GDPR Legitimate Interests Accountability and Transparency Explained

The GDPR significantly alters the balance of obligations, responsibilities and liabilities for controllers and processors of data. It mandates that a processor must have a lawful basis for the processing of data. However, there are some notable changes, particularly when looking to rely on legitimate interests as the lawful basis upon which a processor intends to process data.

The background

The GDPR also introduced new accountability and transparency requirements, meaning that processors must be able to show that they have a lawful basis for each processing operation, and must inform individuals which lawful basis is being relied upon. Furthermore, under the GDPR the interpretation of legitimate interests is now broader, encompassing the interests of any third party, including wider societal benefits.

Legitimate interests is the most flexible lawful basis for processing. However, when choosing to rely on this basis it is important to be aware of the extra responsibilities in considering and protecting people’s rights and interests. A legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal interests.

The development

The Information Commissioner’s Office (ICO) has issued draft guidance to assist organisations in identifying if a legitimate interest is the most appropriate basis, and if so how to ensure compliance with the terms of the GDPR. The ICO confirms its interpretation of the GDPR and provides a general recommended approach to ensure compliance.

Legitimate interests is likely to be the most appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Legitimate interests should be avoided in situations where personal data is being used in a way that data subjects would not understand or reasonably expect.

The ICO outlines that, as per the GDPR, when relying on legitimate interests as a lawful basis for processing, a processor must be able to:

  • identify a legitimate interest (Purpose);
  • show that the processing is necessary in order to achieve it (Necessity); and
  • balance it against the individual interests, rights and freedoms of the data subjects (Balance).

The ICO recommends that if you want to rely on legitimate interests in practice, then a three-part test should be undertaken to establish whether or not this is the most practical and applicable basis; the ICO refers to this as a Legitimate Interests Assessment (LIA). This is a light-touch risk assessment based on the context and circumstances of the processing of data. In addition, recording the LIA will also help to ensure compliance with the accountability obligations under Articles 5(2) and 24.

The test first requires you to identify a purpose for the processing (i.e. what the legitimate interest is). Things to consider include the reason for the processing, such as:

  • what is trying to be achieved?
  • who benefits?
  • what would the impact be if the processing did not go ahead?

Secondly, apply the necessity test. Things to consider here include:

  • does the processing actually help to further the interest?
  • is it reasonable?
  • is there a less intrusive way to achieve the same result?

Thirdly, you must balance the necessity of processing the data against the impact of the processing on the data subjects. The following should be considered:

  • the nature of the relationship with the data subject
  • is the data particularly sensitive?
  • would it be expected for the data to be used in this way?
  • what’s the possible impact?
  • would a data subject object or find the processing too intrusive?

The ICO further outlines that legitimate interests can be relied upon across a variety of situations, including processing employee or client data, intra-group transfers, marketing activities, B2B contacts, processing of children’s personal data (although special care should be taken here) and the disclosure of data to third parties.

Why is this important?

Although legitimate interests is not a new concept under the GDPR, the new requirements for processors are key to using this basis as the lawful basis for processing. Accountability and transparency requirements mean that processors need to be more pro-active when it comes to recording the reliance on legitimate interests as a lawful basis for processing.

Any practical tips?

Organisations must understand and be prepared to justify their legitimate interests as a lawful basis for processing personal data. In order to comply with the GDPR’s new obligations regarding transparency and accountability, it is good practice to establish a process that, when followed, documents an organisation’s assessment of a legitimate interest.

In addition, remember that you must tell data subjects the purpose for processing their personal data and explain to them the basis for relying upon legitimate interests. This is why building out your privacy policy is key: it ensures that your legitimate interests justification is clear for existing processing activities, and it is also why you need to revisit your privacy policy as and when new business activities emerge that also seek to rely on this basis for lawful processing.

Relentless Privacy and Compliance Services Ltd provides organisations with local and Global data privacy consultancy ensuring your organisation remains compliant wherever your operational data processing takes place.

