
Asian Data Privacy Laws –  Rapid Change – 2019

Asian Data Privacy Laws – Rapid Change – 2019. Professor Graham Greenleaf AM, Professor of Law & Information Systems, University of New South Wales; Asia-Pacific Editor, Privacy Laws & Business International Report. UNSW CLE, 4 September 2019, UNSW CBD Campus.





Presentation Transcript


  1. Asian Data Privacy Laws – Rapid Change – 2019
  Professor Graham Greenleaf AM, Professor of Law & Information Systems, University of New South Wales; Asia-Pacific Editor, Privacy Laws & Business International Report
  UNSW CLE, 4 September 2019, UNSW CBD Campus

  2. Relevant materials
  • Greenleaf, Asian Data Privacy Laws (OUP, 2014) – comprehensive text on all 26 Asian jurisdictions, to early 2014 – available in paperback.
  • 2014-19 Update to ADPL (to 08/19) – handout for this course (not yet online)
  • New online: Twitter @grahamgreenleaf
  • Articles in Privacy Laws & Business International Report – all on SSRN
  • ABLI, Regulation of Cross Border Transfers of Personal Data in Asia, 2018 – ABLI Privacy Project
  • International Privacy Law Library …

  3. International Privacy Law Library on WorldLII <http://www.worldlii.org/int/special/privacy/>
  • free extensive online resources
  • includes most Asian Acts, in English, in the National Data Privacy Laws database
  • all international agreements
  • includes cases decided by these Asian DPAs (and others): Hong Kong PCPD; Korean PIDMC; Macau OPDP; Singapore (coming soon)
  • many journal articles etc

  4. 136 Countries with data privacy Laws (to September 2019) [world map; key: Comprehensive / Public only / Private only / Most Private / Bills]

  5. Plus 30+ countries with official Bills (to September 2019) [world map; same key]

  6. Plus non-European countries with Revision Bills (to September 2019) [world map; same key]

  7. How many countries now have a data privacy law?
  • Answer: 136 (as at September 2019)
  • 2019 Tables and articles on my web pages/SSRN: 132
  • Since then, Uganda, Nigeria, Uzbekistan, Barbados: 136
  • Since 2014 the majority of global privacy laws are from outside Europe (now 70%: 89/128); only 20% = EU
  • About 30 more countries currently have official Bills
  • Growth of new laws globally has not slowed down
  • Also many stronger ‘2nd generation’ revised laws (eg Thailand, Korea, Hong Kong, Taiwan, Japan, Australia)
  • Others: significant e-commerce/consumer privacy laws
  • 90% have a separate Data Protection Authority (DPA)
  • Data export restrictions are global

  8. What fundamentals should we look for? ADPL Ch 2 ‘International’ & Ch 3 ‘Standards’

  9. Standards to compare/assess data privacy laws [ADPL Chs 2&3]
  A. Data privacy principles – 3 generations:
  • ‘Basic’ principles: CoE Convention 108 (1981); OECD Guidelines (1980)
  • ‘European’ principles: EU Directive (1995); CoE 108 Protocol (2001)
  • ‘European/globalised’ principles: EU GDPR (General Data Protection Regulation) 2016/2018; ‘modernised’ CoE Convention 108+ (2018)
  B. Enforcement standards – more difficult (later)

  10. What standards are enacted globally? – ‘OECD / basic’ or ‘European’?
  • Must first answer: ‘what are European data privacy standards?’
  • Approach: What is required by the EU Directive but not required by the OECD Guidelines?
  • My 2011 study identified the 10 key differences as ‘European standards’ (next slide)
  • Examined 33/37 non-European laws (as at Dec. 2011) against these 10 criteria
  • On average, data privacy laws outside Europe included 6.9 of these principles, in addition to the minimum OECD principles
  • Now 89 laws outside Europe (not 33), but no significant change to this distribution, globally, is apparent
  • Almost the same for ‘top 20 by GDP’ countries outside Europe (2017 study: 6/10)
  • Post-GDPR (ie from mid-2018), GDPR influence is strengthening adoption of 2nd G standards and adding 3rd G elements –> the ‘global standard’ is strengthening

