Post on 13-Jan-2016
Asian Data Privacy Laws: 2013 Roundtable
Professor Graham Greenleaf AM
Professor of Law & Information Systems, University of New South Wales
Asia-Pacific Editor, Privacy Laws & Business International Report
Pinsent Masons, London, 1 October 2013
Asia: 28 jurisdictions but no centre – no Brussels, Strasbourg, ECJ, ECtHR, Directives, no A29WP
Asia in global context: mid-2013
• Significant 2011-13 events in half of the 28 jurisdictions
– 12 Asian jurisdictions now have data privacy Acts, covering both sectors (6), their public sector only (2) or their private sector only (4)
– Add China & Indonesia with substantial IT sector laws = 14
– 5 of these have very substantially strengthened their laws recently
– 2 laws are only yet partially in force
– 1 more has a Bill pending for a new law extending existing coverage, and Bills are reported in draft in others
• Every law differs substantially from all others
• None yet have EU ‘adequacy’ findings or CoE 108 accessions
• Information on national laws is very hard to obtain
– Key documents are often not available in European languages
– Information about enforcement & complaints is even harder to find
Global development of data privacy laws & standards
1. The global context
• How many countries have data privacy laws?
• What is the global trajectory of development?
• What Principles do these laws apply?
2. How do we evaluate & compare these laws?
• Standards for data privacy principles
• Comparing enforcement: responsive regulation
• Comparing data export laws (special focus)
How many countries now have data privacy laws?
1. What is a ‘country’ for this purpose?
– A separate legal jurisdiction (eg HK, Macau, Jersey, Greenland)
2. What’s a law?
– It’s a law: not self-regulation or trustmarks
– But any type of enforcement by law must be accepted
– This is only a Q of whether a DP law exists, not ‘adequacy’
3. What scope must a law have?
– Must cover either or both of private and public sectors
– Almost all cover both public & private sectors
– 5 Public sector only (must cover national government)
– 6 Private sector only (must cover most of sector)
• What content must a data privacy law have? …
4. What content must a data privacy law have?
• The ‘basic’ standard of all international agreements
– Initially OECD Guidelines (1980) & CoE Convention (1981)
– Also shared by EU (1995) and APEC (2004)
• Must include ‘most’ basic principles
– Can’t require all 15, or too strict – eg no explicit ‘openness’ principle in 5/10 Asian laws
• Testing against 10 Asian laws: averaged 13.6/15
– India & Malaysia’s 11/15 is probably the minimum acceptable
– Vietnam was 11/15, now 13 through new 2013 Decree
• Conclusion: Must include minimum 11/15
– including access/correction + security + some finality principles
Comparison of 10 Asian laws (over 15)

‘Basic’ principles in 10 Asian laws (0 = principle present; X = absent; ? = unclear)

| Principle | HK | IN | JN | KR | MA | MY | PH | TW | SN | VN | TTL |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Collection ‘limits’ (‘not excessive’) | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | X | 9 |
| Collection by lawful means | 0 | X | 0 | 0 | 0 | X | 0 | 0 | 0 | 0 | 7 |
| Collection by fair means | 0 | X | 0 | 0 | 0 | X | 0 | 0 | 0 | 0 | 7 |
| Purpose of collection ‘specified’ by time of collection | 0 | 0 | 0 | 0 | 0 | 0 | X | 0 | 0 | 0 | 9 |
| Collection with knowledge or consent, when from data subject | 0 | 0 | ? | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 9 |
| Data quality – relevant, accurate, complete & up-to-date | 0 | X | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 9 |
| Uses limited to purpose of collection, with consent or by law | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 |
| Disclosure limited to collection purpose, with consent or by law | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 |
| Secondary uses and disclosures only allowed if compatible | 0 | 0 | 0 | 0 | 0 | X | 0 | 0 | 0 | 0 | 9 |
| Secondary purpose ‘specified’ at change of use | X | 0 | 0 | 0 | 0 | 0 | 0 | ? | 0 | X | 7 |
| Security safeguards – ‘reasonable’ | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 |
| Openness re personal data policies | 0 | X | 0 | 0 | 0 | X | X | 0 | 0 | 0 | 6 |
| Access to individual personal data | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 9 |
| Correction of individual data | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 |
| Accountable data controller | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 10 |
| Total /15 | 14 | 11 | 14 | 15 | 15 | 11 | 13 | 15 | 15 | 13 | 13.6 |
How many countries now have a data privacy law?
• A: 101 (as at 30 August 2013)
– Article in materials is to June 2013
– + add Kazakhstan and South Africa
• 90/101 cover both sectors
– 5 Public sector only (Thailand, Yemen, USA, Nepal, Zimbabwe)
– 6 Private sector only (Vietnam, Singapore, Malaysia; India, Qatar & Dubai SEZs)
Result: 101 countries now have data privacy laws
To this map, add Kazakhstan and South Africa – new Acts since mid-2013
Map created by interactive maps: http://www.ammap.com
22 Acts & 19 Bills this decade

| Acts 2010 | Acts 2011 | Acts 2012 | Acts 2013 | Bills | Bills |
|---|---|---|---|---|---|
| Georgia | Angola | Ghana | Kazakhstan | Nigeria | Thailand |
| Faroe Is. | Costa Rica | Nicaragua | South Africa | Brazil | Turkey |
| Kosovo | Gabon | Philippines | | Madagascar | Tanzania |
| Malaysia | India | Singapore | | Kenya | Jamaica |
| Vietnam | Peru | Yemen | | Falkland Islands | Mali |
| Mexico | St Lucia | Georgia | | Qatar | Niger |
| | Trinidad & Tobago | | | Ivory Coast | + 5 others in Caribbean |
| | Ukraine | | | | |
105-10 data privacy laws by 2015?
This map adds 20 countries with known official data privacy Bills
Map created by interactive maps: http://www.ammap.com
Jurisdictions by decade: From rare to common
101 jurisdictions with data privacy laws by August 2013
Regional spread of data privacy laws
101 laws: 53 European, 48 outside Europe (August 2013)
Data privacy laws beyond Europe
• A: 47/100 jurisdictions are outside Europe
– EU: 28 (all); Other European: 25 (2 not: Turkey, Belarus)
– Asia: 12; Latin America: 9; Sub-Saharan Africa: 10; N. Africa + M-East: 6; Caribbean: 4; A’asia: 2; N. America: 2; Central Asia: 2
• Implications:
– Most of the world is adopting data privacy laws: no longer a ‘European thing’
– Most growth will now occur outside Europe
– By 2014-16, the majority of laws will be outside Europe
– When most of the commercially significant world has such laws, the focus will not be European ‘data exports’
Countries with no Acts or Bills: Afghanistan; Algeria; Bahrain; Bangladesh; Belarus; Belize; Bermuda; Bhutan; Bolivia; Botswana; British Virgin Islands; Brunei Darussalam; Burundi; Cambodia; Cameroon; Central African Republic; Chad; China; Comoros; Congo, Republic; Congo, Democratic Republic; Cuba; Djibouti; Ecuador; Egypt; El Salvador; Equatorial Guinea; Eritrea; Ethiopia; Fiji; Gambia; Guatemala; Guinea; Guinea-Bissau; Guyana; Haiti; Honduras; Indonesia; Iran; Iraq; Jordan; Kiribati; Korea, North; Kuwait; Lao PDR; Lebanon; Lesotho; Liberia; Libya; Malawi; Maldives; Marshall Islands; Mauritania; Micronesia; Mongolia; Mozambique; Myanmar; Namibia; Nauru; Oman; Pakistan; Palau; Palestine; Panama; Papua New Guinea; Rwanda; Samoa; Sao Tome and Principe; Saudi Arabia; Sierra Leone; Solomon Islands; Somalia; Sri Lanka; Sudan; Suriname; Swaziland; Syria; Tajikistan; Timor Leste; Togo; Tonga; Turkmenistan; Tuvalu; Uganda; United Arab Emirates; Uzbekistan; Vanuatu; Vatican; Venezuela; Zambia
China and Indonesia already have significant IT sector laws
Jurisdictions by decade: Diffusion to ubiquity
101 jurisdictions with data privacy laws by August 2013, with projections to 2020 (linear = 139; accelerated = 160)
Consequences of globalisation
• Ubiquity of data privacy laws in countries of economic/political significance by 2020
– USA and China the main outliers (private sector)
• European laws (EU & CoE) soon in a minority
– EU laws are only 28% at present, and falling
• Laws with strong data export restrictions are not limited to the EU, or to Europe
• ROW laws expand, strengthen, and are enforced
– Google: Korea (TOS) and Macau (Streetview)
• Results:
– Weak national laws may cause multilateral complexities
– Need for an internationally accepted standard increases
– ‘Interoperability’ begs the question: ‘on what basis?’