Brexit: Uncertain Times, What to Do Next?

Whilst the threat of a no-deal Brexit has been averted for now, the future is by no means certain. We have highlighted some of the key issues for UK-based organisations, and the EEA organisations that do business with them, in these uncertain Brexit times.

A further ‘extension to Article 50’ has been granted until 31 January 2020, again delaying the UK’s exit from the European Union. The future is, however, by no means certain. A range of potential scenarios could still play out, including that:

  • the current deal on the table may be passed by Parliament following scrutiny (or maybe not…);
  • we could get to the end of the transitional period with no agreement having been reached on the UK’s future relationship with the EU, and the UK could still lapse into a “no-deal” Brexit scenario (or maybe not…); or
  • now that a general election is scheduled for 12 December 2019, there could be a change of government with a whole different Brexit agenda (or maybe not…).

Below are some of the key issues that are likely to be most relevant for many UK-based organisations, and the EEA organisations that do business with them, in these uncertain times.

Brexit Deal

If a Brexit deal is reached, it’s business as usual, right? Well – yes and no. The deal currently being discussed is only in relation to the terms of the UK’s withdrawal from the European Union. After that, a deal still needs to be reached as to the UK’s future relationship with the EU (and other trading partners). During the period when such a future deal is being negotiated, transitional arrangements would apply to effectively maintain the status quo for a specific period.

However, if by the end of that transitional period a future deal has not been reached (and the transitional period is not extended), the UK could still lapse into a “no-deal” Brexit scenario. Therefore, despite the recent extension, and even if a Brexit deal is agreed, a no-deal Brexit remains a possibility and may need to be planned for either way.

No-Deal Brexit

Legal framework

It is intended that the UK data protection law that will apply from the date of the UK’s exit from the European Union (“Exit Date”) will essentially be a “copied and pasted” version of the EU GDPR that applies immediately before Exit Date. However, certain amendments are required (as well as to the UK Data Protection Act 2018 and ePrivacy regulations) so that the UK’s legal framework for data protection and ePrivacy can continue to function in the event of Brexit. These amendments are contained in the Data Protection, Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019. (We refer to this new UK law below as the “UK GDPR”.)

The European Data Protection Board (EDPB), UK Information Commissioner’s Office (ICO) and certain other supervisory authorities (such as the CNIL in France) have issued guidance on how to deal with a no-deal Brexit scenario. This does not address all the complexities arising out of a no-deal Brexit, but it does at least provide an indication of the sorts of compliance issues that the regulators are focusing on when it comes to data protection and Brexit.

International data transfers

The GDPR prohibits the transfer of personal data outside the EEA unless the destination is a country or international organisation that the EU Commission has determined provides equivalent protection for the personal data, or a ‘safeguard’ or ‘derogation’ otherwise applies. From the Exit Date, there will be two sets of rules to consider in the following scenarios:

  1. first, the UK rules on transferring personal data out of the UK (as set out in the UK GDPR); and
  2. second, the EU rules on personal data being transferred from the EEA to the UK.

Transfers from the UK to the EEA

The UK Government has previously confirmed that it will continue to permit personal data to flow freely from the UK to the EEA and all other countries deemed adequate by the European Commission at the time of Brexit.

Transfers from the UK to the US under EU-US Privacy Shield

One ‘safeguard’ that may be used for transfers of personal data to the US is where the recipient has self-certified under the Privacy Shield framework that its processing of personal data conforms to GDPR-equivalent standards.

In relation to the Privacy Shield framework, the U.S. Department of Commerce has confirmed that businesses currently relying on Privacy Shield to receive personal data from the UK will still be able to do so, provided they continue to meet the annual certification requirements and update their relevant policies. This will involve updating the public commitment to comply with the Privacy Shield (i.e. the privacy shield policy) to state expressly that the commitment extends to personal data received from the UK in reliance on the Privacy Shield.