  11. 1st Gen: Basic data privacy principles (EU & OECD hold 1-9 in common)
  • Collection – limited, lawful & by fair means; generally with consent or knowledge (OECD 7)
  • Data quality (relevant, accurate, up-to-date) (OECD 8)
  • Purpose specification at time of collection (OECD 9)
  • Notice of purpose and rights at time of collection (OECD ambiguous)
  • Uses (incl. disclosures) limited to purposes specified or compatible (OECD 10)
  • Security through reasonable safeguards (OECD 11)
  • Openness re personal data practices (OECD 12)
  • Access & correction – individual rights of (OECD 13)
  • Accountable – responsible data controllers identified (OECD 14)
  • Data export restrictions may [only EU 1995 said ‘must’] be limited to (a) countries which do not substantially observe these basic rules, and (b) do not prevent circumvention by re-exports (OECD 17)
  We will assume these 10 basic principles in laws discussed, and focus on (I) where one is absent or (II) principles that go beyond these features

  12. 2nd Gen: 10 ‘European’ standards – EU Directive (1995) & CoE 108 + Add. Protocol (2001)
  • ‘Minimality’ in collection (relative to purposes);
  • Legitimate basis for processing defined;
  • Some prior checking by/notice to DPA required;
  • ‘Deletion’: destruction or anonymisation after use;
  • Sensitive data: additional protections;
  • Limits on automated decision-making;
  • Objections to processing (incl. ‘opt-out’ of direct marketing);
  • Has a separate independent DPA (enforcement);
  • Allows remedies via the courts (enforcement);
  • ‘Border control’ as part of data export restrictions.
  On average, new data privacy laws outside Europe include 6 or 7 of these principles, in addition to the minimum OECD principles

  13. 2nd generation European standards in Asian laws

  14. 3rd G: New EU GDPR requirements (also included in Convention 108+)
  • Proportionality required in all aspects of processing;
  • Stronger consent requirements (‘unambiguous’ etc);
  • Greater transparency of processing;
  • Some mandatory Data Protection Impact Assessments (DPIAs);
  • Limits on automated decision-making, including the right to know processing logic (was also in EU Directive);
  • Data protection by design and by default;
  • Biometric and genetic data require extra protection;
  • Right to object to processing on legitimate grounds (also in Directive);
  • Direct liability for processors as well as controllers;
  • Data breach notification to DPA required for serious breaches;
  • DPAs to make decisions and issue administrative sanctions/remedies;
  • Demonstrable accountability required of data controllers;
  • Parties must allow and assist evaluation of effectiveness.

  15. 3rd G: GDPR innovations not explicitly included in Convention 108+
  • obligations to apply extra-territorially, if goods or services offered, or behaviour monitored locally;
  • local representation required of such foreign controllers or processors;
  • right to portability of data-subject-generated content;
  • right to erasure/de-linking (right ‘to be forgotten’);
  • mandatory Data Protection Officers (DPOs) for sensitive processing;
  • data breach notification (DBN) to data subjects (if high risk);
  • representative actions before DPAs/courts by public interest privacy groups;
  • maximum administrative fines based on global annual turnover; and
  • requirement to cooperate in resolving complaints with international elements, with any other DPA (as distinct from 108+ members).
  Some of these 9 may be implied by 108+.

  16. Early effects of the GDPR
  Survey of over 30 countries outside Europe shows these ‘GDPR principles’ enacted by at least 10 countries:
  • DPAs enabled to make binding decisions and issue administrative sanctions including fines;
  • Right to object to processing based on controller or public interests;
  • Data breach notification to DPA & to data subjects (+ US);
  • Stronger consent requirements;
  • ‘Sensitive data’ to include biometrics and/or genetic data;
  • Mandatory Data Protection Officers (DPOs) for some processing.
  All other new GDPR principles were adopted by 1-9 countries

