Asia-Pacific data privacy: 2011, year of revolution?


Asian Data Privacy Laws 2013 Roundtable
Professor Graham Greenleaf AM
Professor of Law & Information Systems, University of New South Wales
Asia-Pacific Editor, Privacy Laws & Business International Report
Pinsent Masons, London, 1 October 2013

Asia – 28 jurisdictions but no centre - No Brussels, Strasbourg, ECJ, ECtHR, Directives, no A29WP

Asia in global context: mid-2013

• Significant 2011-13 events in half of the 28 jurisdictions
  – 12 Asian jurisdictions now have data privacy Acts, covering both sectors (6) or their public sector (2) or private sector (4) only
  – Add China & Indonesia with substantial IT sector laws = 14
  – 5 of these have very substantially strengthened their laws recently
  – 2 laws are only yet partially in force
  – 1 more has a Bill pending for a new law extending existing coverage, and Bills are reported in draft in others
• Every law differs substantially from all others
• None yet have EU ‘adequacy’ findings or CoE 108 accessions
• Information on national laws is very hard to obtain
  – Key documents are often not available in European languages
  – Information about enforcement & complaints is even harder to find

Global development of data privacy laws & standards

1. The global context

• How many countries have data privacy laws?
• What is the global trajectory of development?
• What Principles do these laws apply?

2. How do we evaluate & compare these laws?

• Standards for data privacy principles
• Comparing enforcement: responsive regulation
• Comparing data export laws (special focus)

How many countries now have data privacy laws?

1. What is a ‘country’ for this purpose?
  – A separate legal jurisdiction (eg HK, Macau, Jersey, Greenland)
2. What’s a law?
  – It’s a law: not self-regulation or trustmarks
  – But any type of enforcement by law must be accepted
  – This is only a Q of whether a DP law exists, not ‘adequacy’
3. What scope must a law have?
  – Must cover either or both of private and public sectors
  – Almost all cover both public & private sectors
  – 5 Public sector only (must cover national government)
  – 6 Private sector only (must cover most of sector)
4. What content must a data privacy law have? …

4. What content must a data privacy law have?

• The ‘basic’ standard of all international agreements
  – Initially OECD Guidelines (1980) & CoE Convention (1981)
  – Also shared by EU (1995) and APEC (2004)
• Must include ‘most’ basic principles
  – Can’t require all 15, or too strict
  – Eg no explicit ‘openness’ principle in 5/10 Asian laws
• Testing against 10 Asian laws: averaged 13.6/15
  – India & Malaysia’s 11/15 is probably minimum acceptable
  – Vietnam was 11/15, now 13 through new 2013 Decree
• Conclusion: Must include minimum 11/15
  – including access/correction + security + some finality principles

‘Basic’ principles in 10 Asian laws

Principles assessed:
– Collection by lawful means
– Collection by fair means
– Purpose of collection ‘specified’ by time of collection
– Collection with knowledge or consent, when from data subject
– Data quality – relevant, accurate, complete & up-to-date
– Uses limited to purpose of collection, with consent or by law
– Disclosure limited to collection purpose, with consent or by law
– Secondary uses and disclosures only allowed if compatible
– Secondary purpose ‘specified’ at change of use
– Security safeguards – ‘reasonable’
– Openness re personal data policies
– Access to individual personal data
– Correction of individual data
– Accountable data controller

Total /15 by jurisdiction:
HK 14 | IN 11 | JN 14 | KR 15 | MA 15 | MY 11 | PH 13 | TW 15 | SN 15 | VN 13 | TTL (average) 13.6

How many countries now have a data privacy law?

• A: 101 (as at 30 August 2013)
  – Article in materials is to June 2013
  – + add Kazakhstan and South Africa
• 90/101 cover both sectors
  – 5 Public sector only (Thailand, Yemen, USA, Nepal, Zimbabwe)
  – 6 Private sector only (Vietnam, Singapore, Malaysia; India, Qatar & Dubai SEZs)

Result: 101 countries now have data privacy laws
To this map, add Kazakhstan and South Africa – new Acts since mid-2013
Map created by interactive maps: http://www.ammap.com

22 Acts & 19 Bills this decade

Acts 2010: Georgia; Faroe Is.; Kosovo; Malaysia; Vietnam; Mexico
Acts 2011: Angola; Costa Rica; Gabon; India; Peru; St Lucia; Trinidad & Tobago; Ukraine
Acts 2012, Acts 2013 and Bills: Ghana; Nicaragua; Philippines; Kazakhstan; Nigeria; Thailand; South Africa; Brazil; Turkey; Madagascar; Tanzania; Singapore; Yemen; Georgia; Kenya; Falkland Islands; Qatar; Jamaica; Mali; Niger; Ivory Coast; + 5 others in Caribbean

105-10 data privacy laws by 2015?

This map adds 20 countries with known official data privacy Bills
Map created by interactive maps: http://www.ammap.com

Jurisdictions by decade: From rare to common

[Chart: jurisdictions with data privacy laws by decade (1973-79, 1980-89, 1990-99, 2000-09, 2010-13); series ‘New in Decade’ and ‘Existing’]
101 jurisdictions with data privacy laws by August 2013

Regional spread of data privacy laws

By Region:
– Australasia: 2
– Pacific Is: 0
– Asia: 12
– Latin Am: 9
– North Am: 2
– Sub-S Africa: 11
– N. Af/M-East: 6
– Central Asia: 2
– Caribbean: 4
– EU: 28
– Other Eur: 25

101 laws: 53 European, 48 outside Europe (August 2013)

Data privacy laws beyond Europe

• A: 47/100 jurisdictions are outside Europe
  – EU: 28 (all); Other European: 25 (2 not: Turkey, Belarus)
  – Asia: 12; Latin America: 9; Sub-Saharan Africa: 10; N.Africa + M-East: 6; Caribbean: 4; A’asia: 2; N. America: 2; Central Asia: 2
• Implications:
  – Most of the world is adopting data privacy laws: no longer a ‘European thing’
  – Most growth will now occur outside Europe
  – By 2014-16, the majority of laws will be outside Europe
  – When most of the commercially significant world has such laws, the focus will not be European ‘data exports’ [4]

Countries with no Acts or Bills

Afghanistan; Algeria; Bahrain; Bangladesh; Belarus; Belize; Bermuda; Bhutan; Bolivia; Botswana; British Virgin Islands; Brunei Darussalam; Burundi; Cambodia; Cameroon; Central African Republic; Chad; China; Comoros; Congo, Republic; Congo, Democratic Republic; Cuba; Djibouti; Ecuador; Egypt; El Salvador; Equatorial Guinea; Eritrea; Ethiopia; Fiji; Gambia; Guatemala; Guinea; Guinea-Bissau; Guyana; Haiti; Honduras; Indonesia; Iran; Iraq; Jordan; Kiribati; Korea, North; Kuwait; Lao PDR; Lebanon; Lesotho; Liberia; Libya; Malawi; Maldives; Marshall Islands; Mauritania; Micronesia; Mongolia; Mozambique; Myanmar; Namibia; Nauru; Oman; Pakistan; Palau; Palestine; Panama; Papua New Guinea; Rwanda; Samoa; Sao Tome and Principe; Saudi Arabia; Sierra Leone; Solomon Islands; Somalia; Sri Lanka; Sudan; Suriname; Swaziland; Syria; Tajikistan; Timor Leste; Togo; Tonga; Turkmenistan; Tuvalu; Uganda; United Arab Emirates; Uzbekistan; Vanuatu; Vatican; Venezuela; Zambia

China and Indonesia already have significant IT sector laws

Jurisdictions by decade: Diffusion to ubiquity

[Chart: jurisdictions with data privacy laws by decade (1973-79, 1980-89, 1990-99, 2000-09, 2010-13); series ‘New in Decade’ and ‘Existing’, with ‘Linear Growth’ and ‘Accelerating’ projection lines]
101 jurisdictions with data privacy laws by August 2013, with projections to 2020 (linear = 139; accelerated = 160)

Consequences of globalisation

• Ubiquity of data privacy laws in countries of economic/political significance by 2020
  – USA and China the main outliers (private sector)
• European laws (EU & CoE) soon in a minority
  – EU laws are only 28% at present, and falling
• Laws with strong data export restrictions are not limited to the EU, or to Europe
• ROW laws expand, strengthen, and are enforced
  – Google: Korea (TOS) and Macau (Streetview)
• Results:
  – Weak national laws may cause multilateral complexities
  – Need for an internationally accepted standard increases
  – ‘Interoperability’ begs the Question: ‘on what basis?’

What fundamentals should we look for?