Further, if a business intends to receive HR data from the UK in reliance on Privacy Shield, it must also specifically update its HR privacy policy in the same way.

Transfers from the EEA to the UK

If the UK becomes a “third country” under EU GDPR (which it will in the event of a no-deal Brexit), the following options may be available to data exporters in EEA jurisdictions that want to compliantly transfer personal data to the UK:

  • an adequacy decision from the European Commission;
  • binding corporate rules (“BCRs”);
  • standard contractual clauses;
  • approved codes of conduct or approved certification mechanisms; or
  • certain specified derogations, such as explicit data subject consent.

The most favourable position for the UK would be for the EU Commission to grant the UK an “adequacy decision” that would give it a “whitelisting” such that personal data could be transferred to the UK from the EEA without any additional measures being needed. However, the EU has said that it will not grant an adequacy decision for the UK before Brexit happens. The process of granting adequacy is not quick, so it may take some time after the Exit Date before such a decision may be granted.

BCRs only apply to transfers within a group of companies, so could not be used to transfer personal data between independent service providers and their customers, for example. These also tend to be costly to prepare and finalise and can take many months, or even years, to be approved by the regulators.

There are currently no approved codes of conduct or certification mechanisms, so this is not currently an option. However, work is underway in certain industries to develop such instruments. For example, the UK Data and Marketing Association (DMA) is working with its European trade association, FEDMA, to develop a European Direct Marketing Code of Conduct.

That leaves standard contractual clauses as the only option for many businesses. This is by no means a perfect solution as there are not currently specific forms of clauses dealing with every data flow scenario that may be relevant to no-deal Brexit, e.g. EEA processor to UK sub-processor, or EEA processor to UK controller.

Lead supervisory authority

If the lead authority under the EU GDPR is currently the UK ICO, then either the relevant group will not be able to benefit from the ‘lead supervisory authority’ / ‘one-stop-shop’ mechanism under the GDPR, or the group will need to restructure to move personal data processing decision-making to an establishment of the group within the EU. The supervisory authority for that location may then be found to be the new lead.

Representatives

EEA representatives

Due to the extra-territorial effect of the EU GDPR, businesses that do not have any establishments, for example offices or branches, in the EEA will be caught by the EU GDPR if they either:

  • target individuals in the EEA with goods or services; or
  • monitor the behaviour of individuals in the EEA so far as the behaviour happens in the EEA.

This means that they will need to consider appointing a representative inside the EEA, unless certain exceptions apply.

The representative can be an individual, a company or an organisation established in the EEA provided they can represent the business regarding its obligations under the EU GDPR.

UK representatives

The UK government intends that, after Brexit, UK GDPR will require a controller or processor established outside the UK but that comes within the territorial scope of the UK GDPR to appoint a UK representative.

Miscellaneous updates to policies, procedures and documentation

As mentioned above, from the Exit Date, UK-established businesses that target or monitor the behaviour of data subjects in the EU may have to comply with two versions of the GDPR in relation to the same processing activity: the UK GDPR and the EU GDPR.

As a result of these changes, businesses will need to review their current policies, operational procedures and documentation and ensure that these refer to updated data protection and ePrivacy legislation as required. This is likely to include reviewing privacy notices, records of processing and data protection impact assessments (DPIAs), which may require updating to reflect changes regarding UK-EEA transfers and references to ‘Union law’ (or similar), and to identify an EEA and/or UK representative (if required).

What should businesses think about doing next?