What fundamentals should we look for?
A = Principles; B = Enforcement; C = Data exports
(A) Standards for principles
• Over 30+ years, 2 standards emerged
1. 1st Generation - ‘Basic’ Principles
• OECD (1981); CoE (1981); APEC (2005)
• Also incorporated in ‘European’ principles
2. 2nd Generation - ‘European’ principles
• EU Directive (1995); CoE Additional Protocol (2001)
• Will 3rd Generation principles emerge?
– Possible from EU Regulation and CoE ‘modernisation’
– Not from OECD revision or APEC
• Which Principles are enacted globally?
Basic data privacy Principles (OECD & EU hold 1-10 in common)
1. Collection - limited, lawful and by fair means; generally with consent or knowledge (OECD 7)
2. Purpose specification at time of collection (OECD 9)
3. Notice of purpose and rights at time of collection (OECD ambiguous)
4. Uses (including disclosures) limited to purposes specified or compatible (OECD 10)
5. Data quality (relevant, accurate, up-to-date) (OECD 8)
6. Security through reasonable safeguards (OECD 11)
7. Openness re personal data practices (OECD 12) [not specific in EU]
8. Access, individual rights of (OECD 13)
9. Correction, individual rights of (OECD 13)
10. Accountable Data controller with task of compliance (OECD 14)
We will assume these 10 basic principles in the laws discussed, and focus on (I) where one is absent or (II) additional principles
What standards are enacted globally? – ‘Basic’ only or ‘European’?
1. Must first answer: ‘what are European data privacy standards?’
2. Approach: What is required by the EU Directive but not required by the OECD Guidelines?
3. Identified the 10 key differences as ‘European standards’ (next slide)
4. Examined 33/37 non-European laws (as at Dec. 2011) against these 10 criteria
5. Result: Average 7/10 ‘European’ factors found
6. Now 48 laws (not 33) but no significant change
7. Conclusion: The current ‘global standard’ is to a significant extent the European standard
10 ‘European’ standards: EU Directive (1995) & CoE 108 + Add. Protocol (2001)
1. ‘Minimality’ in collection (relative to purposes);
2. General ‘fair and lawful processing’ requirement;
3. Some ‘prior checking’ by DPA required;
4. ‘Deletion’: Destruction or anonymisation after use;
5. Sensitive data additional protections;
6. Limits on automated decision-making;
7. ‘Opt-out’ of direct marketing uses required.
8. Has a separate independent DPA; (enforcement)
9. Allows remedies via the courts; (enforcement)
10. ‘Border control’ data exports restrictions.
An ‘adequate’ law = one implementing most of these
Invitation to accede to CoE Convention 108 requires similar
(B) Standards for enforcement
• No accepted international standards
– EU Article 29 Working Party (WP29) Opinion on elements of adequacy is often cited
– Proposed EU Regulation may set new standards
– Revised OECD Guidelines adds some
• Numerous enforcement mechanisms are possible
• Few laws include all such enforcement mechanisms; it is their combination in an effective system that counts …
• Necessary to go back to 1st principles …
Purposes: What should enforcement achieve?
Types of enforcement measures
Enforcement measures can be characterised as:
1. Whether there is an independent DPA
2. Varieties of complaint investigations
3. Investigative powers and procedures
4. Orders and remedies available from DPA / Ministry
5. Publication of enforcement details (statistics and cases)
6. Offences
7. Rights of court action to enforce Principles (+ of appeal)
8. Data breach notification requirements
9. Systemic (non-complaint) preventative/deterrent measures
The model of ‘responsive regulation’: What is needed for effective enforcement?
Elements of ‘Responsive regulation’ (Braithwaite, Parker et al)
1. Effective regulation requires multiple types of sanctions of escalating seriousness
2. It is an enforcement pyramid: sanctions at the top get used far less than the cheaper bottom layers
3. All forms of sanctions must be actually used when necessary
4. Use of each level of sanction must be visible to those regulated, consumers and the representatives of both
5. The higher levels are incentives for the lower levels to be made to work
[Figure: Enforcement pyramid in a licensing system (Braithwaite 1993)]
[Figure: High peaks create more pressure down (Anon, NZ origin)]
[Figure: A complaint-driven enforcement pyramid for data protection]
[Figure: A systemic (non-complaint) enforcement pyramid for data protection]
(C) Data export restrictions – Must ask 6 Questions for each jurisdiction
1. Does the DP law of the controller’s jurisdiction assert extra-territorial operation?
– Assertion of control over persons/objects outside territory
– DP laws are by default not extra-territorial
– But nothing illegal in international law about such assertions
2. Under what conditions are transfers (data exports) to a foreign jurisdiction allowed?
– Contracts required?; Notice to data subject required?; Notice to DPA required?
3. Are there special rules for controller-to-processor transfers?
– Terminology in every country is different, so are the rules
Issues for each jurisdiction (2)
4. Can the data subject enforce the controller/processor contract against the processor?
– Does a privity of contract doctrine prevent this?
5. Is the controller liable for breaches by the foreign processor? (vicarious liability)
6. Does the processor jurisdiction’s DP law exempt outsourced processing (in full or part)?
North-East Asia – the leaders
• Most countries have recent new or revised data privacy laws
• With new laws in China, North-East Asia is the most data-privacy-intensive region outside Europe
Order of consideration
1. South Korea
2. China
3. Hong Kong SAR
4. Taiwan
Not covered
1. Japan
2. Macau SAR
3. Mongolia
South Korea
• OECD and APEC member; APPA member
• New comprehensive Personal Information Protection Act (PIPA)
– In force from 10/11; only enforced from 4/12
– Adds many new features to existing strong foundation
• Previous legislation (largely replaced but not entirely)
– Private sector – ‘Data Protection Act’ 2000 (in a broader Act)
• Administered by Korean Internet & Security Agency (KISA)
• Scope limited to businesses utilising telecoms services
• Active enforcement by Korean Personal Information Dispute Mediation Committees (PIDMCs): compensation & documented cases
– Public sector - Public Agency Data Protection Act
• Administered by Ministry of Public Administration and Safety (MOPAS)
• Scope covers all public agencies; includes basic principles, but few limits on excessive collection by governments (defect in OECD)
• Minimal enforcement: no independence; no publication of cases
– Some other specific Acts (eg credit reporting) still over-ride the DP Act
South Korea - Key new features of 2011 PIPA
1. One Act now comprehensive of public and private sectors (cf Japan)
• Now covers whole private sector - ‘Personal information processor’
2. Independent Personal Information Protection Commission (PIPC)
• 1st national DPA in a civil law Asian country
3. Privacy Compliance Officers required for most businesses/agencies
4. Collective mediation for disputes with widespread small damage
• + representative actions for injunctions
5. Mandatory data breach notification to affected individuals
• Also to authorities where significant (cf Taiwan)
6. Mandatory PIAs for potentially dangerous public sector systems
7. Explicit (opt-in) consent required for marketing using own databases
• Act and Enforcement Decree in English (trans. Prof. Park, Whon-il)
– <http://www.koreanlii.or.kr/w/images/9/98/DPAct1110en.pdf>
– <http://www.koreanlii.or.kr/w/images/d/d7/DPAct_EnforceDecree.pdf>
South Korea – Additional principles
2011 Act includes all basic OECD principles, plus these additions:
1. Onus of proof of almost all requirements is on the processor
2. Privacy Policy necessary, and overrides any individual agreements where this favours the consumer (A 30)
3. Minimal collection of personal data necessary for purpose (A 16(1))
– Desirability of ‘anonymity, if possible’ of processing (A 3(7))
4. No denial of services because of refusal to provide unnecessary information (A 16(2))
5. Sensitive data cannot be processed without consent (A 23)
6. Alternatives to identification by the Residence Registration Number must be provided (A 24) [RRN use is separately being prohibited]
7. Strict limits on operation of visual surveillance devices (A 25)
8. Notification required if personal data collected from 3rd Ps (A 20)
9. Consent required to disclose to 3rd Ps, who must be identified (A 17)
– limited exceptions (A 18) not including ‘compatible uses’
South Korea – Additional principles (2)
10. Data exports require consent (A 17(3)) - but notice is weak
11. Notice of sub-processing is required (A 26), and sub-processors must be identified
– OR public Privacy Policy (PP) can give notice of sub-processing
– sub-processors are deemed employees (A 26(6)) (vicarious liability)
12. Deletion (not de-ID) of personal data required after use (A 21)
13. Suspension of processing can be required by data subject (A 37)
14. Privacy Officer must be appointed, with detailed duties (A 31)
– Draft Guidelines suggest wherever more than 50 employees
15. Data breach notification always mandatory to data subjects (A 34)
– Also to MOPAS and other authorities if ‘large scale’
16. Offences to improperly deal with, disclose or receive personal data
17. Detailed security measures are prescribed by Presidential Decree, both locally and for data exports
These 17 points show how far Korea goes beyond the OECD ‘basics’
South Korea - Strong consent
• Unusual in both where consent is required (most disclosures and changes of use, and data exports) and in the requirements for consent to be legitimate.