  17. Standards to compare/assess data privacy laws – Enforcement standards
  • International agreements are less specific on what counts as effective enforcement
  • GDPR has the most specific enforcement requirements yet seen
  • Most widely-agreed necessary element is a specialist enforcement body (DPA)
  • Preferably an independent one
  • Theories of ‘responsive regulation’ give the best guide [see ADPL Chs 2&3]

  18. The idea of ‘responsive regulation’: What is needed for effective enforcement?
  Elements of ‘responsive regulation’ (Braithwaite, Parker et al):
  • Effective regulation requires multiple types of sanctions of escalating seriousness
  • It is an enforcement pyramid: sanctions at the top get used far less than the cheaper bottom layers
  • All forms of sanctions must be actually used when necessary
  • Use of each level of sanction must be visible to those regulated, consumers and the representatives of both
  • The higher levels are incentives for the lower levels to be made to work
  [Figure: Enforcement pyramid in a licensing system (Braithwaite 1993)]

  19. Global surveillance context of data privacy laws

  20. Regional vs National Structures

  21. I have a feeling we’re not in Brussels anymore

  22. Far away – Asia’s 26 jurisdictions

  23. 15/26 Asian countries with data privacy laws (or close to…)
  • Japan 1988 (public sector) + private sector 2003
  • South Korea 1995 (public sector) + private sector 2001
  • Hong Kong 1995 (comprehensive)
  • Taiwan 1995 (public sector + limited private sector)
  • Thailand 1997 (public sector); Comprehensive Law 2019
  • Macau 2006 (comprehensive)
  • Nepal 2007 (public sector)
  • Malaysia 2009 (private sector)
  • Vietnam 2010 (private sector)
  • India 2011 (private sector); Draft comprehensive Bill 2018
  • Philippines 2012 (comprehensive)
  • Singapore 2012 (private sector)
  • Indonesia 2012 + Regulation 2016 (private sector); Comprehensive Bill 2018
  • China 2011-18 (most private sector)
  • Bhutan 2018 (comprehensive)
  + Bills in Pakistan, Sri Lanka
  2nd generation laws:
  • Taiwan 2011 (comprehensive)
  • South Korea 2012+++
  • Hong Kong 2012
  • Japan 2015
  • Thailand 2019

  24. China [Map of China in the ‘Warring States’ period]

  25. China – The overall picture [ADPL Ch 7 ‘From Warring States to Convergence’]
  • Context – a one-party state relying on intensifying pervasive surveillance and censorship.
  • State interests will always override privacy.
  • Otherwise, consumer privacy is being given a surprising degree of respect and protection – at least for some people.
  • This is necessary to increase trust in e-commerce and e-governance within China.
  • The sources of privacy protection are extremely complex, and still not comprehensive, even in the private sector.
  • The key points are to understand (i) their scope; (ii) the interaction of protections; (iii) the extent of their consistency; and (iv) their implications for data transfers to and from China.

  26. China – The overall picture (2): New ‘cyber-sovereignty’ ideology of Xi Jinping regime
  • See work of Rogier Creemers, Scott Livingston, Anne Cheung etc
  • Internet as a central(ised) means of governing society and party:
    • new Central Leading Group for Cybersecurity and Informatization (Chair: Xi Jinping);
    • enhanced role of Cyberspace Administration of China (CAC)
  • Increasingly ‘securitised’ and seen as a threat/counter-threat:
    • technical security (post-Snowden), affecting banking software etc;
    • ideological security (greater cultural, social media censorship)
  • Social credit system merging public and private data sources
  • More surveillance intensity through CCTV + face recognition
  • Cyber-security regulations to prevent disclosure/export of data
  • A distinct Chinese approach to global cyber-governance:
    • Since White Paper on Internet (2010), Internet seen as an extension of national sovereignty (eg localisation of health information servers; now generalised)
    • Rejects multi-stakeholder processes in favour of governments
  Result: Post-2012 partial retreat from the rule of law