A = Principles; B = Enforcement; C = Data exports

(A) Standards for principles

• Over 30+ years, 2 standards emerged
  1. 1st Generation ‘Basic’ Principles
    • OECD (1981); CoE (1981); APEC (2005)
    • Also incorporated in ‘European’ principles
  2. 2nd Generation ‘European’ principles
    • EU Directive (1995); CoE Additional Protocol (2001)
• Will 3rd Generation principles emerge?
  – Possible from EU Regulation and CoE ‘modernisation’
  – Not from OECD revision or APEC
• Which Principles are enacted globally?

Basic data privacy Principles
(OECD & EU hold 1-10 in common)

1. Collection – limited, lawful and by fair means; generally with consent or knowledge (OECD 7)
2. Purpose specification at time of collection (OECD 9)
3. Notice of purpose and rights at time of collection (OECD ambiguous)
4. Uses (including disclosures) limited to purposes specified or compatible (OECD 10)
5. Data quality (relevant, accurate, up-to-date) (OECD 8)
6. Security through reasonable safeguards (OECD 11)
7. Openness re personal data practices (OECD 12) [not specific in EU]
8. Access, individual rights of (OECD 13)
9. Correction, individual rights of (OECD 13)
10. Accountable data controller with task of compliance (OECD 14)

We will assume these 10 basic principles in laws discussed, and focus on (I) where one is absent or (II) additional principles

What standards are enacted globally? – ‘Basic’ only or ‘European’?

1. Must first answer: ‘what are European data privacy standards?’
2. Approach: What is required by the EU Directive but not required by the OECD Guidelines?
3. Identified the 10 key differences as ‘European standards’ (next slide)
4. Examined 33/37 non-European laws (as at Dec. 2011) against these 10 criteria
5. Result: Average 7/10 ‘European’ factors found
6. Now 48 laws (not 33) but no significant change
7. Conclusion: The current ‘global standard’ is to a significant extent the European standard

10 ‘European’ standards
EU Directive (1995) & CoE 108 + Add. Protocol (2001)

1. ‘Minimality’ in collection (relative to purposes);
2. General ‘fair and lawful processing’ requirement;
3. Some ‘prior checking’ by DPA required;
4. ‘Deletion’: Destruction or anonymisation after use;
5. Sensitive data additional protections;
6. Limits on automated decision-making;
7. ‘Opt-out’ of direct marketing uses required.
8. Has a separate independent DPA (enforcement);
9. Allows remedies via the courts (enforcement);
10. ‘Border control’ data exports restrictions.

An ‘adequate’ law = one implementing most of these
Invitation to accede to CoE Convention 108 requires similar

(B) Standards for enforcement

• No accepted international standards
  – EU Article 29 Working Party (WP29) Opinion on elements of adequacy is often cited
  – Proposed EU Regulation may set new standards
  – Revised OECD Guidelines adds some
• Numerous enforcement mechanisms are possible
• Few laws include all such enforcement mechanisms; it is their combination in an effective system that counts …
• Necessary to go back to 1st principles …

Purposes: What should enforcement achieve?

1. Deterrence
  – inhibits future breaches which are not specific/identified
2. Prevention
  – Intervention in current/anticipated specific breaches
  – Occurs before breach complete and damage suffered
3. Guaranteeing assertions of rights
  – Where individuals have to act to assert a right
  – Eg some correction or deletion rights
4. Remedies for individuals
  – Restorative or compensatory remedies
  – Occurs after breach, damage already suffered
5. Punishment (?)
  – Is data protection enforcement ever for punishment?
  – Fines etc against a unique defendant can still deter others

Types of enforcement measures

Enforcement measures can be characterised as:
1. Whether there is an independent DPA
2. Varieties of complaint investigations
3. Investigative powers and procedures
4. Orders and remedies available from DPA / Ministry
5. Publication of enforcement details (statistics and cases)
6. Offences
7. Rights of court action to enforce Principles (+ of appeal)
8. Data breach notification requirements
9. Systemic (non-complaint) preventative/deterrent measures

The model of ‘responsive regulation’: What is needed for effective enforcement?

Enforcement pyramid in a licensing system (Braithwaite 1993)

Elements of ‘Responsive regulation’ (Braithwaite, Parker et al)
1. Effective regulation requires multiple types of sanctions of escalating seriousness
2. It is an enforcement pyramid: sanctions at the top get used far less than the cheaper bottom layers
3. All forms of sanctions must be actually used when necessary
4. Use of each level of sanction must be visible to those regulated, consumers and the representatives of both
5. The higher levels are incentives for the lower levels to be made to work

High peaks create more pressure down (Anon, NZ origin)

A complaint-driven enforcement pyramid for data protection

A systemic (non-complaint) enforcement pyramid for data protection

(C) Data export restrictions – Must ask 6 Questions for each jurisdiction

1. Does the DP law of the controller’s jurisdiction assert extra-territorial operation?
  – Assertion of control over persons/objects outside territory
  – DP laws are in default not extra-territorial
  – But nothing illegal in international law about assertions
2. Under what conditions are transfers (data exports) to a foreign jurisdiction allowed?
  – Contracts required?; Notice to data subject required?; Notice to DPA required?
3. Are there special rules for controller-to-processor transfers?
  – Terminology in every country is different, so are the rules

Issues for each jurisdiction (2)

4. Can the data subject enforce the controller/processor contract against processor?
  – Does a privity of contract doctrine prevent this?
5. Is the controller liable for breaches by the foreign processor? (vicarious liability)
6. Does the processor jurisdiction’s DP law exempt outsourced processing (in full or part)?

North-East Asia – the leaders

• Most countries have recent new or revised data privacy laws
• With new laws in China, North-East Asia is the most data-privacy intensive region outside Europe

Order of consideration: 1. South Korea 2. China 3. Hong Kong SAR 4. Taiwan
Not covered: 1. Japan 2. Macau SAR 3. Mongolia

South Korea

• OECD and APEC member; APPA member
• New comprehensive Personal Information Protection Act (PIPA)
  – In force from 10/11; only enforced from 4/12
  – Adds many new features to existing strong foundation
• Previous legislation (largely replaced but not entirely)
  – Private sector – ‘Data Protection Act’ 2000 (in a broader Act)
    • Administered by Korean Internet & Security Agency (KISA)
    • Scope limited to businesses utilising telecoms services
    • Active enforcement by Korean Personal Information Dispute Mediation Committees (PIDMCs): compensation & documented cases
  – Public sector – Public Agency Data Protection Act
    • Administered by Ministry of Public Administration and Safety (MOPAS);
    • Scope covers all public agencies; includes basic principles, but few limits on excessive collection by governments (defect in OECD)
    • Minimal enforcement: no independence; no publication of cases
  – Some other specific Acts (eg credit reporting) still over-ride DPAct

South Korea – Key new features of 2011 PIPA

• One Act now comprehensive of public and private sectors (cf Japan)
  – Now covers whole private sector: ‘Personal information processor’
• Independent Personal Information Protection Commission (PIPC)
  – 1st national DPA in a civil law Asian country
• Privacy Compliance Officers required for most businesses/agencies
• Collective mediation for disputes with widespread small damage + representative actions for injunctions
• Mandatory data breach notification to affected individuals
  – Also to authorities where significant (cf Taiwan)
• Mandatory PIAs for potentially dangerous public sector systems
• Explicit (opt-in) consent required for marketing using own databases
• Act and Enforcement Decree in English (trans. Prof. Park, Whon-il)

South Korea – Additional principles

2011 Act includes all basic OECD principles, plus these additions:
1. Onus of proof of almost all requirements is on the processor
2. Privacy Policy necessary, and overrides any individual agreements where this favours the consumer (A 30)
3. Minimal collection of personal data necessary for purpose (A 16(1))
  – Desirability of ‘anonymity, if possible’ of processing (A 3(7))
4. No denial of services because of refusal to provide unnecessary information (A 16(2))
5. Sensitive data cannot be processed without consent (A 23)
6. Alternatives to identification by the Residence Registration Number must be provided (A 24) [RRN use is separately being prohibited]
7. Strict limits on operation of visual surveillance devices (A 25)
8. Notification required if personal data collected from 3rd Ps (A 20)
9. Consent required to disclose to 3rd Ps, who must be identified (A 17); limited exceptions (A 18) not including ‘compatible uses’

South Korea – Additional principles (2)