• Notifications required before consent is obtained (A 15(2) or 18(3)) must separate 3 matters:
– each matter requiring consent must be stated separately, and each consent obtained separately (no ‘bundling’) (A 22(1))
– information collected requiring consent must be segregated from information not requiring consent (A 22(2))
– if consent is to use information ‘to promote goods or services or solicit purchase therefor’ then data subjects must explicitly consent to this (ie opt-in to marketing uses) (A 22(3))
• This is reinforced by the ‘no disadvantage’ rule
Are these the strongest consent requirements known?
South Korea – Enforcement
• The most complex version of the ‘North Asian civil law model’
– Japan, Taiwan and China have Ministry-based sectoral enforcement
– Korea has added both (i) an independent complaints body and (ii) a DPA
– If successful, the Korean model is likely to influence others
• Complex 5-way administrative structure under new Act:
1. Personal Information Protection Commission (PIPC)
2. Korea Internet & Security Agency (KISA) (includes Personal Data Protection Center (PDPC))
3. Personal Information Dispute Mediation Committees (PIDMC/Pico)
4. Ministry of Public Administration and Security (MOPAS)
5. Korea Communications Commission (KCC): regulates ISPs and ICSPs
• This structure may be changing after the 2012 election
– Complexity in who is representing Korea in international fora
– PIPC would like to take functions currently(?) exercised by KISA
– Influence of MOPAS is still everywhere
South Korea – Enforcement
1. Personal Information Protection Commission (PIPC)
• 15 member independent Commission within Presidential Office
• PIPC’s website <http://www.pipc.go.kr> is out-of-date in English
• President appointed independent Chairman (Park, Tae-Jong)
• ‘Executive Bureau’ within MOPAS, headed by Director-General
• ‘Standing Commissioner’ is a ‘government official of political affairs’ who ‘directs the Executive Bureau under the Chairman’s orders’
• Roles of setting policy, issuing opinions and reports (A 8)
• Organisations can seek something like an ‘advisory opinion’ on the law
• No clear role in the Act in resolution of individual complaints
• BUT PIPC claims a role re public sector ‘to rectify violations and misuse of personal information’ (see A 8(1)(v) and A 18(2)(v))
• PIPC has an ‘Investigation Division’
• PIPC decided complaint against Google Terms of Service
South Korea – Enforcement (2)
2. Ministry of Public Administration and Security (MOPAS)
– Issues ‘Data Protection Basic Plan’ in consultation with PIPC
– Issues ‘Standard Guidelines’, which Ministries can modify for sectors
– Accreditation to Data Protection Commissioner’s conference refused in 2011, because not independent of government
3. Personal Information Dispute Mediation Committees (PIDMC)
– Up to 20 persons appointed, with independence provided by Act (A 40)
– Hear complaints in sub-committees, depending on expertise required
– Handles about 90% of privacy disputes (10% in Courts)
– ‘Mediates’, deciding breach and recommending remedy; if both parties agree, settlement is binding; otherwise, matter has to go to Court
4. Personal Data Protection Centre (PDPC) within KISA
• Receives and investigates complaints, and mediates minor complaints
• Assists complainants to prepare complaints to go to PIDMC
• KISA still represents Korea at APPA meetings, but PIPC also
• Presidential Decree must appoint PDPC to this role (A 40(8))
South Korea – Enforcement (3)
• PIDMC’s mediation record under the old Act
– PIDMC must suggest mediation within 60 days of petition filing
– Of 22 reported cases in 2003-04, PIDMC awarded compensation (from $100-$10K) in 17 cases (English translations are on WorldLII)
– Examples: disclosure of telephone records to estranged husband ($10K); surgeon posting photos of clients’ plastic surgery ($4K)
– Usually individual vs business disputes; disputes between individuals go to Court
• Additional scope for PIDMC mediation under the new Act
– now has powers to mediate public sector complaints (s 43(3))
– now has powers for collective dispute mediation (A 49)
– PIDMC has been confirmed as mediation agency by Presidential Decree
Korea has established a unique open, independent and effective system of dispute resolution over 10 years
South Korea – Enforcement (4)
• Data subjects may sue for damages for breach (A 39)
– Onus of proof of no intent/negligence is on the data user
– Many actions before Courts, including class actions: Held that massive data leak did not automatically result in damages for mental distress (2011)
– Little information available in English on court cases
• Collective dispute mediation by PIDMC (A 49)
– Where multiple data subjects are affected, any parties can request PIDMC to undertake collective dispute mediation
– Presidential Decree sets out procedural details
– Mediation continues even if some complainants go to Court
• Class actions (Part 7 ‘Data protection collective suit’)
– If processor rejects collective mediation, various types of NGOs (defined in Act) are entitled to file a class action (‘collective suit’)
– Suit is filed in the District Court of the defendant’s place of business, or main office of foreign business’s representative (A 52)
South Korea – 2013
• 2013 Bill (3538) for serious data protection breaches
– Fines up to KRW 500M (US $500,000)
– MOPAS could demand dismissal of senior executives
• 2013 PIPA Amendment re ID numbers
– No ID numbers can now be collected, online or offline
– Existing ID numbers must be deleted (2 yrs for offline)
– Increase to US $500,00 fines (online or offline)
• Self/Co-regulation is not significant
– No significant self-regulation under previous Act
– No provisions concerning enforceable codes in new Act
– MOPAS required to facilitate self-regulation
• KISA guidelines strengthened the previous law
– Eg RFID & Biometric privacy Guidelines, 2007
– Which enforcement body will do so in future?
South Korea – Data exports
1. No explicit extra-territoriality provisions
– Normal rules of private international law apply
2. Consent and notice required when providing to a ‘3rd P overseas’ (A 17(3)) (Not border control)
– (i) consent of the data subject (must be express);
– (ii) notice in advance to data subject of identity of recipient, data to be transferred, purpose;
– No specific requirement to give notice of destination (country), or state of privacy laws at destination
– No vicarious liability for conduct of 3rd P recipient.
