Data Protection Masterclass VI: Global Privacy

©2012 Morrison & Foerster LLP | All Rights Reserved | mofo.com


May 24, 2012
Ann Bevitt
Karin Retzer
Miriam Wugmeister
Data Protection Laws in Europe
 30 Member States of the European Economic Area
 Azerbaijan
 Belarus
 Bosnia & Herzegovina
 Channel Islands
 Croatia
 Isle of Man
 Russia
 Serbia
 Switzerland
 Ukraine

This is MoFo. 2
And elsewhere …
 North America
 Canada
 Mexico
 United States
 Central & South America
 Argentina
 Brazil (Pending)
 Chile
 Colombia
 Costa Rica
 Ecuador (Pending)
 Paraguay (Limited)
 Peru
 Uruguay
 Middle East
 Israel
 UAE (DIFC)
 Qatar (Financial Center only)
 Africa
 Angola
 Morocco
 South Africa (Pending)
 Tunisia
 Asia-Pacific Rim
 Australia
 China (Limited)
 Hong Kong
 India
 Japan
 Macao
 Malaysia
 New Zealand
 Philippines (Pending)
 Singapore (Pending)
 South Korea
 Taiwan
 Thailand (Pending)
 Vietnam (Limited)

Common Elements in Privacy Laws
 Notice
 Choice
 Access
 Security
 Audit and Enforcement
 Agreements with Third Parties
 Cross-border transfers

Australia
 Omnibus law regulates the collection, use, and disclosure of personal data by the private sector
 An organization may transfer personal data to a recipient in a foreign country only if it is subject to a “substantially similar” privacy regime. Organizations must determine for themselves what constitutes “substantially similar”
• Administrative penalties and private right of action possible
• No limits on damages

Australia (cont’d)
 Law amendments under review by Parliament
 Amendments would create a unified set of Privacy Principles to cover both the private and public sectors
 Second stage of amendments to clarify or remove certain exemptions such as the employee records exemption, require breach notification, establish a private right of action, and harmonize national, state and provincial privacy laws

China
 No constitutional right to privacy
 Criminal law amended in 2009 to make sale or other
unauthorized disclosure of certain personal data a criminal
offense
 Tort liability law, effective July 1, 2010, recognizes independent
right of privacy; private rights of action for civil damages
possible
 Anti-spam regulations issued in March 2006
 Privacy legislation possible – either a separate statutory
protection for the right to privacy or statutory extension of the
right to personal dignity under the Constitution

China (cont’d)
 Internet Regulations issued in December 2011, governing the
collection, storage and use of personal information by Internet
companies
 Internet Information Service Providers must provide notice and
obtain users’ prior consent when collecting personal
information or providing it to others
 Limitations on use and general security requirements
 Breach of the requirements subject to sanctions that include
rectification orders, warnings and penalties ranging from
RMB10,000 to RMB30,000

Hong Kong
 Omnibus law — Personal Data (Privacy) Ordinance
 Notice, use and disclosure regulated
 No database registration required
 Cross-border transfer restriction is not operative and
no implementation date has been set
 Statutory penalties and private rights of action possible
 Anti-Spam Law enacted in 2007
 Voluntary Security and Data Breach Guidelines issued
 The Personal Data (Privacy) Amendment Bill was introduced into Hong Kong’s Legislative Council in July 2011; expectation that it will be enacted before the end of 2012
 New rules in areas such as direct marketing, data security, data
breach notification, and data transfers possible

Japan
 Omnibus law — Law Concerning the Protection of Personal Information (“PIPL”)
 Framework legislation, implemented by Ministry Regulations (34 guidelines issued by 12 ministries)
 No cross-border limitation — based on accountability
 Opt-in consent for transfer of personal information to third parties
 “Third parties” include subsidiaries, affiliates, group companies, franchisees, foreign companies, and joint marketing partners
 Criminal sanctions and administrative penalties for violations

Japan (cont’d)
 Implied consent not necessary if
 Transfer is to a “Delegatee” (service provider)
 Transfer compliant with specific notice and opt-out requirements and when used for direct marketing purposes
 Transfer is pursuant to M&A transaction or
 Other exceptions — if transfer is pursuant to a law or ordinance; if necessary to protect life, person or property and consent is difficult to obtain; if necessary to improve public safety or protect children and consent is difficult to obtain; or if cooperation is required by government agencies

Korea
 Consent
 “Separate” consent is required for each stage of handling of personal data:
 collection and use
 transfer to a third party
 (handling of) particular identification data
 (handling of) sensitive data
 Lots of details required — e.g., listing the names of all third-party recipients
 Trans-border transfer:
(1) consent from the data subject is required, and/or
(2) transfer contract in line with Korean law

Korea (cont’d)
 Notice (separate from the notification for informed consent):
 Items of personal data to be handled
 Purposes of use of personal data
 Retention and use periods
 Information on transfer of personal data to a third party, outsourcing and destruction of personal data
 Rights of data subjects
 Protective measures for data security