10. Data exports require consent (A 17(3)) – but notice is weak
11. Notice of sub-processing is required (A 26), and sub-processor must be identified
  – OR public Privacy Policy (PP) can give notice of sub-processing
  – sub-processors are deemed employees (A 26(6)) (vicarious liability)
12. Deletion (not de-ID) of personal data required after use (A 21)
13. Suspension of processing can be required by data subject (A 37)
14. Privacy Officer must be appointed, with detailed duties (A 31)
  – Draft Guidelines suggest wherever more than 50 employees
15. Data breach notification always mandatory to data subjects (A 34)
  – Also to MOPAS and other authorities if ‘large scale’
16. Offences to improperly deal with, disclose or receive personal data
17. Detailed security measures are prescribed by Presidential Decree, both locally and for data exports

These 17 points show how far Korea goes beyond the OECD ‘basics’

South Korea – Strong consent

• Unusual in both where consent is required (most disclosures and change of use, and data exports) and in requirements for consent to be legitimate.
• Notifications required before consent is obtained (A 15(2) or 18(3)) must separate 3 matters:
  – each matter requiring consent must be stated separately, and each consent obtained separately (no ‘bundling’) (A 22(1))
  – information collected requiring consent must be segregated from information not requiring consent (A 22(2))
  – if consent is to use information ‘to promote goods or services or solicit purchase therefor’ then data subjects must explicitly consent to this (ie opt-in to marketing uses) (A 22(3))
• This is reinforced by the ‘no disadvantage’ rule

Are these the strongest consent requirements known?

South Korea – Enforcement

• The most complex version of the ‘North Asian civil law model’
  – Japan, Taiwan and China have Ministry-based sectoral enforcement
  – Korea has added both (i) an independent complaints body and (ii) a DPA
  – If successful, the Korean model is likely to influence others
• Complex 5-way administrative structure under new Act:
  1. Personal Information Protection Commission (PIPC)
  2. Korea Internet & Security Agency (KISA) (includes Personal Data Protection Center (PDPC))
  3. Personal Information Dispute Mediation Committees (PPDMC/Pico)
  4. Ministry of Public Administration and Security (MOPAS)
  5. Korea Communications Commission (KCC): regulates ISPs and ICSPs
• This structure may be changing after the 2012 election
  – Complexity in who is representing Korea in international fora
  – PIPC would like to take functions currently(?) exercised by KISA
  – Influence of MOPAS is still everywhere

South Korea – Enforcement

1. Personal Information Protection Commission (PIPC)
  • 15 member independent Commission within Presidential Office
  • PIPC’s website <http://www.pipc.go.kr> is out-of-date in English
  • President appointed independent Chairman (Park, Tae-Jong)
  • ‘Executive Bureau’ within MOPAS, headed by Director-General
  • ‘Standing Commissioner’ is a ‘government official of political affairs’ who ‘directs the Executive Bureau under the Chairman’s orders’
  • Roles of setting policy, issuing opinions and reports (A 8)
    • Organisations can seek something like an ‘advisory opinion’ on the law
  • No clear role in the Act in resolution of individual complaints
    • BUT PIPC claims a role re public sector ‘to rectify violations and misuse of personal information’ (see A 8(1)(v) and A 18(2)(v))
    • PIPC has an ‘Investigation Division’
    • PIPC decided complaint against Google Terms of Service

South Korea – Enforcement (2)

2. Ministry of Public Administration and Security (MOPAS)
  – Issues ‘Data Protection Basic Plan’ in consultation with PIPC
  – Issues ‘Standard Guidelines’, which Ministries can modify for sectors
  – Accreditation to Data Protection Commissioner’s conference refused in 2011, because not independent of government
3. Personal Information Dispute Mediation Committees (PIDMC)
  – Up to 20 persons appointed, with independence provided by Act (A 40)
  – Hear complaints in sub-committees, depending on expertise required
  – Handles about 90% of privacy disputes (10% in Courts)
  – ‘Mediates’, deciding breach and recommending remedy; if both parties agree, settlement is binding; otherwise, matter has to go to Court
4. Personal Data Protection Centre (PDPC) within KISA
  • Receives and investigates complaints, and mediates minor complaints
  • Assists complainants to prepare complaints to go to PIDMC
  • KISA still represents Korea at APPA meetings, but PIPC also
  • Presidential Decree must appoint PDPC to this role (A 40(8))

South Korea – Enforcement (3)

• PIDMC’s mediation record under the old Act
  – PIDMC must suggest mediation within 60 days of petition filing
  – Of 22 reported cases in 2003-04, PIDMC awarded compensation (from $100-$10K) in 17 cases (English translations are on WorldLII)
  – Examples: disclosure of telephone records to estranged husband ($10K); surgeon posting photos of clients’ plastic surgery ($4K)
  – Usually individual vs business disputes; b/w individuals goes to Court
• Additional scope for PIDMC mediation under the new Act
  – now has powers to mediate public sector complaints (s 43(3))
  – now has powers for collective dispute mediation (A 49)
  – PIDMC has been confirmed as mediation agency by Presidential Decree

Korea has established a unique open, independent and effective system of dispute resolution over 10 years

South Korea – Enforcement (4)

• Data subjects may sue for damages for breach (A 39)
  – Onus of proof of no intent/negligence is on data user
  – Many actions before Courts, including class actions: Held that massive data leak did not automatically result in damages for mental distress (2011)
  – Little information available in English on court cases
• Collective dispute mediation by PIDMC (A 49)
  – Where multiple data subjects are affected, any parties can request PIDMC to undertake collective dispute mediation
  – Presidential Decree sets out procedural details
  – Mediation continues even if some complainants go to Court
• Class actions (Part 7 ‘Data protection collective suit’)
  – If processor rejects collective mediation, various types of NGOs (defined in Act) are entitled to file a class action (‘collective suit’)
  – Suit is filed in the District Court of the defendant’s place of business, or main office of foreign business’s representative (A 52)

South Korea – 2013

• 2013 Bill (3538) for serious data protection breaches
  – Fines up to KRW 500M (US $500,000)
  – MOPAS could demand dismissal of senior executives
• 2013 PIPA Amendment re ID numbers
  – No ID numbers can now be collected, online or offline
  – Existing ID numbers must be deleted (2 yrs for offline)
  – Increase to US $500,000 fines (online or offline)
• Self/Co-regulation is not significant
  – No significant self-regulation under previous Act
  – No provisions concerning enforceable codes in new Act
  – MOPAS required to facilitate self-regulation
• KISA guidelines strengthened the previous law
  – Eg RFID & Biometric privacy Guidelines, 2007
  – Which enforcement body will do so in future?

South Korea – Data exports

1. No explicit extra-territoriality provisions
  – Normal rules of private international law apply
2. Consent and notice required when providing to a ‘3rd P overseas’ (A 17(3)) (Not border control)
  – (i) consent of the data subject (must be express); (ii) notice in advance to data subject of identity of recipient, data to be transferred, purpose
  – No specific requirement to give notice of destination (country), or state of privacy laws at destination
  – No vicarious liability for conduct of 3rd P recipient.

South Korea – Data exports (2)

3. Special controller/processor rules (A 26)
  – A 26 applies if controller ‘consigns processing … to a 3rd party’
  – Prior consent is not required; Notice or PP disclosure is required
  – Notice must include identity of processor (but not country location)
  – BUT Korean government authorities have previously required all data exports, including for outsourcing, to be with consent
  – Some argue new Act might be interpreted differently (Lee & Ko, Seoul)
4. No privity of contract problem, so data subjects can enforce
  – If exporter contracts with overseas 3rd party for benefit of data subject, data subject can enforce against 3rd P (Civil Code A 539)
5. Controller has vicarious liability (as employer) for processor
  – Applies to compensation for processing contra to Act (A 26(6))
6. No outsourcing exemption
  – Processor is also liable for all data protection requirements

China

Map of China in the Warring States period

China – Regulation time line

1. 2006/7: Draft Personal Information Protection Act, from Institute of Law; private & public sectors; included DPA; EU-influenced
2. Some Provinces have enacted data privacy codes, for consumers
3. Piecemeal laws on money laundering, medical records, insurance, consumer protection and credit reporting
4. 2009-10 Major reforms: Criminal Law and Tort Liability Law
5. 2011 MIIT (Min. of Industry & Info. Tech.) ‘Internet Information Services Regulations’, in force 3/12
6. 2012 NPC Standing Committee ‘Decision’ (a law) on Internet Information Protection, in force 12/12
7. 2013 MIIT Standardization Administration ‘Guidelines’ on Personal Information Protection in ‘computer information systems’
8. 2013 MIIT ‘User Data Protection Regulations’

Result: No national law yet, but consistency emerging 2011-13
  – Considerable consistency in principles; private sector only
  – Ministry-based enforcement, with no sign of a DPA