South Korea – Data exports (2)
3. Special controller/processor rules (A 26)
– A 26 applies if controller ‘consigns processing … to a 3rd party’
– Prior consent is not required; Notice or PP disclosure is required
– Notice must include identity of processor (but not country location)
– BUT Korean government authorities have previously required all data exports, including for outsourcing, to be with consent
– Some argue new Act might be interpreted differently (Lee & Ko, Seoul)
4. No privity of contract problem, so data subjects can enforce
– If exporter contracts with overseas 3rd party for benefit of data subject, data subject can enforce against 3rd P (Civil Code A 539)
5. Controller has vicarious liability (as employer) for processor
• Applies to compensation for processing contra to Act (A 26(6))
6. No outsourcing exemption
– Processor is also liable for all data protection requirements
[Figure: Map of China in the ‘Warring States’ period]
China
China – Regulation time line
1. 2006/7: Draft Personal Information Protection Act, from Institute of Law; private & public sectors; included DPA; EU-influenced
2. Some Provinces have enacted data privacy codes, for consumers
3. Piecemeal laws on money laundering, medical records, insurance, consumer protection and credit reporting
4. 2009-10 Major reforms: Criminal Law and Tort Liability Law
5. 2011 MIIT (Min. of Industry & Info. Tech.) ‘Internet Information Services Regulations’, in force 3/12
6. 2012 NPC Standing Committee ‘Decision’ (a law) on Internet Information Protection, in force 12/12
7. 2013 MIIT Standardization Administration ‘Guidelines’ on Personal Information Protection in ‘computer information systems’
8. 2013 MIIT ‘User Data Protection’ Regulations
Result: No national law yet, but consistency emerging 2011-13
– Considerable consistency in principles; private sector only
– Ministry-based enforcement, with no sign of a DPA
China: Internet Information Services Regulations 2011
This is still the single most important regulation
• Adopted by MIIT (Min. of Industry & Info. Tech.) 12/11
• Scope: Applies only to ‘IISPs’, with a broad meaning
– Anyone providing information to Internet users
– Does not include the public sector
• ‘User’s personal information’ is any PI, but some cls only apply to ‘information uploaded by a user’
• ‘Telecommunications authorities’ at all levels can enforce, but some aspects may go to the Ministry
– Administrative orders to change practices, fines, and adverse publicity can result (at discretion of authorities)
– No explicit civil damages, but could arise under Tort Liability Law
China: Internet Information Services Regulations 2011 (2)
Content of the data privacy principles
1. Collection must be the minimum required for purpose
2. Express notice of purpose and use required at collection from user (not from 3rd Ps)
3. Use of any PI must be limited to purpose of collection
• disclosure limits might only apply to info uploaded by user
4. No data quality requirements except not to modify
5. Very general data security obligations
6. Data breach notification (to telecoms authorities only) required if ‘serious consequences’
• but MIIT requires user notification, on past occurrences
7. A data controller to receive complaints must be publicised
8. OMISSIONS: (1) Any user rights of access, correction etc; (2) data export limitations; (3) Sensitive data
China: NPC Standing Committee ‘Decision’ on Internet info. 2012
• Highest level law yet enacted in China to deal specifically with data protection
– Despite its name, it is legislation
– Ranks higher than a Ministry regulation (MIIT)
• Scope
– Cl 1 declares protection of personal ‘electronic and digital information’ and prohibits its illegal use
– Other clauses only regulate IISPs
• Decision also includes ‘real name’ regulation
– ISPs etc must know real identities of users
– Does not abolish online pseudonyms
China: NPC Standing Committee ‘Decision’ on Internet info. 2012 (2)
What does the Decision add to the MIIT regulation?
1. Adds an opt-out from direct marketing
2. Adds a right to require ‘take downs’ by IISPs
3. Explicit right to file criminal complaints
4. Explicit right to seek civil liability (Tort Law?)
5. Omits many key principles (eg access)
– Leaves ambiguous whether ‘finality’ applies to PI collected from 3rd parties
Not a codification, but must be added to the MIIT regulation – cumulative effect is significant
China – MIIT Personal Information Protection Guidelines 2013
• Only ‘Guidelines’, but could an Internet business safely ignore MIIT ‘advice’?
– May well indicate standards to be followed under other laws (eg Tort Liability Law)
• Scope
– Applies to all private sector ‘computer information systems’, not only IISPs
– ‘personal info.’ has a conventional definition
– ‘sensitive personal information’ is defined (for first time) and made industry-specific
– Adds a controller (‘administrator’) / processor (‘receiver’) distinction (for first time)
• Unofficial translation is at <http://ssrn.com/abstract=2280037>
China – MIIT Personal Information Protection Guidelines 2013 (2)
What do the Guidelines (although ‘advisory’) add to the Regulation and Decision?
1. The 8 ‘Basic Principles’ are China’s most coherent set (but omit user rights)
2. But 4 phase ‘life cycle’ procedures add much more:
– Distinguishes where express consent and opt-out allowed
– Detailed notifications, including of outsourced processing
– Minimal and non-deceptive collection required
– Sensitive data protections for minors etc
– Rights of access and correction (for first time)
– Data export restrictions requiring express consent or government permission (for first time)
– Deletion requirements, on expiry of purpose, or request
China - MIIT ‘User Data Protection’ Regulations, 2013
– Telecommunications and Internet Personal User Data Protection Regulations 2013
– Cover both IISPs and telecommunications business operators (TBOs)
• What does this add to the previous list?
– Potentially broader definition of ‘personal user data’ not requiring capacity to identify
– Requirement to publish a privacy policy
– Cannot collect data ‘without user permission’
– Collection must cease with cessation of account
– (Possibly strict) liability for 3rd party processors
China - MIIT ‘User Data Protection’ Regulations, 2013 (2)
• New aspects of administration and enforcement
– Additional data breach notification requirements
– Annual self-inspection of security measures
– Details of inspections by ‘telecomms management organs’ (TMOs)
– Violations and fines will be published on the ‘Social Credit Register’ (‘name & shame’)
– Fines and penalties for TMOs and employees that fail to enforce the law
• A template emerging for all the private sector?
China - Criminal Law
• 7th Amendment to the Criminal Law of the PRC (2009), A 253
– Criminal penalties for an institution or employee selling, otherwise illegally disposing of, or offering to sell personal information
– Covers employees of government, hospitals, schools, and telecomm, financial, or transportation companies
– Penalties also apply to those illegally obtaining data
– Sentence up to 3 years plus monetary penalties
• Enforcement
– First prosecution reported (Jan 2010): a Zhuhai man illegally purchased logs of telephone calls by high government officials, then sold them to others who used the logs to fraudulently impersonate officials. Purchaser sentenced to 18 months, others prosecuted for fraud.
– Recent prosecutions are mainly under the Criminal Law
– Significant jail sentences have resulted
• Reinforced by cl 1 of 2012 NPC Standing Committee ‘Decision’
China – Tort law• Constitutional right to privacy cannot found civil cases (Supreme People’s Court)• Under General Principles of Civil Law (pre-2009)
– Privacy issues treated as defamation cases, following Judicial Interpretation (SPC) holding privacy to be subsidary to the right of reputation - some succeeded.
– Example: Website operator held liable for defamation, for website about the husband of a woman who committed suicide, resulting in him being harassed. Apology and compensation of about $1,000. (Appeal decision in ‘human flesh search engine’ case)
• Tort Liability Law 2009 (Enacted 26/12/09, in force from 1/7/2010)– A ‘right to privacy’ (undefined) is included in the list of ‘civil rights and
interests’, the breach of which leads to civil liability– Employers are vicariously responsible; ISPs are liable for torts committed
using their networks, unless they take sufficient steps after notice (A 36)– There are some recent minor cases under this law
• Civil (administrative) actions against government – now recognised by SPC Provisions (2011) for misuse of confidential
information
China – Draft data protection Act (2006)
• Draft Personal Information Protection Act (2006)– 2006 draft by Prof Zhou HANHUA, Director of the Institute of Law,
Chinese Academy of Social Sciences, + team of experts.– Depending on implementing regulations, could have been more like
an EU law than an OECD/APEC implementation– Considerable consultation between EU and Chinese bodies– Went to the State Council for consultation, but no further
• No evidence it is proceeding at present (last mentioned 2009)• Why different from 2011-13 MIIT / NPC developments?
