) (Not border control) • (i) consent of the data subject (must be express); • (ii) notice in advance to data subject of identity of recipient, data to be transferred, purpose; • No specific requirement to give notice of destination (country), or state of privacy laws at destination • No vicarious liability for conduct of 3rd P recipient.

  46. South Korea – Data exports (2) • Special controller/processor rules (A 26) • A 26 applies if controller ‘consigns processing … to a 3rd party’ • Prior consent is not required; Notice or PP disclosure is required • Notice must include identity of processor (but not country location) • BUT Korean government authorities have previously required all data exports, including for outsourcing, to be with consent • Some argue new Act might be interpreted differently (Lee & Ko, Seoul) • No privity of contract problem, so data subjects can enforce • If exporter contracts with overseas 3rd party for benefit of data subject, data subject can enforce against 3rd P (Civil Code A 539) • Controller has vicarious liability (as employer) for processor • Applies to compensation for processing contra to Act (A 26(6)) • No outsourcing exemption • Processor is also liable for all data protection requirements

  47. China Map of China in the ‘Warring States’ period

  48. China – Regulation time line • 2006/7: Draft Personal Information Protection Act, from Institute of Law; private & public sectors; included DPA; EU-influenced • Some Provinces have enacted data privacy codes, for consumers • Piecemeal laws on money laundering, medical records, insurance, consumer protection and credit reporting • 2009-10 Major reforms: Criminal Law and Tort Liability Law • 2011 MIIT (Min. of Industry & Info. Tech.) ‘Internet Information Services Regulations’, in force 3/12 • 2012 NPC Standing Committee ‘Decision’ (a law) on Internet Information Protection, in force 12/12 • 2013 MIIT Standardization Administration ‘Guidelines’ on Personal Information Protection in ‘computer information systems’ • 2013 MIIT ‘User Data Protection’ Regulations’ Result: No national law yet, but consistency emerging 2011-13 • Considerable consistency in principles; private sector only • Ministry-based enforcement, with no sign of a DPA

  49. China: Internet Information Services Regulations 2011 This is still the single most important regulation • Adopted by MIIT (Min. of Industry & Info. Tech.) 12/11 • Scope: Applies only to ‘IISPs’, with a broad meaning • Anyone providing information to Internet users • Does not include the public sector • ‘User’s personal information’ is any PI, but some cls only apply to ‘information uploaded by a user’ • ‘Telecommunications authorities’ at all levels can enforce, but some aspects may go to the Ministry • Administrative orders to change practices, fines, and adverse publicity can result (at discretion of authorities) • No explicit civil damages, but could arise under Tort Liability Law [U11]

More Related