  • Identify all personal data transfers out of or into the UK (and if so, where to/from) – the key transfers being those:
    • from the EEA to the UK and out of the UK again to other ‘third countries’ (in particular, where contracts prohibit data transfers outside the EEA); and
    • from the UK to the EEA.
  • Decide which lawful transfer mechanisms to use after the Exit Date.
  • Implement the chosen transfer mechanism so that it is applicable and effective as of the Exit Date – this may require amendments to existing data processing or data transfer agreements.
  • Update your privacy notice(s) and other internal documentation concerning your international data transfers.
  • If relying on the Privacy Shield framework for transfers of personal data to the US, ensure that the US business continues to meet the annual certification requirements and update relevant policies.
  • Continue to comply with GDPR standards – equivalent standards will apply post-Brexit in any event.
  • Consider if you will be caught by the extra-territorial scope of the EU GDPR and the UK GDPR in the event of Brexit.
  • If needed, appoint a representative in the EEA – in practice, the easiest way to do this may be under a service contract that provides the necessary mandate and agreed allocation of liability.
  • If needed, appoint a representative in the UK.
  • Ensure the representative’s details are easily accessible to the relevant supervisory authority (or authorities) – although there is no requirement to notify them of the representative’s appointment.
  • Update your privacy notice(s) and other internal documentation with details of the identity and contact details of the representative(s).
  • Consider whether an alternative lead EU data protection authority (other than the UK ICO) may still be possible through a group restructure.
  • Review (and if needed, update) your policies, operational procedures and documentation in relation to compliance with updated UK data protection and ePrivacy legislation.

DPIA When introducing AI

DPIAs and AI

Under Article 35(1) of the GDPR, organisations are required to carry out a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.

Article 35(3) of the GDPR sets out three types of processing which will always require a DPIA:

  • systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual;
  • large scale processing of special category data; or
  • systematic monitoring of a publicly accessible area on a large scale.

A DPIA should be undertaken by organisations at the early stages of development of any project which involves AI and should feature the following:

  1. A systematic description of the processing activity: data flows and the stages at which AI and automated decisions may affect individuals should be outlined. The ICO suggests that, due to the complexity of AI systems, organisations maintain two versions of the DPIA. The first would be a thorough technical description for specialist audiences and the second, a high-level description of the processing and an explanation of the logic of how the personal data inputs relate to the outputs affecting individuals. The DPIA should also set out the roles and obligations of data controllers and processors. If the AI system is outsourced to an external provider, the organisation should assess whether they are joint controllers, and if so, collaborate in the DPIA process as appropriate.
  2. Assessment of necessity and proportionality: the use of AI for processing personal data needs to be based on a legitimate purpose. Organisations need to demonstrate that the processing of personal data by an AI system is a proportionate activity. Here, organisations should undertake a balancing exercise between the interests of the organisation and the rights and freedoms of individuals. In particular, organisations need to consider any detriment to individuals that could follow from bias or inaccuracy in the algorithms and data sets being used.
  3. Identifying risks to rights and freedoms: organisations should consider other relevant legal frameworks beyond data protection. For example, AI may result in discrimination based upon historical patterns in data, which could fall foul of equality legislation.
  4. Measures to address the risks: data protection officers and other information governance professionals should be involved in AI projects as early as possible to ensure that risks can be identified and addressed early in the AI system life-cycle. The DPIA should include any safeguards put in place to mitigate the identified risks and it should document the residual levels of risk posed by the processing. These risks must be referred to the ICO for prior consultation if they remain high.
  5. DPIA – a ‘living’ document: while DPIAs must be carried out before the processing of personal data begins, they should be considered a ‘live’ document. DPIAs should be subject to regular review and re-assessment if the nature, scope, context or purpose of the processing changes.

Comment

As AI becomes increasingly prevalent, regulators are continuing to perform a balancing act, ensuring compliance with data protection laws without stifling innovation. The interaction between AI and the GDPR engages a number of complex legal issues. It comes as no surprise that the ICO listed AI as one of its three strategic priorities.

The ICO blog provides useful guidance for organisations when conducting a DPIA for projects involving AI. The ICO plans to publish its final consultation paper on the AI Auditing Framework no later than January 2020. Keep an eye on this blog for news on the final consultation paper!