– Covered (1) public sector and (2) whole of private sector– No data protection authority, but a more coherent set of remedies
• Why still significant?– Indicates type of law supported by part of PRC elite opinion– Best point of comparison for any new comprehensive law– Details are therefore included on following PPTs – See my detailed analysis at http://ssrn.com/abstract=2023065
China - Draft data protection Act 2006 (2)
‘General Provisions’/Principles (Ch 1)
1. Purpose
2. Lawfulness
3. Protection of rights (access and correction)
4. Balance of interests
5. Information quality (incl collection and use limits)
6. Information security
7. Professional duties (like ‘accountability’)
8. Remedy (incl admin remedies and compensation)
+ ‘Scope of’ and ‘Exceptions to’ applicability
+ ‘Cross border transfer’ (A48)
• No automatic restriction - ‘may restrict’
• Grounds for restriction include that recipient country/area ‘cannot give sufficient legal protection’
China - Draft data protection Act 2006 (3)
• Application to government authorities– Very broad exceptions to use restrictions
• Application to ‘other data processors’– Applies to all private sector organisations– Registration required before collection begins– Collection only for ‘clear and specific purposes’; – Secondary uses strictly limited
• Administration (Ch 4) – widely distributed among all agencies ‘above county level’;
no ‘Privacy Commissioner’– General regulations to be made at State Council level
China- Draft data protection Act 2006 (4)
• Safeguards and remedies (Ch 4 & 5)– Administrative review always available, with right of
appeal to Peoples’ Court– Alternative judicial remedy at any time in People’s
Court– All data processors ‘should bear liability for
compensation in accordance with law’– Administrative liabilities and criminal liabilities (Ch
5)
Hong Kong SAR• HK SAR part of PRC; APEC & APPA member• Basic Law provides constitutional protection
– Used to find telecommunications surveillance unlawful
• Personal Data Protection Ordinance 1996– Combination of EU, OECD and UK influences: first comprehensive data protection law in Asia
– Privacy Commissioner for Personal Data (PCPD): first ‘European’ model of a DPA in Asia
• Amendment Ordinance 2012 – passed by LegCo 27/6/12; in force since 1 April 2013
– first significant change in 15 years; strengthens Act
– Administration’s Bill makes far less change than Privacy Commissioner proposed, but he welcomes it
Hong Kong SAR – Principles
• HK Ordinance covers all basic principles• Some additional principles:
– deletion; – data matching; – direct marketing opt-out; – public registers– Also no exemption for ‘publicly available information’
• s33 data export limitations not in force– Only section not in force; applies ‘outside Hong Kong’– Privacy Commissioner is obtaining a consultant’s report on
how the s33 ‘white list’ could operate; expected Dec 2013– Business could be advised to operate as if s33 was in force
Hong Kong SAR – Data exports (1)
1. Extra-territorial application remains unclear– AAB decision in Yahoo! Case did not clarify
2. No explicit export controls (s33 is not in force)– No need to inform data subject of overseas transfer (DPP(1)
(3)(b)(i))– Commissioner’s Model Contract (1997) is non-statutory– s33 only provision of Ordinance not in force
• s33 provides for a ‘White List’, but none yet exists; Commissioner is preparing one• s33 includes exemptions based on exporters ‘belief’ concerning
overseas law
3. No special rules for controller/processor transfers– New 2012 controller (‘data user’)/processor distinction
• Only requires controller to require data deletion after use (s2(3))– If only ‘hold, process or use’ data on behalf of others, then
not a data user (s2(12))– Relationship of agency was always recognised (s65(2))– Note: scope of what ‘processing’ includes (s2) is not yet settled
Hong Kong SAR – Data exports (2)
4. Privity of contract now prevents data subject enforcing contracts against processors, but might not soon– Data subject cannot now take action against foreign cloud
processor – BUT Contracts (Rights of Third Parties) Bill 2013 (see Consultation
Paper) expected to be in effect by 2014; requires express terms benefiting 3rd P
– Commissioner’s Model Contract (1997) implies (but is not express) that it is for the benefit of the data subject
5. Controller is liable for [some] acts of foreign processor– Acts done by an agent (processor) within its authority are
considered to be the acts of the principal (controller) (s65(2))– No liability for acts of processor outside its authority – No distinction whether the agent is overseas or in HK
6. May be an ‘outsourcing exemption’ in HK– If a cloud provider fits s2(12) it is not a ‘data user’ and need not
comply.– S65(2) does not impose any liability on the processor (agent)
Hong Kong SAR – Existing enforcement (1)
• Attempted enforcement, but a defective Ordinance– Commissioner does investigate and use powers frequently
Commissioner finds breaches, but unless they are continuing/likely to be repeated, cannot issue enforcement order, or prosecute for failure to observe
– Increasing prosecutions and fines, but for minor matters (for Ricacorp and CITIC prosecutions see U27)
– For 2012 statistics etc see PLBIR 124:27– No explicit power to mediate complaints, practice uncertain– Damages only available via Court (s66) but never yet used
• Massive data spills and data sales scandals since 2007 – Data spill of complaints against Police by 20K people; Hospital
operators data spill; Octopus card operator, and 5 banks each sold consumer’s data
– But Commissioner is powerless to punish or compensate
Hong Kong – Existing enforcement (2)
Commissioner’s new uses of existing Ordinance powers• Reporting complaint respondent’s identity (ie use ‘name and
shame’) where Ordinance breached– See Octopus and CITIC case s48(2) reports (U27)– For recent s48(2) reports, see PLBIR 124:28– AEGON Direct Marketing example PLBIR 124:30
• Found media intrusions are collection by unfair means– Sudden Weekly breach findings now on appeal to AAB (U29)
• Proposes to require ‘data user returns’ (DURs) from agencies and corporate sectors which pose most risk– Proposed initially from public sector, banking, telecomms, and
insurance industries, and organisations with large customer databases of (eg loyalty schemes)
– Data required will include overseas transfer practices– Amended Ordinance allows him to require verification– Would be first (limited) ‘registration’ system in Asia-Pacific
HK Amendment Ordinance 2012 - Offences
1. Sale of personal data (no matter how collected) is subject to notice + opt-out; otherwise, criminal offence • Blanket objections to sale of personal data possible• Over-rides current requirement of consent (DPP 3)
2. Direct marketing for data user’s own purposes (or providing to others for DM) is subject to notice + opt-out
3. Disclosure of PD obtained from a data user, without consent, now an offence
4. Commissioner can now direct a data user to remedy a breach, and specify how
– Failure to do so is now an offence– Repeating the same breaches also now an offence
5. Still no data breach notification requirement– Government agencies have agreed to immediately report– Private sector failures to do so may result in s48(2) reports
HK Amendment Ordinance (2) - Compensation
1. Compensation proceedings moved to District Court• Standard costs order is ‘no order as to costs’
2. Commissioner can prescribe forms to assist complainant to ask Qs of respondents– Replies admissible and must not mislead
3. Commissioner can assist complainants with advice, legal representation and even the negotiation of ‘compromises’ • Commissioner’s costs are a charge against any
compensation 4. No applications made since 1 April 2013 have yet
been accepted
Taiwan• APEC (as Chinese Taipei); not ASEAN or OECD• Current protections
– Explicit Civil Code protection (s195(1))– Evolving constitutional protections (significant cases)
• Computer Processed Personal Data Protection Act 1995 (CPPDPA) – was in force until October 2012– Scope limited: public sector + 8 industry sectors
– No single oversight body, left to sectoral Ministries
– Little enforcement [U32]– One of the less successful ‘North Asian civil law’ Acts
Taiwan - New Act (Overview)
New Personal Data Protection Act (PDPA)• Enacted May 2010, in force in October 2012
– Rules (by Min. Justice) have been finalised by Executive Yuan
– A 6 (sensitive info.) and A 54 (notification) to be held back until amended (Bill to do so is before Executive Yuan)
• Comprehensive of all sectors• No DPA - Still Ministry-based enforcement
– Did not work with previous Act; but Ministry of Justice will now coordinate, and this is expected to work better
• Stronger Principles: Notice; sensitive data; narrow mandatory data breach notification
• Much stronger enforcement: Representative actionsResult: Raises Taiwan closer to international standards
Taiwan - Principles• New Act covers all basic principles; Additions:• Restrictive grounds for using sensitive data• Notice required for collection from 3rd parties (before use) as
well as from data subjects• Opt-out required for direct marketing uses• Cessation of processing where purpose of use complete• Mandatory data breach notification (A 12)
– Notice to affected persons (not to Ministry); Rules define method– Only where a breach of the Act is involved (weakness)
• Weaknesses in Principles– Over-broad exceptions for secondary use, access– Security principle is ill-defined, with no stated standard
• Conclusion: Modest strengthening, far short of Korea
Taiwan - Enforcement (1)• Individual rights to damages for breaches
– Strict liability on public agencies (A 28); procedure is under State Compensation Act
– Private sector has onus to show no wilful or negligent acts (A 29); procedure is under Civil Code
• Class actions are by defined representative NGOs – Allowed once they have 20 claimants– Mass claims are capped at US$6.7M damages
• No transparency requirements – No annual reports, reporting of complaints, fines etc
• Offences and administrative penalties extensive– Enforced by Ministries responsible for each sector
Taiwan - Enforcement (2)• Ministry enforcement of current Act
– Enforcement actions are almost entirely lacking– No agencies saw this as a core role– New Act identifies MOJ as responsible for coordinating enforcement
• Enforcement of current Act in the Courts (since 1995)– 3 actions for damages successful (from 40)
• Largest award A$2,700 (insurance Co. disclosure)
– 100 criminal prosecutions, 60% convictions, usually as a lesser offence
• Enforcement by Financial Supervisory Commission (FSC)– Privacy enforcement actions against banks, insurers and insurance
brokers, based on its own regulations, with fines up to A$130,00– Only lesser fines are possible when it proceeds under the DP Act
Taiwan – Data exports1. No specific extra-territoriality provisions with one exception
– Applies to ‘collection, processing or use’ outside Taiwan of data of Taiwanese nationals (A 51)
– Does this only apply to companies otherwise subject to the Act?