China: Internet Information Services Regulations 2011

This is still the single most important regulation

• Adopted by MIIT (Min. of Industry & Info. Tech.) 12/11
• Scope: Applies only to ‘IISPs’, with a broad meaning
  – Anyone providing information to Internet users
  – Does not include the public sector
• ‘User’s personal information’ is any PI, but some cls only apply to ‘information uploaded by a user’
• ‘Telecommunications authorities’ at all levels can enforce, but some aspects may go to the Ministry
  – Administrative orders to change practices, fines, and adverse publicity can result (at discretion of authorities)
  – No explicit civil damages, but could arise under Tort Liability Law [U11]

China: Internet Information Services Regulations 2011 (2)

Content of the data privacy principles
1. Collection must be the minimum required for purpose
2. Express notice of purpose and use required at collection from user (not from 3rd Ps)
3. Use of any PI must be limited to purpose of collection
  – disclosure limits might only apply to info uploaded by user
4. No data quality requirements except not to modify
5. Very general data security obligations
6. Data breach notification (to telecoms authorities only) required if ‘serious consequences’
  – but MIIT requires user notification, on past occurrences
7. A data controller to receive complaints must be publicised
8. OMISSIONS: (1) Any user rights of access, correction etc; (2) data export limitations; (3) Sensitive data

China: NPC Standing Committee ‘Decision’ on Internet info. 2012

• Highest level law yet enacted in China to deal specifically with data protection
  – Despite its name, it is legislation
  – Ranks higher than a Ministry regulation (MIIT)
• Scope
  – Cl 1 declares protection of personal ‘electronic and digital information’ and prohibits its illegal use
  – Other clauses only regulate IISPs
• Decision also includes ‘real name’ regulation
  – ISPs etc must know real identities of users
  – Does not abolish online pseudonyms

China: NPC Standing Committee ‘Decision’ on Internet info. 2012 (2)

What does the Decision add to the MIIT regulation?
1. Adds an opt-out from direct marketing
2. Adds a right to require ‘take downs’ by IISPs
3. Explicit right to file criminal complaints
4. Explicit right to seek civil liability (Tort Law?)
5. Omits many key principles (eg access)
  – Leaves ambiguous whether ‘finality’ applies to PI collected from 3rd parties

Not a codification, but must be added to the MIIT regulation – cumulative effect is significant

China – MIIT Personal Information Protection Guidelines 2013

• Only ‘Guidelines’, but could an Internet business safely ignore MIIT ‘advice’?
  – May well indicate standards to be followed under other laws (eg Tort Liability Law)
• Scope
  – Applies to all private sector ‘computer information systems’, not only IISPs
  – ‘personal info.’ has a conventional definition
  – ‘sensitive personal information’ is defined (for first time) and made industry-specific
  – Adds a controller (‘administrator’) / processor (‘receiver’) distinction (for first time)
• Unofficial translation is at

China – MIIT Personal Information Protection Guidelines 2013 (2)

What do the Guidelines (although ‘advisory’) add to the Regulation and Decision?
1. The 8 ‘Basic Principles’ are China’s most coherent set (but omit user rights)
2. But 4 phase ‘life cycle’ procedures add much more:
  1. Distinguishes where express consent and opt-out allowed
  2. Detailed notifications, including of outsourced processing
  3. Minimal and non-deceptive collection required
  4. Sensitive data protections for minors etc
  5. Rights of access and correction (for first time)
  6. Data export restrictions requiring express consent or government permission (for first time)
  7. Deletion requirements, on expiry of purpose, or request

China – MIIT ‘User Data Protection’ Regulations, 2013

Telecommunications and Internet Personal User Data Protection Regulations 2013
  – Cover both IISPs and telecommunications business operators (TBOs)

What does this add to the previous list?
  – Potentially broader definition of ‘personal user data’ not requiring capacity to identify
  – Requirement to publish a privacy policy
  – Cannot collect data ‘without user permission’
  – Collection must cease with cessation of account
  – (Possibly strict) liability for 3rd party processors

China – MIIT ‘User Data Protection’ Regulations, 2013 (2)

New aspects of administration and enforcement
  – Additional data breach notification requirements
  – Annual self-inspection of security measures
  – Details of inspections by ‘telecomms management organs’ (TMOs)
  – Violations and fines will be published on the ‘Social Credit Register’ (‘name & shame’)
  – Fines and penalties for TMOs and employees that fail to enforce the law

• A template emerging for all the private sector?

China - Criminal Law

• 7th Amendment to the Criminal Law of the PRC (2009), A 253
– Criminal penalties for institution or employee selling, otherwise illegally disposing, or offering to sell personal information
– Covers employees of government, hospitals, schools, and telecomm, financial, or transportation companies
– Penalties also apply to those illegally obtaining data
– Sentence up to 3 years plus monetary penalties
• Enforcement
– First prosecution reported (Jan 2010): a Zhuhai man illegally purchased logs of telephone calls by high government officials, then sold them to others who used the logs to fraudulently impersonate officials. Purchaser sentenced to 18 months, others prosecuted for fraud.
– Recent prosecutions [U32] are mainly under the Criminal Law
– Significant jail sentences have resulted
• Reinforced by cl 1 of 2012 NPC Standing Committee ‘Decision’

China – Tort law

• Constitutional right to privacy cannot found civil cases (Supreme People’s Court)
• Under General Principles of Civil Law (pre-2009)
– Privacy issues treated as defamation cases, following Judicial Interpretation (SPC) holding privacy to be subsidiary to the right of reputation - some succeeded.
– Example: Website operator held liable for defamation, for website about the husband of a woman who committed suicide, resulting in him being harassed. Apology and compensation of about $1,000. (Appeal decision in ‘human flesh search engine’ case)
• Tort Liability Law 2009 (Enacted 26/12/09, in force from 1/7/2010)
– A ‘right to privacy’ (undefined) is included in the list of ‘civil rights and interests’, the breach of which leads to civil liability
– Employers are vicariously responsible; ISPs are liable for torts committed using their networks, unless they take sufficient steps after notice (A 36)
– There are some recent minor cases under this law
• Civil (administrative) actions against government
– now recognised by SPC Provisions (2011) for misuse of confidential information

China – Draft data protection Act (2006)

• Draft Personal Information Protection Act (2006)
– 2006 draft by Prof Zhou HANHUA, Director of the Institute of Law, Chinese Academy of Social Sciences, + team of experts.
– Depending on implementing regulations, could have been more like an EU law than an OECD/APEC implementation
– Considerable consultation between EU and Chinese bodies
– Went to the State Council for consultation, but no further
• No evidence it is proceeding at present (last mentioned 2009)
• Why different from 2011-13 MIIT / NPC developments?
– Covered (1) public sector and (2) whole of private sector
– No data protection authority, but a more coherent set of remedies
• Why still significant?
– Indicates type of law supported by part of PRC elite opinion
– Best point of comparison for any new comprehensive law
– Details are therefore included on following PPTs
– See my detailed analysis at http://ssrn.com/abstract=2023065

China - Draft data protection Act 2006 (2)

‘General Provisions’/Principles (Ch 1)
1. Purpose
2. Lawfulness
3. Protection of rights (access and correction)
4. Balance of interests
5. Information quality (incl collection and use limits)
6. Information security
7. Professional duties (like ‘accountability’)
8. Remedy (incl admin remedies and compensation)
+ ‘Scope of’ and ‘Exceptions to’ applicability
+ ‘Cross border transfer’ (A48)
• No automatic restriction: ‘may restrict’
• Grounds for restriction include that recipient country/area ‘cannot give sufficient legal protection’

China - Draft data protection Act 2006 (3)

• Application to government authorities
– Very broad exceptions to use restrictions
• Application to ‘other data processors’
– Applies to all private sector organisations
– Registration required before collection begins
– Collection only for ‘clear and specific purposes’;
– Secondary uses strictly limited
• Administration (Ch 4)
– widely distributed among all agencies ‘above county level’; no ‘Privacy Commissioner’
– General regulations to be made at State Council level

China - Draft data protection Act 2006 (4)

• Safeguards and remedies (Ch 4 & 5)
– Administrative review always available, with right of appeal to Peoples’ Court
– Alternative judicial remedy at any time in People’s Court
– All data processors ‘should bear liability for compensation in accordance with law’
– Administrative liabilities and criminal liabilities (Ch 5)