EDPB Updates its guidelines on the contractual lawful basis for processing for online services

The European Data Protection Board (EDPB) met for its fourteenth plenary session on 8 and 9 October 2019.

One of the key developments was the adoption of the final version of its guidelines on the contractual lawful basis for the processing of personal data in the context of online services under Article 6(1)(b) of the General Data Protection Regulation (GDPR), more commonly known as the ‘performance of a contract’ legal basis.

Scope of the guidelines

EDPB notes that the guidelines relate to the applicability of Article 6(1)(b) to the processing of personal data in the context of contracts for online services. Online services are any information society services, also defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. This definition extends to the fields of social media and e-commerce. It also covers services that are not paid for directly by the recipients, such as online services funded through advertising.

Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data where either of the following two conditions is met:

(1) the processing is necessary for the performance of a contract with a data subject or

(2) the processing is necessary for pre-contractual steps at the request of a data subject.

The EDPB clarifies that the previous guidance published by the Article 29 Working Party remains relevant, and any processing of personal data must comply with the GDPR as a whole.

Processing necessary for the performance of a contract with the data subject

Necessity is a prerequisite for reliance on Article 6(1)(b). EDPB reminds controllers that the concept of necessity involves consideration of the fundamental right to privacy and protection of personal data under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The data processing must be necessary for the performance of a contract with the data subject. EDPB notes that if there are less intrusive alternatives for achieving the same goal, the processing is not “necessary”. As such, EDPB clarifies that Article 6(1)(b) will not cover processing which is useful but not objectively necessary.

EDPB recommends that controllers carry out an assessment of whether Article 6(1)(b) is applicable by asking the following questions:

  1. What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
  2. What is the exact rationale of the contract (that is, its substance and fundamental object)?
  3. What are the essential elements of the contract?
  4. What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?

Processing necessary for pre-contractual steps at the request of a data subject

The second part of Article 6(1)(b) GDPR covers the processing of personal data necessary for taking pre-contractual steps prior to entering into a contract with the data subject. This addresses the situation where processing personal data is necessary to facilitate the actual entering into a contract. EDPB clarifies that this provision would not cover unsolicited marketing or other processing which is carried out on the initiative of the data controller or at the request of a third party.

Termination of contract

EDPB notes that where Article 6(1)(b) is used as the legal basis for the processing of personal data, the controller should anticipate what happens when the contract is terminated.

Upon termination, as a general rule, the processing of personal data will no longer be necessary for the performance of the contract. As such, the controller will need to stop processing. While EDPB recognises that “it is generally unfair to swap to a new legal basis when the original basis ceases to exist”, there are instances when this may apply if there is a legal obligation to retain certain records.

Applicability of Article 6(1)(b) in specific situations

The guidelines also address the applicability of Article 6(1)(b) in specific situations, such as processing for service improvement, fraud prevention, online behavioral advertising, and personalisation of content.

Processing for service improvement is unlikely to satisfy the necessity threshold. Similarly, processing for fraud prevention will generally not be necessary for the performance of the contract, but could be carried out under another basis, such as legal obligation or legitimate interest.

Personalisation of content may, in some instances, be necessary, depending on whether the personalisation of the content is objectively necessary for the purpose of the underlying contract.

Comment

The basis for processing personal data must rest on one of the six legal bases provided for in Article 6(1)(a) – (f) of the GDPR. These guidelines are a welcome clarification on the correct practice for circumstances in which it is appropriate to use Article 6(1)(b) as the lawful basis for processing personal data. We expect EDPB will publish further guidelines in the future to address other lawful bases for processing personal data to correct overly broad application of the Article 6(1) legal bases. In the meantime, keep an eye on our blog for updates.