2. Data exports: Default position is ‘no limitations’– Restrictions at option of relevant Ministry (A 21)– One ground: receiving country lacks adequate protections– Until prohibited, no restriction on cloud processing
3. Special controller/processor provisions– Anyone retained to process personal data is ‘one and the
same as the retaining agency’ (A 4) – Controller must exercise careful monitoring over processor
(Enforcement Rules, A 8) – failure to do so will be a breach
Taiwan – Data exports (2)
4. Data subject can enforce controller/processor contracts against processor if expressed for benefit– Assumed so, as a civil law jurisdiction (no privity bar)
5. Controller is vicariously liable for processor’s acts (A 4)– Controller is responsible for all exercise of rights by data
subject (Enforcement Rules, A 8)
6. No outsourcing exemption– Data imported into Taiwan is subject to its Act
ASEAN - New growth area
ASEAN & privacy commitments• Association of South East Asian Nations (ASEAN) has 11 members
– 7 also in APEC: Singapore, Malaysia, Philippines, Vietnam, Brunei, Indonesia, Thailand (4 are not: Cambodia, Laos, Myanmar, Timor-Leste)
• ASEAN Human Rights Declaration (Dec 2012)– First human rights instrument many ASEAN countries have entered– Similar terms to International Covenant on Civil and Political Rights (ICCPR)– A21: ‘Every person has the right to be free from arbitrary interference with
his or her privacy, family, home or correspondence including personal data’
• Committed to establish ASEAN Economic Community by 2015– Harmonised e-commerce framework includes in its targets adoption of best
practice on data protection (no commitment to legislate)– Did adopt harmonised e-commerce laws in 8 countries in 5 years
• ASEAN may become a significant driver of privacy law developments, but:
– Only private-sector-wide law yet fully implemented is in Singapore– Minority of fully democratic members means privacy laws governing the
public sector are unlikely (except Philippines, Indonesia and Thailand)
ASEAN: Order of consideration
1. Malaysia: Bill (with DPA) enacted 2010, not yet in force
2. Thailand: Bill (with DPA) since 2009, before Cabinet
3. Indonesia: new Regulation under IT law; Draft Bill?
4. Philippines: Bill (with DPA) passed 2012; not effectively in force
Not covered in presentation:
5. Singapore: Bill (with DPA) enacted 2012, in force
6. Vietnam: e-commerce & consumer laws, in force
7. Other countries: Brunei and Lao may be developing Bills
Malaysia• Malaysia legislated in 2010, but not yet in force
– Personal Data Protection Act covers private sector only– Only data in ‘commercial transactions’ (broadly defined)– Principles are EU-flavoured, with weaknesses– ‘Whitelist’ approach to data exports, with over-broad exceptions– Commissioner lacks independence for international accreditation– No effective enforcement by DPA, only prosecutions for offences– Result: A weak model for other ASEAN nations
• Current position on bringing into force– New Personal Data Protection Department established 2012– Regulations and guidelines drafting ‘90% complete’– No decision whether a Commissioner will be appointed, but July
2013 rumour of imminent appointment [U55]– Minister announced intention to bring in force 16 August 2013 for all
new data collection, + existing data required to comply in 3 months
Malaysia – Privacy principles• Requires consent to processing of data
– Processing (collection, use and disclosure) must be directly related to a lawful activity of user and not excessive; Many exceptions (s6(2), s39, s40, s45)
– Allows withdrawal of consent to processing (s38, s42)
• Other non-OECD principles include written notice (s7), retention limitations (s10), opt-out from direct marketing
• Weaknesses of principles in the Bill– vague security principle;
– notice of intention to disclose can circumvent limitations;
– broad and discretionary exemptions
Overall, principles are EU-influenced, somewhat weak
Malaysia – Data exports (1)1. Extra-territoriality – Some limited operation
– No application to any processing outside Malaysia– Exception if data is to be re-imported into Malaysia (s3(2)): Indirect
protection for Malaysians whose data is processed in overseas clouds?
– Otherwise, Act applies to anyone who is ‘established in Malaysia’ or uses equipment in Malaysia for processing data (except transit) (s2)
2. Data exports - ‘Border control’ with numerous exceptions– ‘White list’ - exports prohibited unless Minister (on advice of
Commissioner) determines a place provides either (a) a law substantially similar ‘or that serves the same purpose’ or (b) provides at least equivalent protection (s129)
– usual exceptions (as in Directive A26) – + Exception (3)(f): reasonable precautions + due diligence to ensure
overseas processing would not breach the Act (if in Malaysia)
Malaysia – Data exports (2)3. Special controller/ processor rules
— ‘data processor’ processes solely on behalf of someone else; ‘data user’ is anyone else doing, controlling or authorising processing (s4)
— Only a ‘data user’ is liable for breaches of Data Protection Principles
4. Data subject cannot enforce controller/processor contract against processor • privity of contract restrictions on 3rd P benefit contracts apply
5. If s129(3)(f) due diligence applies, then no liability on controller irrespective of breaches by processor— no vicarious liability, weakest protection
6. [If processing is in Malaysia] Outsourcing exemption?— The Malaysian processor will not be a ‘data user’, so no application• Any use of equipment in Malaysia for processing attracts operation of
Act (s2(3)(b)) – Foreign controller may be (in theory) subject to Act
Malaysia – DPA• Personal Data Protection Commissioner
– Not appointed after nearly 2 years, possibly may not be [U36]– Can the Act function with no Commissioner, only prosecutions?
• Fails all tests of independence (but only covers private sector)– Can be sacked at will by Minister (s54)– Minister determines remuneration (s57)– Minister can give Commissioner ‘directions of a general character’ consistent
with Act (s59)
• Functions (s48), include:– To investigate complaints and issue enforcement notices– To advise the Minister on data protection policy– To advise which other countries provide substantially similar protection to
Malaysia
• Registration– Minister may require registration of specific classes of data users (as may
HK Commissioner)
Malaysia – Enforcement• Any breach of a Principle is an offence (s5(2)), prosecuted by decision
of the Public Prosecutor, before Supreme Court– Unusual to have offences as the principal form of enforcement – Other offences for 3rd parties collecting, or disclosing without consent, data
held by a data user (s130)
• If Commissioner finds contravention of Act is continuing or likely to be repeated, can issue enforcement notice (s108)
– Offence for data user to fail to comply– No remedies where breaches are unlikely to recur– Same defects as Hong Kong and pre-2011 UK– Rights of appeal by either party to Appeal Tribunal (Pt VII)
• Commissioner has no power to award damages or role of conciliating• No individual rights to seek compensation or proceed in court
Enforcement is likely to deliver minimal benefits to consumers, because neither individuals nor the Commissioner can take effective action – weakest enforcement in Asia (Japan excepted)
Thailand• APEC and ASEAN member, not OECD• Current protections
– Constitutional protection since 2007 of ‘a person's family rights, dignity, reputation, and the right of privacy’
– Official Information Act, 1997• Only covers State agencies (unusual in APEC)• Administered by 32 person Official Information Commission
(OIC) and the Office of the OIC• Limits personal data collection and retention; limits disclosure;
requires security; provides access and correction rights (most elements of information privacy)
• Statistics to 2005 show 880 appeals (to OIC or Information Disclosure Tribunal) from 1300 complaints against government at all levels
– Some industry sectoral requirements (eg telecomms)
Thailand – Principles (2012 Bill)• Personal Data Protection Bill 2012
– Bill forwarded by Council of State to Cabinet in 2009, but did not progress
– New Shinawatra government (2011) did not include it in its legislative program, but it was apparently still the basis for drafting of the 2012 Bill
– August 2012: Cabinet approved Bill going to Coordinating Committee of Parliament, which is to forward it to Parliament
• Principles (only covers private sector; not so in 2009 draft)– All basic principles are included– General principle of no processing (‘collected, used or disclosed’)
without consent, and right to revoke consent– Strict limits on collection by surveillance/ observation– Broad sensitive information restrictions, but must be prescribed in
Regulations– Deletion/de-identification required after use complete
Thailand – Data exports• Data exports
– ‘Border control’ approach: exports limited to countries with ‘laws [no] less stringent’, plus usual exceptions
– Will this appear in the final Bill?