Hong Kong SAR

• HK SAR part of PRC; APEC & APPA member
• Basic Law provides constitutional protection
– Used to find telecommunications surveillance unlawful
• Personal Data Protection Ordinance 1996
– Combination of EU, OECD and UK influences: first comprehensive data protection law in Asia
– Privacy Commissioner for Personal Data (PCPD): first ‘European’ model of a DPA in Asia
• Amendment Ordinance 2012
– passed by LegCo 27/6/12; in force since 1 April 2013
– first significant change in 15 years; strengthens Act
– Administration’s Bill makes far less change than Privacy Commissioner proposed, but he welcomes it

Hong Kong SAR – Principles

• HK Ordinance covers all basic principles
• Some additional principles:
– deletion;
– data matching;
– direct marketing opt-out;
– public registers
– Also no exemption for ‘publicly available information’
• s31 data export limitations not in force
– Only section not in force; applies ‘outside Hong Kong’
– Privacy Commissioner is obtaining a consultant’s report on how the s31 ‘white list’ could operate; expected Dec 2013
– Business could be advised to operate as if s33 was in force

Hong Kong SAR – Data exports (1)

1. Extra-territorial application remains unclear
– AAB decision in Yahoo! Case did not clarify
2. No explicit export controls (s33 is not in force)
– No need to inform data subject of overseas transfer (DPP(1)(3)(b)(i))
– Commissioner’s Model Contract (1997) is non-statutory
– s33 only provision of Ordinance not in force
• s33 includes ‘White List’; but Commissioner is preparing one
• s33 includes exemptions based on exporters’ ‘belief’ concerning overseas law
3. No special rules for controller/processor transfers
– New 2012 controller (‘data user’)/processor distinction
• Only requires controller to require data deletion after use (s2(3))
– If only ‘hold, process or use’ data on behalf of others, then not a data user (s2(12))
– Relationship of agency was always recognised (s65(2))
– Note: scope of what ‘processing’ includes (s2) is not yet settled

Hong Kong SAR – Data exports (2)

4. Privity of contract now prevents data subject enforcing contracts against processors, but might not soon
– Data subject cannot now take action against foreign cloud processor
– BUT Contracts (Rights of Third Parties) Bill 2013 (see Consultation Paper) expected to be in effect by 2014; requires express terms benefiting 3rd P that it is for the benefit of the data subject
– Commissioner’s Model Contract (1997) implies (but is not express)
5. Controller is liable for [some] acts of foreign processor
– Acts done by an agent (processor) within its authority are considered to be the acts of the principal (controller) (s65(2))
– No distinction whether the agent is overseas or in HK
– No liability for acts of processor outside its authority
– S65(2) does not impose any liability on the processor (agent)
6. May be an ‘outsourcing exemption’ in HK
– If a cloud provider fits s2(12) it is not a ‘data user’ and need not comply.

Hong Kong SAR – Existing enforcement (1)

• Attempted enforcement, but a defective Ordinance
– Commissioner does investigate and use powers frequently
– Commissioner finds breaches, but unless they are continuing/likely to be repeated, cannot issue enforcement order, or prosecute for failure to observe
– Increasing prosecutions and fines, but for minor matters (for Ricacorp and CITIC prosecutions see U27)
– For 2012 statistics etc see PLBIR 124:27
– No explicit power to mediate complaints, practice uncertain
– Damages only available via Court (s66) but never yet used
• Massive data spills and data sales scandals since 2007
– Data spill of complaints against Police by 20K people; Hospital operators data spill; Octopus card operator, and 5 banks each sold consumer’s data
– But Commissioner is powerless to punish or compensate

Hong Kong – Existing enforcement (2)

Commissioner’s new uses of existing Ordinance powers
• Reporting complaint respondent’s identity (ie use ‘name and shame’) where Ordinance breached
– See Octopus and CITIC case s48(2) reports (U27)
– For recent s48(2) reports, see PLBIR 124:28
– AEGON Direct Marketing example PLBIR 124:30
• Found media intrusions are collection by unfair means
– Sudden Weekly breach findings now on appeal to AAB (U29)
• Proposes to require ‘data user returns’ (DURs) from agencies and corporate sectors which pose most risk
– Proposed initially from public sector, banking, telecomms, and insurance industries, and organisations with large customer databases (eg loyalty schemes)
– Data required will include overseas transfer practices
– Amended Ordinance allows him to require verification
– Would be first (limited) ‘registration’ system in Asia-Pacific

HK Amendment Ordinance 2012 Offences

1. Sale of personal data (no matter how collected) is subject to notice + opt-out; otherwise, criminal offence
• Blanket objections to sale of personal data possible
• Over-rides current requirement of consent (DPP 3)
2. Direct marketing for data user’s own purposes (or providing to others for DM) is subject to notice + opt-out
3. Disclosure of PD obtained from a data user, without consent, now an offence
4. Commissioner can now direct a data user to remedy a breach, and specify how
– Failure to do so is now an offence
– Repeating the same breaches also now an offence
5. Still no data breach notification requirement
– Government agencies have agreed to immediately report
– Private sector failures to do so may result in s48(2) reports

HK Amendment Ordinance (2) Compensation

1. Compensation proceedings moved to District Court
• Standard costs order is ‘no order as to costs’
2. Commissioner can prescribe forms to assist complainant to ask Qs of respondents
– Replies admissible and must not mislead
3. Commissioner can assist complainants with advice, legal representation and even the negotiation of ‘compromises’
• Commissioner’s costs are a charge against any compensation
4. No applications made since 1 April 2013 have yet been accepted

Taiwan

• APEC (as Chinese Taipei); not ASEAN or OECD
• Current protections
– Explicit Civil Code protection (s195(1))
– Evolving constitutional protections (significant cases)
• Computer Processed Personal Data Protection Act 1995 (CPPDPA) – was in force until October 2012
– Scope limited: public sector + 8 industry sectors
– No single oversight body, left to sectoral Ministries
– Little enforcement [U32]
– One of the less successful ‘North Asian civil law’ Acts

Taiwan - New Act (Overview)

New Personal Data Protection Act (PDPA)
• Enacted 05/10, in force in October 2012
– Rules (by Min. Justice) have been finalised by Executive Yuan
– A 6 (sensitive info.) and A 54 (notification) to be held back until amended (Bill to do so is before Executive Yuan)
• Comprehensive of all sectors
• No DPA - Still Ministry-based enforcement
– Did not work with previous Act; but Ministry of Justice will now coordinate, and this is expected to work better
• Stronger Principles: Notice; sensitive data; narrow mandatory data breach notification
• Much stronger enforcement: Representative actions

Result: Raises Taiwan closer to international standards

Taiwan - Principles

• New Act covers all basic principles; Additions:
• Restrictive grounds for using sensitive data
• Notice required for collection from 3rd parties (before use) as well as from data subjects
• Opt-out required for direct marketing uses
• Cessation of processing where purpose of use complete
• Mandatory data breach notification (A 12)
– Notice to affected persons (not to Ministry); Rules define method
– Only where a breach of the Act is involved (weakness)
• Weaknesses in Principles
– Over-broad exceptions for secondary use, access
– Security principle is ill-defined, with no stated standard

Conclusion: Modest strengthening, far short of Korea

Taiwan - Enforcement (1)

• Individual rights to damages for breaches
– Strict liability on public agencies (A 28); procedure is under State Compensation Act
– Private sector has onus to show no wilful or negligent acts (A 29); procedure is under Civil Code
• Class actions are by defined representative NGOs
– Allowed once they have 20 claimants
– Mass claims are capped at US$6.7M damages
• No transparency requirements
– No annual reports, reporting of complaints, fines etc
• Offences and administrative penalties extensive
– Enforced by Ministries responsible for each sector

Taiwan - Enforcement (2)

• Ministry enforcement of current Act
– Enforcement actions are almost entirely lacking
– No agencies saw this as a core role
– New Act identifies MOJ as responsible for coordinating enforcement
• Enforcement of current Act in the Courts (since 1995)
– 3 actions for damages successful (from 40)
• Largest award A$2,700 (insurance Co. disclosure)
– 100 criminal prosecutions, 60% convictions, usually as a lesser offence
• Enforcement by Financial Supervisory Commission (FSC)
– Privacy enforcement actions against banks, insurers and insurance brokers, based on its own regulations, with fines up to A$130,00
– Only lesser fines are possible when it proceeds under the DP Act

Taiwan – Data exports

1. No specific extra-territoriality provisions with one exception
– Applies to ‘collection, processing or use’ outside Taiwan of data of Taiwanese nationals (A 51)
– Does this only apply to companies otherwise subject to the Act?
2. Data exports: Default position is ‘no limitations’
– Restrictions at option of relevant Ministry (A 21)
– One ground: receiving country lacks adequate protections
– Until prohibited, no restriction on cloud processing
3. Special controller/processor provisions
– Anyone retained to process personal data is ‘one and the same as the retaining agency’ (A 4; Enforcement Rules, A 8)
– Controller must exercise careful monitoring over processor – failure to do so will be a breach

