DATA PRIVACY LAWS
Asia Update
EP&B Webinar Series

Welcome
• You are on mute
• A link to a recording of the webinar will be available
• We can take questions by using the chat function; we will respond to your questions by email after the webinar
Bridging Borders Webinar Series

Speakers
• Australia: Peter Jones, Partner, Sydney
• Hong Kong: Scott Thiel, Partner, Hong Kong

Agenda
1. Current threat environment
2. Regulatory frameworks of countries in the Asia Pacific region
3. Key challenges and practical issues for multinational business
4. Asia Pacific enforcement conclusions

Current Threat Environment
High profile examples of data breaches
• 2011 - Sony's PlayStation Network attack
• 2013 - Breach of information held by Adobe and theft of Acrobat source code
Data security is a concern in many countries in the Asia-Pacific region, e.g.:
• 2013 - Online accounts of staff and students of the University of Hong Kong have been attacked by hackers
• 2014 - PayPal flaw discovered by tests
• 2014 - BIGGEST-ever breach of private security in South Korea

Current Threat Environment
Asia Pacific as a region is 2 times more likely to be targeted!
According to the FireEye Blog, the TOP 10 most targeted countries in Asia in 2013 are:
1. South Korea
2. Japan
3. Taiwan
4. Thailand
5. Hong Kong
6. The Philippines
7. India
8. Australia
9. Pakistan
10. Singapore

Current Threat Environment
• Data Breaches exposed weak defences of organisations in the Asia Pacific region
• Data Breaches may have a Global Impact
• Companies, banks, governments, etc. are all trying to bolster data security
• Asia Pacific countries are fighting back!

Current Threat Environment - Strategic Importance
• Diverse and evolving legal and regulatory landscape
• Exponential growth of information
• Growing protection challenge
• Corporate requirements and privacy collide
• Data and information breaches/disputes - High cost of mistakes

Asian Data Privacy Regimes At-A-Glance
[Figure panels: Before (2011); At 2014]

Data Protection: Regional temp
Asia-Pac region – a rapidly maturing DP landscape
• New laws – Malaysia, Philippines, Singapore
• Recent laws – South Korea
• Updates - Australia, Hong Kong, Taiwan, Vietnam
• Update scheduled - Indonesia
• Major changes expected – PRC, India (Justice Shah's report*)

Data Protection: Regional temp
Table columns: Jurisdiction | DP Law? | Collection Restrictions | Transfer Restrictions | Criminal / Admin Liability | Fines / Prison? | Overall DP Risk Level
Jurisdictions: Australia, China, Hong Kong, Indonesia, Korea, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam

But the devil is in the detail
Data Protection position in Asia Pac
• Direct Marketing
  - Hong Kong focus
  - DNC – Aus, Singapore
• Industry v Omnibus Laws
  - China, Thailand, India
  - Singapore/Malaysia
  - Overlapping – SK
• Regulator Powers
  - Broad, HK, Sing, Malaysia
  - Recommend – Philippines
• Third Party Correction Obligation
  - Sing and Malaysia
• Breach Notification
  - No: India, HK
  - Yes: Indonesia, Taiwan, SK
• Offences: max. jail terms
  - HK – 5 years
  - Sing – 2 years
  - Malaysia – 3 years
• Scope of Application of Laws
  - Holistic – HK, SK, Aus, Taiwan
  - Public sector exclusion – Sing, Malaysia
  - Sector exemption – Philippines
• Territorial Scope
  - Extra-terr. approach of Sing, Malaysia

A Brief Survey: China
Current Legal Regime: Combination of various non-DP specific laws (criminal law, civil law, tort law, constitution) with limited legal effect
Major Recent Developments:
• Decision of the Standing Committee of the National People's Congress for Enhancing the protection of Internet based Information:
  - Applies to "Internet service providers and other enterprises or public institutions"
  - Enshrines principle of legality, legitimacy and necessity
  - Need to specify the purpose, manner and extent of information collection
  - Obtain the consent of the target persons
  - Take technical and any other necessary measures to protect the security of personal information
  - Data correction obligations
  - Meaningful sanctions

A Brief Survey: China
Major Recent Developments:
• Information Security Technology - Guide for Personal Information Protection within Public and Commercial Information Systems published on 1 February 2013
  - Issued by the MIIT
  - Applies to private sector use of "information Systems"
  - Not Legally Binding however……
  - Prohibits extraterritorial transfer without express consent
  - Imposes security obligations
• Chinese Supreme People's Court has recently released the Provisions of the Supreme People's Court on Issues Concerning the Application of Law in Hearing Civil Dispute Cases Involving the Infringement of Personal Rights and Interests through the Internet

A Brief Survey: Hong Kong
• Regime: Personal Data (Privacy) Ordinance ("PDPO")
• Registration: No requirement
• Collection & Processing:
  - Notification + Consent (for new purpose) of Data Subject
  - New Consent requirements for direct marketing commence 1 April 2013
• Transfer:
  - Currently no restriction
  - Changes on the way
• Security:
  - All practicable steps to protect personal data
  - Where 3rd party processor is engaged contractual / other means required for security and period of retention
• Breach Notification: No requirement
• DP Officer: No requirement

A Brief Survey: Hong Kong
• Regime: Personal Data (Privacy) Ordinance ("PDPO")
• Enforcement: Enforcement notices with criminal consequences for non-compliance
• Sanction: Fines, criminal convictions and jail sentences
• Redress: Private Civil Proceedings
• Marketing Activities:
  - Notification
  - Statement of gain
  - Free opt-out channel
  - Consent from Data Subject
• Online Privacy:
  - PDPO also applies to online processing
  - Cookies – use and effect of non-compliance communicated to Data Subject

A Brief Survey: Hong Kong - Aegon Direct …
"If the contraventions shown in this case were committed today, the corporate data user at fault would be held criminally liable to a fine and imprisonment …."
Alan Chiang – Privacy Commissioner

A Brief Survey: Indonesia
• Regime: Law No. 11 of 2008 regarding Electronic Information and Transaction and Government Regulation No. 82 of 2012 regarding Provision of Electronic System and Transaction
• Registration: No requirement
• Collection & Processing:
  - Consent / other conditions met
  - Data center – more heavily regulated
• Transfer: Data user required to explain control and possession of transmitted information
• Security:
  - Data user guarantees protection of personal information
  - Telecom service provider responsible for data storage
• Breach Notification:
  - Required in writing - failure to protect personal data
  - Report to authority - failure/disturbance of protection system
• DP Officer: No requirement

A Brief Survey: Indonesia
• Regime: Law No. 11 of 2008 regarding Electronic Information and Transaction and Government Regulation No. 82 of 2012 regarding Provision of Electronic System and Transaction
• Enforcement & Sanctions:
  - Imposed under various regulations
  - Imprisonment and fines
  - Administrative sanctions (e.g. warning and fines)
  - Cancellation of approval/registration
• Redress: Private Civil Proceedings
• Marketing Activities:
  - No specific regulations
  - Mostly protected by IP laws
• Online Privacy:
  - No specific regulations
  - Obtain cookies/location data by unlawful access – imprisonment and fine