Thailand – Enforcement
Not certain that all these details are in the 2012 Bill•Committee on Data Protection to oversee Act
– 14 members, majority of officials: criticism within Thailand for insufficient independence
– Director of Office of the Official Information Commission is member and provides secretariat (s7) which deals with data users and the public (s15)
– Board advises PM on policy, making of regulations, criteria for marks or standards etc
– Board sets Codes of Ethics for data controllers
•Personal Data Inspection Board/Committees to handle disputes– Board may appoint many Committees to mediate disputes– If mediation fails, Committees can make orders including remedial
actions and injunctions (monetary remedies may be via Courts)– Administrative fines and criminal penalties possible– Vicarious liability of directors etc unless they prove no knowledge
Indonesia
• Information and Electronic Transactions Law 2008– Highest form of Indonesian legislation– A26 requires consent for use of any person’s personal data
‘by use of electronic media’– ‘Elucidation’ implies rights of access and correction– A26(2) Courts can award compensation for breaches (No
cases yet)
• Regulation on the Operation of Electronic Systems and Transactions (2012) A15 expands A26 of Law– 2nd highest form of Indonesian legislation– Scope may apply to both private and public sectors– A15(1) amounts to a concise data privacy code [U57]– A15(2) adds a data breach notification requirement
[U57]
Indonesia - Enforcement
• Breaches of A15 can result in administrative sanctions (fines)
• A26 of 2008 law provided right to sue for compensation (under Civil Code)
Indonesia – Comprehensive law?
• Other Ministries may now be working on comprehensive laws
• Draft Personal Data Bill 2007– Task of Minister of Administrative Reform since 2007– Also has task of creating a National ID Card– Draft existed (2008) but never submitted to Parliament– Proposed Principles influenced by OECD, EU and APEC– Covers basic principles plus data retention limits– Role and independence of Privacy Commissioner not settled
Philippines• APEC and ASEAN Member, not OECD• Very limited rights until 2012
– Some constitutional protections in theory– Right of ‘Habeas data’ (constitutional right of access and correction)
adopted by Supreme Court (2008) - No known uses as yet– Electronic Commerce Act (2000) s3(e) general principles – not used
• Data Privacy Act 2012 now enacted, but not effective – Previous House and Senate Bills ‘reconciled’ by bicameral
committee mid-June, then enacted by both houses before they rose– Resulting reconciled Bill was largely similar to previous House Bill– Aquino signed on 15 August 2012, so became law 30 August– BUT National Privacy Commission (NPC) is not yet appointed– NPC must make Implementing Rules & Regulations (IRRs) within 90
days of appointment– ‘Existing industries [etc] affected’ are given 1 year transition from
date of IRR (s42)
Philippines – Principles
• Covers both public and private sectors, all data
• Collection limited to ‘not excessive’ data (not ‘minimal’)
• Subsequent use/disclosure requires consent (express/implied) or a broad exception requiring balancing of necessary interests of controller/ 3rd P against constitutional rights of data subject (ie weak protection)
• Processing of sensitive data generally prohibited, and very broadly defined - much stricter than elsewhere
• Data breach notifications to both Commission & individuals
• Deletion or blocking of data required after use completed
All OECD basic principles covered; Strong influence of EU Directive throughout - except data exports
Philippines – Enforcement• National Privacy Commission (NPC)
– Within the Office of the President; Commissioner + 2 Deputies– Oversight and coordination role in both sectors; advice, codes etc
• Civil actions, orders and compensation– NPC has strong powers to investigate complaints– Can ‘adjudicate’ and ‘award indemnity’ (compensatory damages)– Can ban processing, temporarily or permanently– Specific power to publicise the sanctions it has used– Actions for damages (‘restitution’) under Civil Code possible, but only as a
consequence of a criminal breach
• Criminal penalties– NPC can recommend prosecutions– Many criminal penalties for breaches of principles, including unauthorised
processing
• Privacy Codes– NPC can approve or reject Codes, but consequences are uncertain
Potentially one of the strongest ranges of enforcement measures
Philippines – Data exports (1)1. Some extra-territorial application (s5)
– Covers acts done outside Phil concerning (a) Phil citizen or resident; or (b)/(c) many different links with Phil
– Scope includes all controllers and processors using equipment located in Phil. or maintaining office etc in Phil. (s4)
2. No express data export limitations (s9A ‘Accountability’ )– Makes controller ‘responsible’ for international transfers, ‘subject
to cross-border arrangements and cooperation’; – Also ‘accountable for complying with the … Act’ and for ‘using
contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a3rd party’
3. Special controller / processor rules (s12)– Controller is responsible for complying with the Act; – Processor is also required to comply with the Act
Philippines – Data exports (2)
4. Data subject can enforce any controller/processor contract if there is one stated to be for his/her benefit
5. Vicarious liability of controller for breaches by processor is unclear (s12)
6. [Cloud processing in Philippines] Outsourcing exemption explicitly provided– excludes all personal information originally collected from
residents of foreign jurisdictions in accordance with their laws, being processed in Phil. (s4(f))
– Intended to exempt all outsourced processing– May fail to exempt call centres operated from the Philippines
South Asia
India
India in 1857 – ‘The Great Rebellion’
India - Prior to 2011• India’s pre-2011 piecemeal privacy protections still operate
– For details see on my home page 'The Illusion of Personal Data Protection in Indian Law’ (2011) 1 (1): 47-69 International Data Privacy Law
• Indian Constitution implies privacy right– A 21 protection of ‘personal liberty’ is the basis– Mainly used to limit search and surveillance– Naz Foundation Case (2009) extends previous case by holding
unconstitutional legislation criminalising homosexuality, based on autonomy
– Supreme Court could, but has not, • expanded this right to ‘informational self-determination’• Forced the government to legislate, as it did with the Right to Information
• Right to Information Acts– Right of access to own file in all public sectors– Supreme Court ordered Parliament to legislate
India – pre-2011 (2)• Credit Information (Companies) Regulation Act 2005
– Establishes extensive credit surveillance system– Has basic privacy principles, and more (in theory)– No Reserve Bank enforcement, law ignored by industry and government
• Consumer Disputes Redressal Commissions– Established under Consumer Protection Law 1986– Allows complaints about unfair/deficient practices/services – National Commission used complaint about mass disclosure of subscriber
information to force Telemarketing legislation (Nivedita Sharma Case)
• Unique ID number system (‘Aadhaar’)– Allocation of 1.2BN ID numbers by 2015 planned; over 600M issued– Is overshadowing developments in data protection– Unique Identification Authority of India (UIDAI) Bill before Lok Sabha– Report of Lok Sabha Finance committee Dec 2011 very critical– For details see on my home page ‘India’s National ID System: Danger Grows
in a Privacy Vacuum’, Computer Law & Security Report, 2010– Only one of many extensive government surveillance systems
India – Self-regulation• Data Security Council of India (DSCI)
– Established by NASSCOM (industry association for information processing) 2007
– DSCI’s Framework for Data Protection 2009 aims to reassure overseas data sources that Indian outsourcing providers observe proper security, integrity etc procedures
– DSCI’s dispute resolution mechanism does NOT deal with complaints by data subjects, only by overseas data sources
– DSCI may provide indirect data protection benefits, but is not data protection self regulation, as it ignores data subjects
• NASSCOM operates register of IT sector employees– it only has 25% coverage of industry workers as yet for its
‘security checks’ of employees
India - The U-turns of 2011 • Twice sought an ‘adequacy assessment’ from EU
– 2009/10 and 2012/13: No announced results– To protect Indian outsourcing (BPO) from Europe
• April 2011: Rules made under s43A of the IT Act 2000 to add a whole data privacy code– Possibly ultra vires (the Rules are not about ‘security
practices’) or even unconstitutional (nature of Tribunal)– But it is prudent to assume validity until challenged
• August 2011: ‘Press Note’ attempts to change Rules– It says Rules 5 and 6 (most Principles) do not apply to data
processed in India on behalf of overseas data controllers– All four propositions in the Press Note are arguably incorrect– The prudent course is to follow the Rules, until Court clarifies
India - Principles in 2011 Rules, applied to an Indian data subject
NOTE: My interpretation has changed – Summary at [U64] is preferable to older articles at [46] and [50] (some errors based on draft Rules)
•Application of Rules to data collected from a consumer in India
1.All basic OECD principles + retention limits are provided – Collection of person data requires written consent of the ‘provider’.