  27. China – Regulation time line
  • 2006/7: Draft Personal Information Protection Act, from Institute of Law; private & public sectors; included DPA; EU-influenced
  • Some Provinces enacted consumer privacy codes; piecemeal laws on money laundering, medical records, insurance, credit reporting etc
  • 2009-10 Major reforms: Criminal Law and Tort Liability Law
  From 2011-14: Series of largely consistent limited laws
  • 2011 MIIT (Min. of Industry & Info. Tech.) ‘Internet Information Services Regulations’
  • 2012 NPC Standing Committee ‘Decision’ (a law) on Internet Information Protection
  • 2013 MIIT Internet/telecommunications Regulations
  • 2013 MIIT Standardization Administration ‘Guidelines’ on Personal Information Protection in ‘computer information systems’
  • 2013 Consumer Law amendments by NPC Standing Committee
  Since 2016: Incomplete new series of laws based around Cybersecurity Law
  • 2016 Cybersecurity Law – most comprehensive & broadly applicable law yet
  • 2018 E-commerce Law – wide scope and right of access
  • 2018 Personal Information Security ‘Standard’ (not a law but treated as such)
  • 2019 Measures on …Cross Border Transfer – broader than expected
  • Data localisation aspects of ‘Measures’ still not complete
  • Personal Information Protection Law on NPC work program for period to 2023

  28. China – Emerging principles in 10+ laws & standards, 2011-19
  • Either (i) general ‘fair processing’ principles (in 3); or a detailed set of basic privacy rights (except for access rights)
  • ‘Personal information’: based on capacity to identify (ie conventional) – 2018 Standard has broadest definition
  • ‘Sensitive’ data generally not distinguished until 2018 Standard
  • De-identified data only exempted if identity ‘cannot be recovered’
  • Collection: consistently limited to what is necessary for purpose (‘minimal collection’)
  • Only MIIT Guidelines limit unfair methods of collection
  • Notifications at time of collection required
  • Limits on use / disclosure: uncertain – Cybersecurity Law more clearly limits these to purposes of collection (NPC-SC laws do not)
  • Data quality: still generally vague on data integrity etc

  29. China – Emerging principles (2)
  • Security: general requirements only
  • But data breach notification to authorities is always required (to data subject only in one)
  • Accountable controller always required
  • Public privacy policy required by 2
  • User rights are a weakness:
    • Correction explicit in Cybersecurity Law, implied earlier;
    • Access not explicit in Cybersecurity Law, only in 2018 Standard and 2018 E-commerce Law
  • Data export limitations only explicit since Cybersecurity Law (over)
  • Direct marketing: both NPC-SC laws require consent
  • Restrictions on automated processing – in Cybersecurity Law
  Conclusion: An emerging set of consistent principles, now stronger than OECD Guidelines, but diverging widely on data localisation and export limits

  30. China – Cybersecurity, data localisation, & export restrictions
  • 2019 Update p6; Cybersecurity Law (2016); draft Security Measures (2017) (withdrawn); draft Measures on Cross-border Transfers (June 2019)
  • Critical Information Infrastructure (CII) Operators in 2016 law:
    • obligations re personal & ‘important’ data (CII data)
    • But scope of CIIO definition was uncertain
  • Two forms of data localisation in 2016 law (attacked in WTO by US/EU) still uncertain because implementing measures not finalised:
    • CII data requires storage in ‘mainland China’ (localisation #1)
    • Export of some data is prohibited (localisation #2)
    • Other CII data can be exported (localisation #3) only if:
      • export is ‘truly necessary’ to business; &
      • security review passed (2019 draft removes self-assessment); &
      • data subject consent obtained, after detailed notice.
  • 2019 draft Measures apply to all transfers of personal information, not only those by CII operators

  31. China – Enforcement of laws & standards
  • No DPA; complex Ministry-based enforcement, under overall guidance of the Cyberspace Administration of China (CAC), by:
    • Ministry of Industry & Information Technology (MIIT)
    • State Administration of Industry & Commerce (SAIC)
    • ‘Telecommunications authorities’ at all levels
  • Administrative orders, penalties & publicity: 6 types are provided (fairly consistently) by these laws:
    1. Issuing warnings
    2. Orders for rectification / cessation of processing
    3. Administrative fines
    4. Confiscation of profits/illegal earnings, + punitive fines
    5. Adverse publicity, including in the press, and reports to MIIT
    6. Employment prohibitions; suspension/termination of businesses
  • Civil damages – consumer right of court action, often on the same basis as administrative fines (+ emerging actions under the Tort Law and the revised General Provisions of the Civil Law 2017)
  • Criminal offences – generally proceed under the Criminal Law