Taiwan – Data exports (2)

4. Data subject can enforce controller/processor contracts against processor if expressed for benefit
– Assumed so, as a civil law jurisdiction (no privity bar)
5. Controller is vicariously liable for processor’s acts (A 4)
– Controller is responsible for all exercise of rights by data subject (Enforcement Rules, A 8)
6. No outsourcing exemption
– Data imported into Taiwan is subject to its Act

ASEAN - New growth area

ASEAN & privacy commitments

• Association of South East Asian Nations (ASEAN) has 11 members
– 7 also in APEC: Singapore, Malaysia, Philippines, Vietnam, Brunei, Indonesia, Thailand (4 are not: Cambodia, Laos, Myanmar, Timor-Leste)
• ASEAN Human Rights Declaration (Dec 2012)
– First human rights instrument many ASEAN countries have entered
– Similar terms to International Covenant on Civil and Political Rights (ICCPR)
– A21: ‘Every person has the right to be free from arbitrary interference with his or her privacy, family, home or correspondence including personal data’
• Committed to establish ASEAN Economic Community by 2015
– Harmonised e-commerce framework includes in its targets adoption of best practice on data protection (no commitment to legislate)
– Did adopt harmonised e-commerce laws in 8 countries in 5 years
• ASEAN may become a significant driver of privacy law developments, but:
– Only private-sector-wide law yet fully implemented is in Singapore
– Minority of fully democratic members means privacy laws governing the public sector are unlikely (except Philippines, Indonesia and Thailand)

ASEAN: Order of consideration

1. Malaysia: Bill (with DPA) enacted 2010, not yet in force
2. Thailand: Bill (with DPA) since 2009, before Cabinet
3. Indonesia: new Regulation under IT law; Draft Bill?
4. Philippines: Bill (with DPA) passed 2012; not effectively in force

Not covered in presentation:
5. Singapore: Bill (with DPA) enacted 2012, in force
6. Vietnam: e-commerce & consumer laws, in force
7. Other countries: Brunei and Lao may be developing Bills

Malaysia

• Malaysia legislated in 2010, but not yet in force
– Personal Data Protection Act covers private sector only
– Only data in ‘commercial transactions’ (broadly defined)
– Principles are EU-flavoured, with weaknesses
– ‘Whitelist’ approach to data exports, with over-broad exceptions
– Commissioner lacks independence for international accreditation
– No effective enforcement by DPA, only prosecutions for offences
– Result: A weak model for other ASEAN nations
• Current position on bringing into force
– New Personal Data Protection Department established 2012
– Regulations and guidelines drafting ‘90% complete’
– No decision whether a Commissioner will be appointed, but July 2013 rumour of imminent appointment [U55]
– Minister announced intention to bring in force 16 August 2013 for all new data collection, + existing data required to comply in 3 months

Malaysia – Privacy principles

• Requires consent to processing of data
– Processing (collection, use and disclosure) must be directly related to a lawful activity of user and not excessive; Many exceptions (s6(2), s39, s40, s45)
– Allows withdrawal of consent to processing (s38, s42)
• Other non-OECD principles include written notice (s7), retention limitations (s10), opt-out from direct marketing
• Weaknesses of principles in the Bill
– vague security principle;
– notice of intention to disclose can circumvent limitations;
– broad and discretionary exemptions

Overall, principles are EU-influenced, somewhat weak

Malaysia – Data exports (1)

1. Extra-territoriality
– Some limited operation
– No application to any processing outside Malaysia
– Exception if data is to be re-imported into Malaysia (s3(2)): Indirect protection for Malaysians whose data is processed in overseas clouds?
– Otherwise, Act applies to anyone who is ‘established in Malaysia’ or uses equipment in Malaysia for processing data (except transit) (s2)
2. Data exports - ‘Border control’ with numerous exceptions
– ‘White list’ - exports prohibited unless Minister (on advice of Commissioner) determines a place provides either (a) a law substantially similar ‘or that serves the same purpose’ or (b) provides at least equivalent protection (s129)
– usual exceptions (as in Directive A26)
– + Exception (3)(f): reasonable precautions + due diligence to ensure overseas processing would not breach the Act (if in Malaysia)

Malaysia – Data exports (2)

3. Special controller/processor rules
– ‘data processor’ processes solely on behalf of someone else; ‘data user’ is anyone else doing, controlling or authorising processing (s4)
– Only a ‘data user’ is liable for breaches of Data Protection Principles
4. Data subject cannot enforce controller/processor contract against processor
• privity of contract restrictions on 3rd P benefit contracts apply
5. If s129(3)(f) due diligence applies, then no liability on controller irrespective of breaches by processor
– no vicarious liability, weakest protection
6. [If processing is in Malaysia] Outsourcing exemption?
– The Malaysian processor will not be a ‘data user’, so no application
– Any use of equipment in Malaysia for processing attracts operation of Act (s2(3)(b))
– Foreign controller may be (in theory) subject to Act

Malaysia – DPA

• Personal Data Protection Commissioner
– Not appointed after nearly 2 years, possibly may not be [U36]
– Can the Act function with no Commissioner, only prosecutions?
• Fails all tests of independence (but only covers private sector)
– Can be sacked at will by Minister (s54)
– Minister determines remuneration (s57)
– Minister can give Commissioner ‘directions of a general character’ consistent with Act (s59)
• Functions (s48), include:
– To investigate complaints and issue enforcement notices
– To advise the Minister on data protection policy
– To advise which other countries provide substantially similar protection to Malaysia
• Registration
– Minister may require registration of specific classes of data users (as may HK Commissioner)

Malaysia – Enforcement

• Any breach of a Principle is an offence (s5(2)), prosecuted by decision of the Public Prosecutor, before Supreme Court
– Unusual to have offences as the principal form of enforcement
– Other offences for 3rd parties collecting, or disclosing without consent, data held by a data user (s130)
• If Commissioner finds contravention of Act is continuing or likely to be repeated, can issue enforcement notice (s108)
– Offence for data user to fail to comply
– No remedies where breaches are unlikely to recur
– Same defects as Hong Kong and pre-2011 UK
– Rights of appeal by either party to Appeal Tribunal (Pt VII)
• Commissioner has no power to award damages or role of conciliating
• No individual rights to seek compensation or proceed in court

Enforcement is likely to deliver minimal benefits to consumers, because neither individuals nor the Commissioner can take effective action – weakest enforcement in Asia (Japan excepted)

Thailand

• APEC and ASEAN member, not OECD
• Current protections
– Constitutional protection since 2007 of ‘a person's family rights, dignity, reputation, and the right of privacy’
– Official Information Act, 1997
• Only covers State agencies (unusual in APEC)
• Administered by 32 person Official Information Commission (OIC) and the Office of the OIC
• Limits personal data collection and retention; limits disclosure; requires security; provides access and correction rights (most elements of information privacy)
• Statistics to 2005 show 880 appeals (to OIC or Information Disclosure Tribunal) from 1300 complaints against government at all levels
– Some industry sectoral requirements (eg telecomms)

Thailand – Principles (2012 Bill)

• Personal Data Protection Bill 2012
– Bill forwarded by Council of State to Cabinet in 2009, but did not progress
– New Shinawatra government (2011) did not include it in its legislative program, but it was apparently still the basis for drafting of the 2012 Bill
– August 2012: Cabinet approved Bill going to Coordinating Committee of Parliament, which is to forward it to Parliament
• Principles (only covers private sector; not so in 2009 draft)
– All basic principles are included
– General principle of no processing (‘collected, used or disclosed’) without consent, and right to revoke consent
– Strict limits on collection by surveillance/observation
– Broad sensitive information restrictions, but must be prescribed in Regulations
– Deletion/de-identification required after use complete

Thailand – Data exports

• Data exports
– ‘Border control’ approach: exports limited to countries with ‘laws [no] less stringent’, plus usual exceptions
– Will this appear in the final Bill?