Korea (cont’d)
 Security – technical, administrative and physical
 Supervisory authority (MOPAS) has specified details:
 establishment and implementation of an internal management plan
 keeping access records
 prevention of falsification of such records
 access control
 password control
 installation and operation of an access control system
 anti-virus programs
 encryption of devices

Korea (cont’d)
 Data Breach Notification/Report
 Notification to affected data subjects, to specify:
 Items of personal data breached
 Date/time of data breach
 Measures to take to minimize possible damages
 Available remedies
 Report to the authority: upon a leak involving 10,000 or more data subjects

Korea (cont’d)
 Liability/Penalties
 Violation may entail criminal punishment (e.g., imprisonment of up to 5 years and USD 50K), administrative sanctions, and civil liability.
 Companies subject to hacking are sanctioned: criminal, administrative and civil liabilities.

Malaysia
 Personal Data Protection Bill 2009 given Royal Assent and published in June 2010; however, date of entry into force still to be determined
 Personal Data Protection Commission expected to be set up in 2012; implementing regulations need to be issued
 Notice, use and disclosure regulated
 Classes of data users that must register their databases to be determined
 Cross-border transfer restrictions
 Fines and imprisonment possible
 Directors equally liable for offenses committed by the organization
 Once the Act becomes effective, organizations have three months to come into compliance

New Zealand
 Privacy Act 1993 applies to private and public sectors
 Notice, use and disclosure regulated
 No database registration required
 Government currently conducting full scale law review
 Enacted the Privacy (Cross-border Information) Amendment Act in 2010, empowering the Privacy Commissioner to prohibit the onward transfer of personal information received from overseas
 In April 2011, EU’s Article 29 Working Party adopted an adequacy opinion

Philippines
 Constitutional right to privacy
 EU-style draft legislation has been approved by both the House
and the Senate
 Senate version of the bill (SB 2965) will need to be reconciled
by bicameral conference committee with HB 4115 and then sent
to President Benigno Aquino to consider and sign
 Draft legislation would create a national Privacy Commission to enforce regulations, receive complaints, institute investigations, issue injunctions and recommend penalties to the Department of Justice

Singapore
 No data protection law is in place
 Voluntary Model Data Protection Code sets out 11 data protection principles
for adoption by the private sector
 Processing of employment data and data for personal, journalistic
and scientific research use are exempt from the Code
 Continued reliance on self-regulatory regime will depend on whether
companies adopt the voluntary guidelines
 Ministry of Information, Communications and the Arts issued
detailed proposals for a draft Personal Data Protection Bill;
public comment period ended April 30, 2012
 Government plans to introduce the bill in Parliament by the
third quarter of 2012
 Anti-Spam Law enacted in 2007

Taiwan
 Computer Processed Personal Data Protection Act
 Covers limited private entities — financial, securities, insurance, mass media, and telecommunications companies
 Database registration and opt-in consent required
• Amendment approved by Parliament in April 2010 eliminated the registration requirement and will extend coverage to all sectors, public and private, once fully implemented
 Criminal, civil, and administrative penalties for violations; private right of action
 However, new government took office in February 2012 and delayed implementation

Taiwan (cont’d)

 Concern about the draft implementing regulations issued in October 2011
• Government to consult with businesses and the financial sector and research cross-border-related issues
• Any revisions to the underlying law would be sent to Parliament for approval
 Unclear if Cabinet would be able to finalize a proposal and get it to lawmakers before the end of the legislative session in late June 2012

Argentina
 Very similar to Spain
 The scope of the law is relatively narrow — applies to databases that are shared
 Requires notice and opt-in consent to process personal information or to share information with affiliated companies
 Prohibits transborder transfers to countries without “adequate” data protection
 Protective contracts or consent of the individual is required if no adequacy finding
• Argentina has not issued any adequacy findings, so organizations must rely on protective contracts or the consent of the individual
 Criminal sanctions, administrative penalties, and private right of action possible

Brazil
 Draft privacy legislation pending in Congress
 Public consultation on a draft bill started in April 2011; Ministry of Justice will now revise and present draft bill to Congress
 Current bill requires: express consent to process all personal information; express consent to disclose personal information to third parties with no exceptions; express consent, or another exception, to transfer personal information to inadequate countries; provision of unfettered rights of access to personal information
 Sensitive information, such as health information, is protected under the Constitution; consumer data is protected under the Consumer Defense Code
 For consumer data, there are notice, access, and correction obligations as well as a consent requirement in order to transfer data

Chile
 First country in Latin America to enact data privacy law
 Notice and consent required
 Written consent required to disclose sensitive information

 No database registration
 Access and correction rights
 Must keep personal information secret and confidential
 No cross-border restrictions, but confidentiality agreements must be in place to transfer nonpublic personal information to third parties
 New legislation introduced in 2008 but no action has been taken
by the legislature