  32. China – Criminal Law
  • A 253 Criminal Law (7th Amendment, 2009)
    • Criminal penalties for institution or employee selling, otherwise illegally disposing, or offering to sell personal information if ‘serious’
    • Covers employees of government, hospitals, schools, and telecomm, financial, or transportation companies (+ ‘etc’)
    • Penalties also apply to those ‘illegally obtaining’ such data
    • Sentence up to 3 years plus monetary penalties
    • Reinforced by cl 1 of 2012 NPC Standing Committee ‘Decision’
  • Enforcement of A 253
    • There have now been at least 260 prosecutions; some examples:
    • Wang Shengrong case (2009): identity theft case to allow daughter to obtain educational credentials of victim (facts like Qi Yuling case)
    • Zhou Jianping case (2010): illegal purchase of log of telephone calls by high government officials; sold to others who used the logs to fraudulently impersonate officials. Purchaser sentenced to 18 months, others prosecuted for fraud.
  (continued over)

  33. China – Criminal Law (2)
  • Art. 253A (cont)
    • Shanghai Roadway case (2012): jail sentences of up to 2 years for four former executives of D&B’s China subsidiary, for purchasing data on 150M Chinese customers of insurance companies, banks.
    • Humphrey case (2013): 2017 Update p. 19 – UK expat Humphrey and his US citizen wife ran a business intelligence service (‘ChinaWhys’) in Shanghai. Convicted of illegal obtainment of 256 files of personal data, at about US$200 per file. Given 2.5/2 year jail sentences and US$56K fine. Did not matter that sellers were not from the listed industries (‘etc’ may mean ‘service industries’). What is ‘serious’?: here, files were less numerous than in other cases, but may have interfered in a corruption investigation [Livingston & Greenleaf]
  • Conclusion: A 253A is likely to continue to be a significant enforcement aspect of more serious privacy breaches in China
  • Foreigners are clearly not immune to this aspect of Chinese law

  34. China – Tort law
  • Constitutional right to privacy cannot found civil cases
    • Supreme People’s Court 2008 declaration that its Qi Yuling decision (2001) (on ID theft and the right to an education) no longer applied.
  • General Principles of Civil Law (GPCL) 2017
    • Little progress under previous version – privacy issues treated as defamation cases, following Judicial Interpretation (SPC) holding privacy to be subsidiary to the right of reputation – some succeeded.
    • Example – Wang Fei case (2008): website operator held liable for defamation, for website about the husband of a woman who committed suicide, resulting in him being harassed. Apology and compensation of about $1,000. (Appeal decision in ‘human flesh search engine’ case). Importance of case continues in the factors it sets out as to what constitutes an infringement of privacy.
    • 2017 new GPCL: ‘right to privacy’ is now a specific individual right (2018 Update p. 23)
  • Tort Liability Law 2009 – 2017 Update pp. 19-20
    • A ‘right to privacy’ (undefined) is included in the list of ‘civil rights and interests’, the breach of which leads to civil liability
    • Employers are vicariously responsible; ISPs are liable for torts committed using their networks, unless they take sufficient steps after notice (A 36)

  35. China – Tort law (2)
  • Supreme People’s Court Regulations (2014) – 2017 Update p. 20
    • ‘Concerning … handling civil dispute cases involving the use of information networks to harm personal rights and interests’
    • Only deals with privacy interferences via networks (A 36 of TLL), not ‘off line’ interferences.
    • Comprehensive 19-Article direction to all Chinese courts on handling cases under GPCL, TLL and NPC-SC Decision
    • Deals with substantive as well as procedural issues
    • Covers jurisdiction, joinder of parties, procedure, standards courts will apply on key questions of fact, sensitive information, remedies (apologies, damages etc)
    • Its application will affect all future cases of ‘privacy torts via networks’, and make such cases much more likely to arise.
  • Some minor cases, mainly to resolve disputes between individuals, and not commercial matters – but new cases under SPC Reg are not known.
  • Result: GPCL, Tort Law, & SPC regs provide a legislative civil action that Qi Yuling’s Case ultimately failed to constitutionalise, but as yet civil actions are not a major feature of Chinese privacy law.