– Compliance requires a Privacy Policy
2.BUT ‘sensitive personal data’ is defined much more narrowly than ‘personal data’, and half the Rules only apply to ‘sensitive’ data
3.ALSO some rules only apply to benefit the ‘provider’ of the data; so will not apply to data collected from third parties in India; but rules will apply when the ‘provider’ is also the data subject
4.Uncertain whether consumers can claim compensation under s43A
5.Uncertain whether the Rules are intra vires s43A
Conclusion: Very questionable whether the Rules provide any or most normal data protection principles for transactions within India
India - Principles in 2011 Rules, applied to foreign outsourcing
Application of Rules to data collected from foreign controller
1.The foreign consumer (data subject) is not the provider, so the rules that only apply to providers will not apply to them
– Indian processor must only comply with non-disclosure, security and deletion rules
2.The result is much the same irrespective of whether the ‘Press Note’ has legal effect (my view is that it does not)
3. Does this stop the Indian Rules from being ‘adequate’?
– Could argue that the other protections are provided under EU law
– Uncertain: this would be a new form of adequacy, ‘for Europeans only’
4. Many other potential defects in relation to outsourcing:
– Narrow definition of ‘sensitive personal data’
– Uncertain application of s43A to benefit consumers
Result: s43A and Rules are so confusing, result is difficult to predict
Additional complication concerning call centres in India
• Where the ‘provider’ to a call centre / ‘help desk’ operation is the overseas data subject, the exemptions favouring foreign controllers will not apply
• It is necessary (and OK) for the foreign client (i.e. the outsourcer) to collect consents in advance from data subjects, or for the Indian company to collect verbal consents, in order to comply with the Rules
– But they may have to tell their customers why (Rule 5(3))
– The complex and uncertain operation of the Rules cannot be assisting India’s competition with the Philippines in attracting outsourced processing
India – Data exports (1)
1. Extra-territorial reach?
– The Rules as a whole do not have extra-territorial reach; s75(2) applies only if a contravention ‘involves a computer [or] network located in India’
– BUT Rule 6(4) requires that a foreign third party receiving data from an Indian company ‘shall not disclose it further’, even within that country
2. Data export limitations (Rule 7)
– ‘Border control’ approach: overseas recipient must ‘ensure the same level of data protection’ as the Rules require
– Transfer must also be pursuant to a contract with the provider, or with the consent of the data subject
3. No special rules for controller/processor transfers
– BUT for ‘same level of protection’, a processor need only observe the use limitation, security and data retention Rules
India – Data exports (2)
4. Controller/processor contracts cannot protect Indian data subjects under Indian law
– Indian contract law generally requires privity of contract; it will not allow ‘third party beneficiaries’ to enforce
5. Indian controller is not liable for breaches by foreign processor
India - Enforcement of Rules
• Enforcement of s43A Rules is via a special system
– Adjudicating Officers (AO) at first instance
– Appeal to Cyber Appellate Tribunal (CAT)
– But how do AO or CAT investigate complaints?
– No DPA in IT Act
• AO or CAT can award compensation (unlimited)
– But damage must result from intentional or negligent act
– No other remedies available
– No examples yet of compensation under s43A
• Result?: Untested and imperfect, but plausible
India - A comprehensive privacy law?
• ‘Group of Experts’ (Chair A P Shah) reported Oct 2012 to Planning Commission, recommending elements of a draft Bill
• In 2011, two versions of a Bill drafted by a high-level Inter-Departmental Committee were leaked
• No Bill has yet been endorsed by the Government
• E.g. key elements of leaked draft Privacy Bill (April 2011):
– 3 person Data Protection Authority of India (DPAI)
– Covers public sector as well as private sector
– Creates tort of interference with privacy + data privacy
– Very strong EU-influenced Principles, well beyond OECD
– Data exports: border control – ‘adequate level of protection’
– Creates Register of all Data Controllers!
– Strong enforcement powers via DPAI and CAT
– BUT limits its protection to Indian citizens (?)
• The ‘Group of Experts’ recommendations improved on this
India - TOC of draft Privacy Bill 2011
There is also a later version from September 2011
India – Uncertainty in 2013
• EU ‘adequacy’ remains unresolved
– EU has obtained another expert report
– India attempting to use free trade negotiations to obtain ‘data secure status’
– Indian civil society groups lobby EU to deny adequacy etc until a data privacy law is passed
• Dept of Personnel & Training (DoPT) has carriage of the Privacy Bill originating from 2011
– Revised draft has gone to the Union Law Ministry, after which it will go to Cabinet
– Have the Shah Committee proposals had any effect?
The rest of South Asia/SAARC
• Nepal – has a public sector data protection law within its Right to Information Act 2007
• Bangladesh, Pakistan, Sri Lanka, Nepal etc
– No private sector data privacy initiatives
– Development of digital ID cards, as in India
– Often influenced by Indian developments
• No SAARC initiatives
– SAARC: ‘South Asian Association for Regional Cooperation’
– Unlike ASEAN, no interest shown in data privacy as yet
• As with India, outsourcing may become a factor
International agreements and data export restrictions affecting Asia
APEC Privacy Framework - Failure or promise?
• APEC (Asia-Pacific Economic Cooperation) grouping of 21 economies (Chile to Singapore) has 1/2 of world trade and GDP
• A regional agreement was logical:
– To create a minimum privacy standard
– To help ensure free flow of personal data
• Developed by APEC ECSG Privacy Sub-group (2003-05)
– Business orgs included, consumer NGOs excluded
• APEC Ministers announced Framework (2004), finalised it 2005
Question: After 8 years, what has the Framework achieved?
– In influencing more countries to protect privacy?
• Need to compare with the effect of European standards
– In developing effective means of regional personal data flows?
• Need to consider APEC’s CBPR proposals
APEC Framework's 9 Privacy Principles
I Preventing Harm
II Notice
III Collection limitation
IV Uses of personal information
V Choice
VI Integrity of Personal Information
VII Security Safeguards
VIII Access and Correction
IX Accountability (includes due diligence in transfers)
Generally ‘OECD Lite’, a slightly weaker version of the OECD Guidelines, plus principles I and V which add nothing of value, and IX which is a dangerous substitute for any real controls on data exports
APEC implementation standards
• Framework Part IV(A): ‘Domestic Implementation’
– Non-prescriptive in the extreme
• Any form of regulation is OK
– Legislation not required or even recommended
– Choice of remedies supported
• No central enforcement body required
– But CBPR scheme assumes one or more ‘government enforcement entities’
• No accountability for implementation of the APEC Framework
– Few Individual Action Plans yet online 8 years after agreed
Weaker than any other international privacy instrument
– Part IV exhorts APEC members to implement the Framework without requiring or proposing any particular means of doing so, or any means of assessing whether they have done so
APEC’s nascent CBPR (1)
• APEC finalised its CBPR system in Sept 2011, endorsed by leaders
• Joint Oversight Panel (JoP) established Moscow 2012
– At least 4 APEC ‘economies’ meeting criteria to participate in CBPR must agree to form JoP: US (chair), Taiwan, Mexico and Canada (reserve) have agreed. (How do they meet the criteria?)
– JoP then assesses Accountability Agent (AA) applications
– Waters: Sceptical that countries with privacy laws, DPAs and cross-border legislative requirements will see any advantage in participating (Membership bears this out)
• Stewart: explains steps companies must then take
– Company does self-assessment against APEC standards
– Company assessed (and assisted) by an Accountability Agent (separate APEC recognition process)
– If ‘APEC-compliant’, added to directory
– AAs and/or DPAs enforce compliance with APEC standards
– Companies get periodically re-assessed for compliance
APEC’s nascent CBPR (2)
• Waters: ‘business case … to seek certification under the CBPR system remains elusive’
– Application process is onerous, involving ‘registration’ requirements Asia-Pacific laws avoid; costs are unknown
– Benefits in countries with privacy laws elusive
– Sceptical of possibility of ‘interoperability’ with EU CBPR or Trustmark schemes, as JoP is unlikely to be competent to assess (Stewart sees this as a step toward ‘global solutions’).
• APEC approval of TRUSTe as first AA (2013)– Critics say breach of its own standards damages credibility
• IBM USA first company accredited by TRUSTe (2013)
APEC’s nascent CBPR (3)
• Factors favouring APEC CBPR
– Other countries will join (Mexico and Japan next)
– EU and APEC exploring CBPR/BCR interoperability
– USA is willing to fund any country willing to develop CBPR
• Factors against APEC CBPR
– It only assists with data imports from some APEC countries
– APEC countries with data export restrictions have to find ways to reconcile APEC CBPR with their laws
– Business case for companies to invest in getting CBPR accreditation is not clear. Will any but US companies do so?
– Low standard of APEC Framework, and credibility loss with TRUSTe AA accreditation, may damage prospects of EU (or other) interoperability
Conclusion: Viability of APEC CBPR still unknown