CCPA Under 50 Days to go

Despite the fact that the CCPA compliance deadline has been looming for over a year now, many companies remain unprepared. Fortunately, businesses that have yet to begin their CCPA compliance efforts can still achieve compliance in a timely manner. Efforts, however, must begin now. For starters, and as further outlined below, businesses must recognize that compliance requires more than simply revising their online privacy policy. Similar to the GDPR, the foundation of the CCPA is built on individual rights that extend well beyond a company providing sufficient notice to the public of its privacy practices.

CCPA Compliance Checklist

Although the final regulations have yet to be promulgated, the general requirements of the CCPA are sufficiently evident to enable businesses to prepare to comply with the final regulations when the Cal AG issues them, which will likely occur this fall. Accordingly, businesses should take the following steps to comply with the CCPA in advance of the January 1, 2020 deadline:

  • Confirm That Your Business is Subject to the CCPA. Entities must determine whether they are considered a “business” subject to the CCPA. For-profit companies should keep in mind that their subsidiaries and affiliates might also be considered separate businesses with independent obligations to comply with the CCPA.
  • Determine Whether Your Business Depends on the Sale, Sharing or Purchase of Personal Information. Businesses will need to assess whether, and to what extent, their disclosures of personal information to third parties fall under the broad definition of the “sale” of data. As defined to include any disclosure of data to a third party for “valuable consideration,” the concept of selling data under the CCPA may encompass seemingly routine data transfers that do not involve direct monetary compensation.
  • Confirm “Reasonable Security.” Evaluate cybersecurity practices consistent with industry recognized standards (with prudent consideration given to the use of encryption, multi-factor authentication, and the Center for Internet Security’s Critical Security Controls).
  • Map How Your Business Collects, Shares and Sells Personal Information. Businesses will need to identify and track internal data flows, storage and transfers (including to service providers) in order to meet their CCPA obligations. Many businesses will reconsider their approach to personal data by building processes that foster privacy by design and by default, by anonymizing data sets when possible, and by taking their data retention and destruction policies more seriously.
  • Revise Privacy Policies. Revise both external and internal policies to properly reflect the personal information processing activities required to be disclosed under the CCPA and to express the new rights and mechanisms available to Californians to exercise those rights.
  • Enable Consumer Opt-Out of Sale of Personal Information (when applicable). Create a separate web page to enable California residents the ability to exercise their opt-out rights to the extent the business sells their personal information.
  • Facilitate Receipt of and Response to Consumer Requests. Develop mechanisms for accepting, tracking and verifying consumer requests, and honoring their exercise of access, deletion and opt-out rights. Companies that already comply with the GDPR will be able to leverage many of those processes.
  • Evaluate Third-Party and Service-Provider Arrangements. Businesses should assess the nature of personal data shared with service providers and other third parties, ensure proper vendor risk management processes are in place, and revise agreements as necessary to take CCPA requirements into account. The age-old saying remains true: a company can outsource a capability, but it cannot outsource a responsibility.
  • Implement Training Program. Ensure employees who are responsible for handling consumer inquiries understand and are trained to handle those requests in a timely, consistent and proper fashion.

What’s Next? CCPA Developments, Key Dates and Status

If you’ve found it hard to keep up with the current state of play of the CCPA, you’re not alone. The CCPA was signed into law on June 28, 2018 and becomes operative on January 1, 2020. At that point, businesses will be expected to provide information to consumers regarding their data privacy practices going back to January 1, 2019. As a result, businesses will need to ensure that their information retention policies extend back at least a year to ensure their ability to comply. However, the Cal AG will not begin initiating enforcement actions until six months after the final regulations are published, or July 1, 2020, whichever is sooner.

Businesses that are racing to prepare for compliance are not alone in the CCPA ecosystem, as the executive and legislative branches of the California government are also working to finalize the law and implement regulations. Specifics regarding certain obligations and requirements remain in flux, and the Cal AG has been charged with adopting regulations to clarify numerous requirements under the CCPA between now and July 1, 2020.