  36. [ADPL Ch 4 ‘Hong Kong SAR – New Life for an Established Law’]

  37. Hong Kong SAR
  • Context: a liberal but only partly democratic SAR of the PRC; strong rule of law and non-corrupt courts.
    • 2019 crisis over extradition law & PRC hostility to democracy
    • APEC & APPA member; not part of APEC-CBPR
  • Basic Law provides constitutional protection
    • Used to find telecommunications surveillance unlawful
  • No common law privacy right or extended confidence
  • Personal Data (Privacy) Ordinance 1996
    • Combination of EU, OECD and UK influences: first comprehensive data protection law in Asia
    • Privacy Commissioner for Personal Data (PCPD): first ‘European’ model of a DPA in Asia
  • Amendment Ordinance 2012 (in force April 2013)
    • first significant change in 15 years; strengthens Act
    • fewer changes than Privacy Commissioner proposed

  38. Hong Kong SAR – Principles (1)
  • HK Ordinance covers all basic principles
    • Eastweek v PCO (2000): CA limited meaning of ‘personal data’ to exclude data collected without intention to identify (even though data otherwise sufficient for identification)
  • Additional principles (stronger than OECD basics)
    • ‘Publicly available information’ is still ‘personal data’
      • ‘Do No Evil’ s48(2) decision (2013) – government purpose (express or implied) limited use, not company’s purpose (p96); controversial, eg Deane (Deacons)
      • All public registers may have some implied limits on use
    • Collection by ‘unfair’ means
      • Sudden Weekly decision upheld by AAB (p95) – media intrusive practices were in breach, as ‘unfair’; Campbell distinguished; public figures have some privacy in HK
      • ‘Blind’ ‘recruitment’ advertisements used to gather personal data

  39. Hong Kong SAR – Principles (2)
  • Deletion required
    • Hang Seng Bank decision: reduced holding of bankruptcy data from 99 years to 8 years
  • Data matching controlled
    • PCPD authorisation required if comparing more than 10.
  • Direct marketing severely restricted
    • Pre-2012, mere opt-out at time of marketing required
    • Post-2012, consent to own marketing use must be obtained in advance (Part VIA); US$64K fine (p100)
    • For sale to others, similar opt-in, but fines up to US$125K.
  • Voluntary data breach notifications (all sectors)
    • 61 DBNs 2012-13; compliance check follows in all cases
  • ID numbers have largely unlimited use in public sector (except for data matching), and for avoidance of non-trivial losses in private sector
    • PCPD vigilance/complaints prevents unrestricted private sector use (p 104)
  • s33 data export limitations (not in force) – no effective export limits – 2014 draft Guidelines not followed up; cannot bring into force – applies to PRC mainland

  40. HK Amendment Ordinance 2012 – Enforcement (1)
  • PCPD powers still limited: cannot fine or compensate
    • Cathay Pacific data breach re 9.4M people (2019 Update p. 18): PCPD found numerous breaches, but could not fine or compensate; compensation cases before HK courts possible; potential GDPR extra-territorial liability
  • PCPD’s compliance notices (on complaint or own motion)
    • PCPD can direct a data user to remedy a breach, and specify how
    • No longer any need for likelihood of continuation before notice
    • Failure to comply is now an offence
    • Repeating the same breaches also now an offence (ADPL p.109)
  • Offences
    • Pre-2012, penalties for non-compliance were derisory
    • First jail sentence (4 weeks) for misleading PCPD (Dec 2014)
  • Rights of appeal to AAB
    • Complainants can appeal to Administrative Appeals Board against failure of PCPD to issue enforcement notice, or failure to investigate
  • Compensation cases before courts
    • District Court can award damages under s66, including for injury to feelings;
    • Full defence if D can show ‘reasonable care’, or inaccurate data from a 3rd party
    • Since 2012, PCPD can assist with preparation of case, or by providing legal aid (repaid from damages); no evidence this has been utilised.

