Global Privacy
This is MoFo. 2
And elsewhere …
North America: Canada, Mexico, United States
Central & South America: Argentina, Brazil (Pending), Chile, Colombia, Costa Rica, Ecuador (Pending), Paraguay (Limited), Peru, Uruguay
Middle East: Israel, UAE (DIFC), Qatar (Financial Center only)
Africa: Angola, Morocco, South Africa (Pending), Tunisia
Asia-Pacific Rim: Australia, China (Limited), Hong Kong, India, Japan, Macao, Malaysia, New Zealand, Philippines (Pending), Singapore (Pending), South Korea, Taiwan, Thailand (Pending), Vietnam (Limited)
Common Elements in Privacy Laws
Notice
Choice
Access
Security
Audit and Enforcement
Agreements with Third Parties
Cross-border transfers
Australia
Omnibus law regulates the collection, use, and disclosure of personal data by the private sector
Australia (cont’d)
Law amendments under review by Parliament
Amendments would create a unified set of Privacy Principles to cover both the private and public sectors
China
No constitutional right to privacy
Criminal law amended in 2009 to make sale or other unauthorized disclosure of certain personal data a criminal offense
Tort liability law, effective July 1, 2010, recognizes independent right of privacy; private rights of action for civil damages possible
Anti-spam regulations issued in March 2006
Privacy legislation possible – either a separate statutory protection for the right to privacy or statutory extension of the right to personal dignity under the Constitution
China (cont’d)
Internet Regulations issued in December 2011, governing the collection, storage and use of personal information by Internet companies
Internet Information Service Providers must provide notice and obtain users’ prior consent when collecting personal information or providing it to others
Limitations on use and general security requirements
Breach of the requirements subject to sanctions that include rectification orders, warnings and penalties ranging from RMB10,000 to RMB30,000
Hong Kong
Omnibus law — Personal Data (Privacy) Ordinance
Notice, use and disclosure regulated
No database registration required
Cross-border transfer restriction is not operative and no implementation date has been set
Statutory penalties and private rights of action possible
Anti-Spam Law enacted in 2007
Voluntary Security and Data Breach Guidelines issued
The Personal Data (Privacy) Amendment Bill introduced into Hong Kong’s Legislative Council in July 2011; expectation that it will be enacted before the end of 2012
New rules in areas such as direct marketing, data security, data breach notification, and data transfers possible
Japan
Omnibus law — Law Concerning the Protection of Personal Information (“PIPL”)
Japan (cont’d)
Implied consent not necessary if
Transfer is to a “Delegatee” (service provider)
Transfer compliant with specific notice and opt-out requirements and when used for direct marketing purposes
Korea
Consent
“Separate” consent is required for each stage of handling of personal data:
collection and use
transfer to a third party
(handling of) particular identification data
(handling of) sensitive data
Many details required — i.e., the names of all third-party recipients must be listed
Trans-border transfer:
(1) consent from the data subject is required, and/or
(2) transfer contract in line with Korean law
Korea (cont’d)
Notice (separate from the notification for informed consent):
Items of personal data to be handled
Purposes of use of personal data
Retention and use periods
Information on transfer of personal data to a third party, outsourcing and destruction of personal data
Korea (cont’d)
Security – technical, administrative and physical
Supervisory authority (MOPAS) has specified details:
establishment and implementation of an internal management plan
keeping access records
prevention of falsification of such records
access control
password control
installation and operation of an access control system
anti-virus programs
encryption of devices
Korea (cont’d)
Data Breach Notification/Report
Notification to affected data subjects, to specify
Items of personal data breached
Date/time of data breach
Measures to take to minimize possible damages
Available remedies
Report to the authority: upon a leak involving 10,000 or more data subjects
Korea (cont’d)
Liability/Penalties
Violation may entail criminal punishment (e.g., imprisonment of up to 5 years and USD 50K), administrative sanctions, and civil liability
Malaysia
Personal Data Protection Bill 2009 given Royal Assent and published in June 2010; however, date of entry into force still to be determined
Personal Data Protection Commission expected to be set up in 2012; implementing regulations need to be issued
Notice, use and disclosure regulated
Classes of data users that must register their databases to be determined
Cross-border transfer restrictions
Fines and imprisonment possible
Directors equally liable for offenses committed by the organization
New Zealand
Privacy Act 1993 applies to private and public sectors
Notice, use and disclosure regulated
No database registration required
Philippines
Constitutional right to privacy
EU-style draft legislation has been approved by both the House and the Senate
Senate version of the bill (SB 2965) will need to be reconciled by bicameral conference committee with HB 4115 and then sent to President Benigno Aquino to consider and sign
Draft legislation would create a national Privacy Commission to enforce regulations, receive complaints, institute investigations, issue injunctions and recommend penalties to the Department of Justice
Singapore
No data protection law is in place
Voluntary Model Data Protection Code sets out 11 data protection principles for adoption by the private sector
Processing of employment data and data for personal, journalistic and scientific research use are exempt from the Code
Continued reliance on self-regulatory regime will depend on whether companies adopt the voluntary guidelines
Ministry of Information, Communications and the Arts issued detailed proposals for a draft Personal Data Protection Bill; public comment period ended April 30, 2012
Government plans to introduce the bill in Parliament by the third quarter of 2012
Anti-Spam Law enacted in 2007
Taiwan
Computer Processed Personal Data Protection Act
Taiwan (cont’d)
Argentina
Very similar to Spain
The scope of the law is relatively narrow — applies to databases that are shared
Requires notice and opt-in consent to process personal information or to share information with affiliated companies
Prohibits transborder transfers to countries without “adequate” data protection
Protective contracts or consent of individual is required if no adequacy finding
• Argentina has not issued any adequacy findings, so organizations must rely on protective contracts or the consent of the individual
Criminal sanctions, administrative penalties, and private right of action possible
Brazil