Colombia
 Habeas data law enacted in 2008 gives individuals the
constitutional right to know, update, and correct information about
them contained in databases
 Controversy regarding the scope of 2008 Law about whether it
applies only to financial data or more broadly regulates the
collection, use, storage and transfer of financial, credit, services
and commercial data
 Comprehensive new data privacy law approved by Congress in
late 2010; Constitutional Court upheld majority of the law’s
provisions
 The law, which must be signed by the President before it enters
into force, requires an individual’s specific consent to collect, use,
store, and/or transfer personal data
 Timetable for enactment unknown

Mexico
 Data privacy law approved by Congress in April 2010 and
entered into force July 5, 2010
 Regulations Issued in September 2011
 Notices must be provided at the time of collection
 Access and Correction Rights
 A data privacy person or office must be designated to process
requests from individuals who wish to exercise their rights
under the law
 Consent
 Implied (opt-out) sufficient in most instances
 Written express consent to process financial or asset data and sensitive
personal information

Mexico (cont’d)
 Individuals must be notified immediately in the event of a security
breach that significantly affects their "equity or legal rights"
 Organizations must have contracts in place with third parties that
require the third parties to treat the data in accordance with the privacy
notice provided to the individual and assume the same obligations as
the organization that is transferring the data
 Data Transfers
 Domestic or international transfers of data without consent to affiliated entities that
operate under the same internal processes and policies
 Other exceptions such as contractual necessity
 No Registration

 Possible penalties include large fines and jail time

Peru
 Omnibus data privacy law enacted July 5, 2011
 Regulates the collection, use and disclosure of personal
information by private sector organizations
 Establishes a Data Protection Authority that will report to the
Ministry of Justice
 Requirements include:
 Express consent needed in many instances to collect, use and disclose
personal information
 Database registration
 Data may not be transferred to third countries that do not
provide an adequate level of protection
 Grants DPA the power to impose sanctions on organizations
that violate the law

Peru (cont’d)
 Only Title II provisions establishing the data protection
principles and creating the DPA and the multi-sectoral
commission responsible for developing the implementing
regulations now in effect
 Other provisions to become effective 30 days after the
implementing regulations are published
 Timetable for issuance of regulations unknown

Uruguay
 EU-style data protection law enacted in August 2008 (Implementing Decree in August 2009)
 Prior notice and opt-in consent are required to process personal data
unless an exception applies
 Access must be provided and individuals may request rectification,
updating, inclusion, or deletion of personal data
 Database registration required
 Obligation to report security violations that significantly affect the
interests of the individuals concerned; however, unclear to whom
notice must be given
 Cross-border transfers of personal data to countries not deemed
“adequate” are prohibited without opt-in consent, unless an exception
applies
 Administrative penalties and a private right of action

Forest/Trees
 Focus on core substantive obligations
 Notice
 Choice
 Security
 Service Providers

 Look for commonalities

 Stay involved – changes weekly

Evaluate Risky Areas
 Collection of information over the Internet and email
 Access to sensitive files by employees and independent
contractors
 Access to credit card information
 Transmission, storage, and disposal of computerized data,
including data contained on disks and hard drives
 Data to be transmitted to any third party
 Storage and disposal of paper records
 Data center moves/consolidations
 Transfer and use by service provider/outsourcing

How Must Information Be Protected?
 Technical
 Firewalls, anti-virus, and anti-spyware protections
 Periodic changing of (non-default) IDs and passwords
 Access controls (important when someone leaves the company)
 Encryption
 Limit access to that which is necessary to perform duties
 Basic rules for employees
 Do not email sensitive or special PI
 Do not access more than that which is needed
 Create and use secure documents
 Use passwords

How Must Information Be Protected? (cont’d)
 Physical
 Lock file cabinets
 Shred appropriately (do not put PI in the garbage)
 Check litigation/document holds before disposing of any documents
 Control movement of personnel into, through, and out of offices
 Enforce procedures for card keys and other access controls
 Monitor employees with access to customer and Human Resources data

How Must Information Be Protected? (cont’d)
 Administrative
 Technology use policy
 Blogging and social networking, peer to peer file sharing programs,
remote access, use of laptops
 Security breach notification procedure
 How is unauthorized access or acquisition reported?
 Who is on the immediate response team?
 Confidentiality policy
 Does it cover confidential information and Personal Information?
 Training
 Audit

Specific Controls
 Background checks
 Non-Disclosure Agreements
 Video cameras on site
 Physical segregation of customer data
 Firewalls/virus controls
 Servers locked to shelves
 Separate and locked server room
 Encryption of laptops
 Limitations on remote access
 USB/Memory Sticks
 Cell phones/iPods in service centers

Employee Training and Awareness
 All employees with access to PI should be trained in data
security policy and procedures and refresher training should be
provided as necessary
 Important to have follow-up to assess employees’ awareness
 Consider Non-Disclosure Agreements (NDAs) with employees
 Employees should be advised that violations of data protection
policy will result in disciplinary action
 Think creatively about training

Questions?
 Ann Bevitt, London
abevitt@mofo.com
 Karin Retzer, Brussels
kretzer@mofo.com
 Miriam Wugmeister, New York
mwugmeister@mofo.com
 Mofoprivacy.com