Thailand – Enforcement

Not certain that all these details are in the 2012 Bill
• Committee on Data Protection to oversee Act
– 14 members, majority of officials: criticism within Thailand for insufficient independence
– Director of Office of the Official Information Commission is member and provides secretariat (s7) which deals with data users and the public (s15)
– Board advises PM on policy, making of regulations, criteria for marks or standards etc
– Board sets Codes of Ethics for data controllers
• Personal Data Inspection Board/Committees to handle disputes
– Board may appoint many Committees to mediate disputes
– If mediation fails, Committees can make orders including remedial actions and injunctions (monetary remedies may be via Courts)
– Administrative fines and criminal penalties possible
– Vicarious liability of directors etc unless they prove no knowledge

Indonesia

• Information and Electronic Transactions Law 2008
– Highest form of Indonesian legislation
– A26 requires consent for use of any person’s personal data ‘by use of electronic media’
– ‘Elucidation’ implies rights of access and correction
– A26(2) Courts can award compensation for breaches (No cases yet)
• Regulation on the Operation of Electronic Systems and Transactions (2012) A15 expands A26 of Law
– 2nd highest form of Indonesian legislation
– Scope may apply to both private and public sectors
– A15(1) amounts to a concise data privacy code [U57]
– A15(2) adds a data breach notification requirement [U57]

Indonesia - Enforcement

• Breaches of A15 can result in administrative sanctions (fines)
• A26 of 2008 law provided right to sue for compensation (under Civil Code)

Indonesia – Comprehensive law?

Other Ministries may now be working on comprehensive laws

• Draft Personal Data Bill 2007
– Task of Minister of Administrative Reform since 2007
– Also has task of creating a National ID Card
– Draft existed (2008) but never submitted to Parliament
– Proposed Principles influenced by OECD, EU and APEC
– Covers basic principles plus data retention limits
– Role and independence of Privacy Commissioner not settled

Philippines

• APEC and ASEAN Member, not OECD
• Very limited rights until 2012
– Some constitutional protections in theory
– Right of ‘Habeas data’ (constitutional right of access and correction) adopted by Supreme Court (2008) - No known uses as yet
– Electronic Commerce Act (2000) s3(e) general principles – not used
• Data Privacy Act 2012 now enacted, but not effective
– Previous House and Senate Bills ‘reconciled’ by bicameral committee mid-June, then enacted by both houses before they rose
– Resulting reconciled Bill was largely similar to previous House Bill
– Aquino signed on 15 August 2012, so became law 30 August
– BUT National Privacy Commission (NPC) is not yet appointed
– NPC must make Implementing Rules & Regulations (IRRs) within 90 days of appointment
– ‘Existing industries [etc] affected’ are given 1 year transition from date of IRR (s42)

Philippines – Principles

• Covers both public and private sectors, all data
• Collection limited to ‘not excessive’ data (not ‘minimal’)
• Subsequent use/disclosure requires consent (express/implied) or a broad exception requiring balancing of necessary interests of controller/3rd P against constitutional rights of data subject (ie weak protection)
• Processing of sensitive data generally prohibited, and very broadly defined - much stricter than elsewhere
• Data breach notifications to both Commission & individuals
• Deletion or blocking of data required after use completed

All OECD basic principles covered; Strong influence of EU Directive throughout - except data exports

Philippines – Enforcement

• National Privacy Commission (NPC)
– Within the Office of the President; Commissioner + 2 Deputies
– Oversight and coordination role in both sectors; advice, codes etc
• Civil actions, orders and compensation
– NPC has strong powers to investigate complaints
– Can ‘adjudicate’ and ‘award indemnity’ (compensatory damages)
– Can ban processing, temporarily or permanently
– Specific power to publicise the sanctions it has used
– Actions for damages (‘restitution’) under Civil Code possible, but only as a consequence of a criminal breach
• Criminal penalties
– NPC can recommend prosecutions
– Many criminal penalties for breaches of principles, including unauthorised processing
• Privacy Codes
– NPC can approve or reject Codes, but consequences are uncertain

Potentially one of the strongest ranges of enforcement measures

Philippines – Data exports (1)

1. Some extra-territorial application (s5)
– Covers acts done outside Phil concerning (a) Phil citizen or resident; or (b)/(c) many different links with Phil
– Scope includes all controllers and processors using equipment located in Phil. or maintaining office etc in Phil. (s4)
2. No express data export limitations (s9A ‘Accountability’)
– Makes controller ‘responsible’ for international transfers, ‘subject to cross-border arrangements and cooperation’;
– Also ‘accountable for complying with the … Act’ and for ‘using contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a 3rd party’
3. Special controller / processor rules (s12)
– Controller is responsible for complying with the Act;
– Processor is also required to comply with the Act

Philippines – Data exports (2)

4. Data subject can enforce any controller/processor contract if there is one stated to be for his/her benefit
5. Vicarious liability of controller for breaches by processor is unclear (s12)
6. [Cloud processing in Philippines] Outsourcing exemption explicitly provided
– excludes all personal information originally collected from residents of foreign jurisdictions in accordance with their laws, being processed in Phil. (s4(f))
– Intended to exempt all outsourced processing
– May fail to exempt call centres operated from the Philippines

South Asia

India

India in 1857 – The Great Rebellion

India - Prior to 2011

• India’s pre-2011 piecemeal privacy protections still operate
– For details see on my home page ‘The Illusion of Personal Data Protection in Indian Law’ (2011) 1(1) International Data Privacy Law 47-69
• Indian Constitution implies privacy right
– A 21 protection of ‘personal liberty’ is the basis
– Mainly used to limit search and surveillance
– Naz Foundation Case (2009) extends previous case by holding unconstitutional legislation criminalising homosexuality, based on autonomy
– Supreme Court could, but has not,
• expanded this right to ‘informational self-determination’
• Forced the government to legislate, as it did with the Right to Information
• Right to Information Acts
– Right of access to own file in all public sectors
– Supreme Court ordered Parliament to legislate

India – pre-2011 (2)

• Credit Information (Companies) Regulation Act 2005
– Establishes extensive credit surveillance system
– Has basic privacy principles, and more (in theory)
– No Reserve Bank enforcement, law ignored by industry and government
• Consumer Disputes Redressal Commissions
– Established under Consumer Protection Law 1986
– Allows complaints about unfair/deficient practices/services
– National Commission used complaint about mass disclosure of subscriber information to force Telemarketing legislation (Nivedita Sharma Case)
• Unique ID number system (‘Aadhaar’)
– Allocation of 1.2BN ID numbers by 2015 planned; over 600M issued
– Is overshadowing developments in data protection
– Unique Identification Authority of India (UIDAI) Bill before Lok Sabha
– Report of Lok Sabha Finance committee Dec 2011 very critical
– For details see on my home page ‘India’s National ID System: Danger Grows in a Privacy Vacuum’, Computer Law & Security Report, 2010
– Only one of many extensive government surveillance systems

India – Self-regulation

• Data Security Council of India (DSCI)
– Established by NASSCOM (industry association for information processing) 2007
– DSCI’s Framework for Data Protection 2009 aims to reassure overseas data sources that Indian outsourcing providers observe proper security, integrity etc procedures
– DSCI’s dispute resolution mechanism does NOT deal with complaints by data subjects, only by overseas data sources
– DSCI may provide indirect data protection benefits, but is not data protection self regulation, as it ignores data subjects
• NASSCOM operates register of IT sector employees
– it only has 25% coverage of industry workers as yet for its ‘security checks’ of employees

India - The U-turns of 2011

• Twice sought an ‘adequacy assessment’ from EU
– 2009/10 and 2012/13: No announced results
– To protect Indian outsourcing (BPO) from Europe
• April 2011: Rules made under s43A of the IT Act 2000 to add a whole data privacy code
– Possibly ultra vires (the Rules are not about ‘security practices’) or even unconstitutional (nature of Tribunal)
– But it is prudent to assume validity until challenged
• August 2011: ‘Press Note’ attempts to change Rules
– It says Rules 5 and 6 (most Principles) do not apply to data processed in India on behalf of overseas data controllers
– All four propositions in the Press Note are arguably incorrect
– The prudent course is to follow the Rules, until Court clarifies

India - Principles in 2011 Rules, applied to an Indian data subject

NOTE: My interpretation has changed – Summary at [U64] is preferable to older articles at [46] and [50] (some errors based on draft Rules)

Application of Rules to data collected from a consumer in India

1. All basic OECD principles + retention limits are provided
  – Collection of personal data requires written consent of the ‘provider’
  – Compliance requires a Privacy Policy
2. BUT ‘sensitive personal data’ is defined much more narrowly than ‘personal data’, and half the Rules only apply to ‘sensitive’ data
3. ALSO some rules only apply to benefit the ‘provider’ of the data; so will not apply to data collected from third parties in India; but rules will apply when the ‘provider’ is also the data subject
4. Uncertain whether consumers can claim compensation under s43A
5. Uncertain whether the Rules are intra vires s43A

Conclusion: Very questionable whether the Rules provide any or most normal data protection principles for transactions within India