Draft privacy legislation pending in Congress
Public consultation on a draft bill started in April 2011; Ministry of Justice will now revise and present draft bill to Congress
Current bill requires: express consent to process all personal information; express consent to disclose personal information to third parties with no exceptions; express consent, or another exception, to transfer personal information to inadequate countries; provision of unfettered rights of access to personal information
Chile
First country in Latin America to enact data privacy law
Notice and consent required
Written consent required to disclose sensitive information
No database registration
Access and correction rights
Must keep personal information secret and confidential
No cross-border restrictions, but confidentiality agreements must be in place to transfer nonpublic personal information to third parties
New legislation introduced in 2008 but no action has been taken by the legislature
Colombia
Habeas data law enacted in 2008 gives individuals the constitutional right to know, update, and correct information about them contained in databases
Controversy regarding the scope of the 2008 Law about whether it applies only to financial data or more broadly regulates the collection, use, storage and transfer of financial, credit, services and commercial data
Comprehensive new data privacy law approved by Congress in late 2010; Constitutional Court upheld majority of the law’s provisions
The law, which must be signed by the President before it enters into force, requires an individual’s specific consent to collect, use, store, and/or transfer personal data
Timetable for enactment unknown
Mexico
Data privacy law approved by Congress in April 2010 and entered into force July 5, 2010
Regulations issued in September 2011
Notices must be provided at the time of collection
Access and Correction Rights
A data privacy person or office must be designated to process requests from individuals who wish to exercise their rights under the law
Consent
Implied (opt-out) sufficient in most instances
Written express consent to process financial or asset data and sensitive personal information
Mexico (cont’d)
Individuals must be notified immediately in the event of a security breach that significantly affects their "equity or legal rights"
Organizations must have contracts in place with third parties that require the third parties to treat the data in accordance with the privacy notice provided to the individual and assume the same obligations as the organization that is transferring the data
Data Transfers
Domestic or international transfers of data without consent to affiliated entities that operate under the same internal processes and policies
Other exceptions such as contractual necessity
No Registration
Peru
Omnibus data privacy law enacted July 5, 2011
Regulates the collection, use and disclosure of personal information by private sector organizations
Establishes a Data Protection Authority that will report to the Ministry of Justice
Requirements include:
Express consent needed in many instances to collect, use and disclose personal information
Database registration
Data may not be transferred to third countries that do not provide an adequate level of protection
Grants DPA the power to impose sanctions on organizations that violate the law
Peru (cont’d)
Only Title II provisions establishing the data protection principles and creating the DPA and the multi-sectoral commission responsible for developing the implementing regulations now in effect
Other provisions to become effective 30 days after the implementing regulations are published
Timetable for issuance of regulations unknown
Uruguay
EU-style data protection law enacted in August 2008 (Implementing Decree in August 2009)
Prior notice and opt-in consent are required to process personal data unless an exception applies
Access must be provided and individuals may request rectification, updating, inclusion, or deletion of personal data
Database registration required
Obligation to report security violations that significantly affect the interests of the individuals concerned; however, unclear to whom notice must be given
Cross-border transfers of personal data to countries not deemed “adequate” are prohibited without opt-in consent, unless an exception applies
Administrative penalties and a private right of action
Forest/Trees
Focus on core substantive obligations
Notice
Choice
Security
Service Providers
Evaluate Risky Areas
Collection of information over the Internet and email
Access to sensitive files by employees and independent contractors
Access to credit card information
Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives
Data to be transmitted to any third party
Storage and disposal of paper records
Data center moves/consolidations
Transfer and use by service provider/outsourcing
How Must Information Be Protected?
Technical
Firewalls, anti-virus, and anti-spyware protections
Periodic changing of (non-default) IDs and passwords
Access controls (important when someone leaves the company)
Encryption
Limit access to that which is necessary to perform duties
Basic rules for employees
Do not email sensitive or special PI
Do not access more than that which is needed
Create and use secure documents
Use passwords
How Must Information Be Protected? (cont’d)
Physical
Lock file cabinets
Shred appropriately (do not put PI in the garbage)
Check litigation/document holds before disposing of any documents
Control movement of personnel into, through, and out of offices
Enforce procedures for card keys and other access controls
Monitor employees with access to customer and Human Resources data
How Must Information Be Protected? (cont’d)
Administrative
Technology use policy
Blogging and social networking, peer-to-peer file sharing programs, remote access, use of laptops
Security breach notification procedure
How is unauthorized access or acquisition reported?
Who is on the immediate response team?
Confidentiality policy
Does it cover confidential information and Personal Information?
Training
Audit
Specific Controls
Background checks
Non-Disclosure Agreements
Video cameras on site
Physical segregation of customer data
Firewalls/virus controls
Servers locked to shelves
Separate and locked server room
Encryption of laptops
Limitations on remote access
USB/Memory Sticks
Cell phones/iPods in service centers
Employee Training and Awareness
All employees with access to PI should be trained in data security policy and procedures, and refresher training should be provided as necessary
Important to have follow-up to assess employees’ awareness
Consider Non-Disclosure Agreements (NDAs) with employees
Employees should be advised that violations of data protection policy will result in disciplinary action
Think creatively about training
Questions?
Ann Bevitt, London
abevitt@mofo.com
Mofoprivacy.com