  41. Hong Kong – Enforcement (2): Post-2014 decline?
  • 2017 Update pp.11-12: apparent decline in enforcement & transparency since 2014; 2019 Update p.18 indicates reversal
  • New Commissioner 2015; hosted ICDPPC 2017 (distraction).
  • Transparency?
    • Use of s48(2) ‘name & shame’ reports resumed; now 5 since 2015.
    • AAB appeal decision summaries resumed; most in Chinese only.
    • Case Notes resumed and updated; around 15 p/a.
    • Media statements on contentious issues were often Chinese-only, but during 2019 crisis in English as well.
  • Enforcement?
    • Two August 2018 prosecutions of Hutchison Telecom for failure to observe direct marketing opt-out: HK$20K fine (A$4K)
    • Hundreds of current cases of ‘doxing’ of both police and protesters
    • PCPD has no power to order ‘take downs’ or obtain injunctions; can only request
    • PCPD has referred 692 cases to Police for possible prosecution
    • Cathay Pacific data breach demonstrates weaknesses most clearly
  Result: Transparency restored, but enforcement powers now obviously too limited; no longer one of Asia’s leading jurisdictions

  42. [ADPL Ch 8 ‘Japan – The Illusion of Protection’]

  43. Japan
  • Privacy rights outside PPIA
    • Implied constitutional protection of privacy under A 13; never yet breached!
    • Civil Code: some negligent disclosure and ‘right to forget’ cases
  • Complexity of the main legislative structure (2003-)
    • Protection of Personal Information Act 2003 (PPIA) covers both private sector (principles and enforcement) & public sector (principles only)
    • 4 other Acts cover enforcement in the public sector etc
    • The ‘Basic Policy’ and the Cabinet Order on enforcement (both rev 2008) are relevant to all
    • 38 (non-binding) Guidelines for the private sector(s) set by each Ministry
    • Rationalisation based on METI Guidelines (rev 2009)
    • 1799 municipal Ordinances on data protection
  • 2015 PPIA Amendments – see 2017 Update pp 24-25
    • Major changes, closer to international standards
    • Created a DPA (PIPC) for 1st time, with independent status
    • Only in effect since May 2017: no track record yet

  44. Japan – Privacy Principles (post-2017) – 2019 Update p.8
  • Access and correction rights are now explicit
  • Deletion requirement for the first time
  • Disclosure limitation is undermined by ability to merely publish on a website (non-identified) details of intended disclosures and invite opt-outs (A 23(2));
    • Notice also required to PIPC, who must also publish it
  • Collection is not explicitly limited to what is necessary for the specified purpose (A 17)
  • Data export limitations, with PIPC to decide whitelist; PIPC can allow exports to APEC CBPRs-compliant companies (the ‘Japanese back door’) [but not for EU-sourced data]
  • Some notification of data breaches (DBN) required
  • Many weaknesses remain, compared with EU: 2019 Update, p.8
  Result: Japan’s principles were OECD basics or less; now closer to Asian average of 5/10 ‘European’ principles

  45. Japan – (non)Enforcement (pre-2017)
  • No basis for damages claims before Courts (or anyone else)
    • No provisions in Act for payment of compensation
    • Breach of PPIA does not give civil damages claim (2007 Tokyo District Court)
    • 2018 Benesse decision that birthdates of 35M children were ‘not private enough’
  • Investigation of complaints under PPIA (pre-2017)
    • Complaints may be filed with 4 types of bodies: (i) the business; (ii) 39 APIPOs (sectoral business bodies); (iii) local government; or (iv) National Consumer Affairs Centre – BUT not the relevant Ministry (which has enforcement power). But PPIA set out no procedures.
    • Only published outcomes are for 13 complaints to the National Consumer Affairs body from 2004-07: they explain nothing
    • No evidence of any outcomes by other mediation
    • The complaints system had zero transparency
  • Enforcement by Ministries
    • Ministries cannot issue fines; they could collect reports (often); make recommendations (7 in 7 years); and issue compliance orders (0 in 7 years) – so there were 0 prosecutions for non-compliance.
  Bottom line = no evidence of enforcement
  Question: Has anything changed?