110

India - Principles in 2011 Rules, applied to foreign outsourcing

Application of Rules to data collected from foreign controller

1. The foreign consumer (data subject) is not the provider, so the rules that only apply to providers will not apply to them
  – Indian processor must only comply with non-disclosure, security and deletion rules
2. The result is much the same irrespective of whether the ‘Press Note’ has legal effect (my view is that it does not)
3. Does this stop the Indian Rules from being ‘adequate’?
  – Could argue that the other protections are provided under EU law
  – Uncertain: this would be a new form of adequacy, ‘for Europeans only’
4. Many other potential defects in relation to outsourcing:
  – Narrow definition of ‘sensitive personal data’
  – Uncertain application of s43A to benefit consumers

Result: s43A and Rules are so confusing, result is difficult to predict

111

Additional complication concerning call centres in India

• Where the ‘provider’ to a call centre / ‘help desk’ operation is the overseas data subject, the exemptions favouring foreign controllers will not apply
• It is necessary (and OK) for the foreign client (ie outsourcer) to collect consents in advance from data subjects, or for the Indian company to collect verbal consents, in order to comply with the Rules
  – but they may have to tell their customers why (Rule 5(3))

The complex and uncertain operation of the Rules cannot be assisting India’s competition with the Philippines in attracting outsourced processing

112

India – Data exports (1)

1. Extra-territorial reach?
  – Whole Rules do not have extra-territorial reach; s75(2) applies only if a contravention ‘involves a computer [or] network located in India’
  – BUT Rule 6(4) requires foreign 3rd P receiving data from Indian company ‘shall not disclose it further’, even in that country
2. Data export limitations (Rule 7)
  – ‘Border control’ approach: overseas recipient must ‘ensure the same level of data protection’ as the Rules require;
  – Transfer must also be pursuant to a contract with the provider, or with the consent of the data subject
3. No special rules for controller/processor transfers
  – BUT for ‘same level of protection’, processor need only observe use limitation, security and data retention Rules

113

India – Data exports (2)

4. Controller/processor contracts cannot protect Indian data subject under Indian law
  – Indian contract law generally requires privity of contract; will not allow ‘third party beneficiaries’ to enforce
5. Indian controller is not liable for breaches by foreign processor

114

India - Enforcement of Rules

• Enforcement of s43A Rules is via special system
  – Adjudicating Officers (AO) at first instance
  – Appeal to Cyber Appellate Tribunal (CAT)
  – But how do AO or CAT investigate complaints?
  – No DPA in IT Act
• AO or CAT can award compensation (unlimited)
  – But damage must result from intentional or negligent act
  – No other remedies available
  – No examples yet of compensation under s43A
• Result?: Untested and imperfect, but plausible

115

India - A comprehensive privacy law?

• ‘Group of Experts’ (Chair A P Shah) reported Oct 2012 to Planning Commission, recommending elements of a draft Bill
• In 2011, two versions of a Bill drafted by a high-level Inter-Departmental Committee were leaked
• No Bill has yet been endorsed by the Government
• E.g. key elements of leaked draft Privacy Bill (April 2011)
  – 3-person Data Protection Authority of India (DPAI)
  – Covers public sectors as well as private sector
  – Creates tort of interference with privacy + data privacy
  – Very strong EU-influenced Principles, well beyond OECD
  – Data exports: border control – ‘adequate level of protection’
  – Creates Register of all Data Controllers!
  – Strong enforcement powers via DPAI and CAT
  – BUT limits its protection to Indian citizens (?)
• The ‘Group of Experts’ recommendations improved on this

116

India - TOC of draft Privacy Bill 2011

There is also a later version from September 2011

117

India – Uncertainty in 2013

• EU ‘adequacy’ remains unresolved
  – EU has obtained another expert report
  – India attempting to use free trade negotiations to obtain ‘data secure status’
  – Indian civil society groups lobby EU to deny adequacy etc until a data privacy law is passed
• Dept of Personnel & Training (DoPT) has carriage of Privacy Bill originating from 2011
  – Revised draft has gone to the Union Law Ministry, after which it will go to Cabinet
  – Have the Shah Committee proposals had effect?

118

The rest of South Asia/SAARC

• Nepal – has a public sector data protection law within its Right to Information Act 2007
• Bangladesh, Pakistan, Sri Lanka, Nepal etc
  – No private sector data privacy initiatives
  – Development of digital ID cards, as in India
  – Often influenced by Indian developments
• No SAARC initiatives
  – ‘South Asian Area of Regional Cooperation’
  – Unlike ASEAN, no interest shown in data privacy as yet
• As with India, outsourcing may become a factor

119

International agreements and data export restrictions affecting Asia

APEC Privacy Framework - Failure or promise?

• APEC (Asia-Pacific Economic Cooperation) grouping of 21 economies (Chile to Singapore) has 1/2 world trade and GDP
• A regional agreement was logical:
  – To create a minimum privacy standard
  – To help ensure free flow of personal data
• Developed by APEC ECSG Privacy Sub-group (2003-05)
  – Business orgs included, consumer NGOs excluded
• APEC Ministers announced Framework (2004), finalised it 2005

Question: After 8 years, what has the Framework achieved?
  – In influencing more countries to protect privacy?
    • Need to compare with the effect of European standards
  – In developing effective means of regional personal data flows?
    • Need to consider APEC’s CBPR proposals

121

APEC Framework's 9 Privacy Principles

I. Preventing Harm
II. Notice
III. Collection limitation
IV. Uses of personal information
V. Choice
VI. Integrity of Personal Information
VII. Security Safeguards
VIII. Access and Correction
IX. Accountability (includes due diligence in transfers)

Generally ‘OECD Lite’, a slightly weaker version of the OECD Guidelines, plus principles I and V which add nothing of value, and IX which is a dangerous substitute for any real controls on data exports

122

APEC implementation standards

• Framework Part IV(A): ‘Domestic Implementation’ – non-prescriptive in the extreme
• Any form of regulation is OK
  – Legislation not required or even recommended
  – Choice of remedies supported
• No central enforcement body required
  – But CBPR scheme assumes one or more ‘government enforcement entities’
• No accountability for implementation of the APEC Framework
  – Few Individual Action Plans yet online 8 years after agreed
• Weaker than any other international privacy instrument
  – Part IV exhorts APEC members to implement the Framework without requiring or proposing any particular means of doing so, or any means of assessing whether they have done so

123

APEC’s nascent CBPR (1)

• APEC finalised its CBPR system in Sept 2011, endorsed by leaders
• Joint Oversight Panel (JoP) established Moscow 2012
  – At least 4 APEC ‘economies’ meeting criteria to participate in CBPR must agree to form JoP: US (chair), Taiwan, Mexico and Canada (reserve) have agreed. (How do they meet the criteria?)
  – JoP then assesses Accountability Agent (AA) applications
  – Waters: sceptical that countries with privacy laws, DPAs and cross-border legislative requirements will see any advantage in participating (membership bears this out)
• Stewart: explains steps companies must then take
  – Company does self-assessment against APEC standards
  – Company assessed (and assisted) by an Accountability Agent (separate APEC recognition process)
  – If ‘APEC-compliant’, added to directory
  – AAs and/or DPAs enforce compliance with APEC standards
  – Companies get periodically re-assessed for compliance

124

APEC’s nascent CBPR (2)

• Waters: ‘business case … to seek certification under the CBPR system remains elusive’
  – Application process is onerous, involving ‘registration’ requirements Asia-Pacific laws avoid; costs are unknown
  – Benefits in countries with privacy laws elusive
  – Sceptical of possibility of ‘interoperability’ with EU CBPR or Trustmark schemes, as JoP is unlikely to be competent to assess (Stewart sees this as a step toward ‘global solutions’)
• APEC approval of TRUSTe as first AA (2013)
  – Critics say breach of its own standards damages credibility
• IBM USA first company accredited by TRUSTe (2013)

125

APEC’s nascent CBPR (3)

• Factors favouring APEC CBPR
  – Other countries will join (Mexico and Japan next)
  – EU and APEC exploring CBPR/BCR interoperability
  – USA is willing to fund any country willing to develop CBPR
• Factors against APEC CBPR
  – It only assists with data imports from some APEC countries
  – APEC countries with data export restrictions have to find ways to reconcile APEC CBPR with their laws
  – Business case for companies to invest in getting CBPR accreditation is not clear. Will any but US companies do so?
  – Low standard of APEC Framework, and credibility loss with TRUSTe AA accreditation, may damage prospects of EU (or other) interoperability

Conclusion: Viability of APEC CBPR still unknown

126