  46. Japan – Enforcement? (post-2017)
  • Personal Information Protection Commission (PIPC) [from 2017]
    • Previous ‘Ministry-based’ system replaced by PIPC as a DPA for the private sector
    • Ministry of Internal Affairs (MIC) is DPA for public sector
    • PIPC (9 Commissioners) has strong legal independence
    • PIPC Rules implement Act & Cabinet Order (delegated legislation)
  • PIPC powers
    • strong powers to investigate, find breaches, and give advice/recommendations/orders
    • No PIPC administrative penalty (except US$3K for disobeying PIPC orders)
    • Fines following prosecutions are trivial (US$10K)
    • Still no powers to obtain compensation from courts or from PIPC
  Q: Will PIPC use its powers any more than the Ministries did?
  • PIPC website (English version) gives zero information on enforcement actions since 2017, or anything more than translations of regulations
  • Conclusion: Evidence is still absent of any enforcement of Japan’s law

  47. Japan – Legalising ‘Big Data’
  • See 2017 Update p.25; 2019 Update p.8; 2015 article
  • ‘Anonymous processed information’ (API) – PPIA requires PIPC to specify de-ID procedures which may be impossible – uncertainties
    • But API status results from following procedures, not from actually making re-identification impossible
    • Bulk API then becomes able to be disclosed/sold to others, but both discloser and recipient still have significant security and publicity obligations
  • Is there a business case for use of API?
    • Report by PIPC on API (Feb. 2017)
    • Extent of use of these procedures is unknown
  • API procedures do not apply to data originating from EU
    • Excluded under ‘Supplementary Rules’, to obtain EU adequacy

  48. Japan – EU adequacy status
  • See 2018 Update pp. 6-7; 2019 Update pp. 9-10
  • EU Commission Decision held Japan’s private sector laws ‘adequate’ under art. 45 of the GDPR (Jan. 2019): unrestricted transfer of personal data from EU to Japan
  • European Data Protection Board (EDPB) and EU Parliament (via LIBE Committee) neither endorsed nor rejected the EU COM decision.
  • In order to obtain adequacy, Japan’s PIPC issued ‘Supplementary Rules’ applying only to EU-sourced data:
    • Additional ‘special categories’ (sensitive data).
    • Preservation of protections with no time limits.
    • Preventing adding disclosures simply by website notice.
    • Requiring that API be ‘irreversible for anyone’ (ie objective).
    • Onward transfers to US companies based solely on APEC-CBPRs certification (the ‘Japanese back door’) are blocked – replaced with a consent requirement.

  49. Japan – EU adequacy status (2)
  • Main grounds for criticising COM’s Japan decision:
    • Can an ‘essentially equivalent’ law exclude Japanese citizens?
    • Still no evidence of enforcement; how is Japan’s enforcement regime ‘essentially equivalent’ to GDPR?
    • Is consent a sufficient basis for an onward transfer regime?
    • How significant are other gaps between Japan and EU?
      • automated decisions; design & default; DBN; data portability
      • how important are these to adequacy? (‘essentially equivalent’)
    • Limits on public sector access to private sector data? (vital in Schrems case) might not be strong enough
      • Annexures to Decision, signed by Japan, purport to limit this
    • ‘Readily collated’ requirement in Japan’s definition of PI
      • will some EU personal data not be protected? (not raised)

  50. Japan – EU adequacy status (3)
  • Result
    • Only CJEU can reverse COM decisions (as occurred under the Directive with EU-US ‘Safe Harbor’ in the Schrems case)
    • eg if NOYB NGO (Schrems) challenged a transfer to Japan
    • But EDPB pushed COM to agree to review the decision in 2 years, not 4: pressure on Japan?
  • Decision is vital to the future credibility of adequacy
    • Will other countries say ‘I’ll have what Japan had’?