Prior Amendments: The California legislature continues to amend the CCPA to address various concerns from industry, clarify ambiguous provisions, and clean up sloppy language that reflects how hastily the CCPA was drafted, introduced and adopted. Since the law was initially passed, the CCPA has been amended once through SB-1121. SB-1121 addressed several areas of the CCPA. Specifically, the key amendments:

  • Imposed a deadline of July 1, 2020, on the Cal AG to adopt regulations furthering the purpose of the CCPA, and limited enforcement by the Cal AG until six months thereafter or July 1, 2020, whichever is sooner.
  • Prohibited or limited the application of the CCPA requirements to data covered by GLBA, the California Financial Information Privacy Act, HIPAA and the California Confidentiality of Medical Information Act, and entities covered by HIPAA and the California Confidentiality of Medical Information Act (to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information).
  • Clarified that the definition of “personal information” only applies to information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
  • Removed the requirement that a consumer give the Cal AG notice within 30 days that an action has been filed prior to continuing to pursue the action. The Cal AG’s right to prohibit the private action was also removed.

Pending Amendments: In addition, six amendments have been approved by the California legislature and await the governor’s likely approval by October 13, 2019. The amendments clarify critical ambiguities in the statute (but leave many others unresolved) as follows:

  • Data Brokers. AB 1202 would require “data brokers”, defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship, to register with the Cal AG for publication on the Cal AG’s website. Entities regulated by the GLBA, FCRA or the California Insurance Information and Privacy Act are excluded from this provision.
  • Employee Coverage Limitation and Training. Notably, AB 25 provides that, until January 1, 2021, personal information that is collected by a business in the course of a person “acting as a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or contractor of that business,” will not be subject to the CCPA requirements, except the CCPA’s provisions requiring notice prior to collection and providing a right to bring a private right of action based on a data breach. Among other things, AB 25 also expands the scope of information and rights that personnel responsible for handling privacy inquiries need to be trained on, and provides that businesses may require consumers to submit requests through an online account the consumer maintains with the business.
  • Vehicle Information Exemption and Deletion Exception. AB 1146 provides for an exemption from the “right to opt out, for vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.” AB 1146 also provides for an additional exception to a consumer deletion request for “personal information that is necessary for the business to maintain in order to fulfill the terms of a written warranty or product recall conducted in accordance with federal law.”
  • Definition Amendments (Personal Information and Publicly Available Information). AB 874 amends the definition of “publicly available information” to remove a condition related to government use, further clarifying that it is not personal information. AB 874 also amends the definition of “personal information” to insert “reasonably” in front of “capable of being associated with” to provide additional contours around the broad definition of “personal information.”
  • Personal Information and Discrimination. AB 1355 provides for a host of amendments and revisions to the CCPA. Among other things, AB 1355 clarifies that:
    • the standard for determining if a business may discriminate against a consumer for exercising their rights under the CCPA is if the differential treatment is reasonably related to value provided to the business by the consumer’s data.
    • de-identified data is excluded from the definition of personal information.
    • a privacy policy must also describe consumer rights of deletion and access, instead of just describing consumer rights to understand collection, disclosure and sale activities, and discrimination prohibitions. In addition, a privacy policy need only identify that a consumer has a
  • Disclosure Methods. AB 1564 provides that “a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests for information required to be disclosed” rather than a toll-free phone number. In addition, if the business maintains an internet website, the business is only required to make the internet website address available to consumers to submit requests for information required to be disclosed.

 

Conclusion

 

With the holiday season approaching, the number of productive business days between now and January 1, 2020 is rapidly decreasing. Businesses that have not already begun compliance would do well to begin preparations immediately.

To the extent a business already has implemented certain processes under the GDPR, it should leverage those procedures (and the accompanying lessons learned) as tailored to the specific requirements for, and demands of, California residents. For example, data mapping exercises and records of processing completed under the GDPR can provide a business with a head start in identifying the categories of information it collects, the purposes for which that data may be disclosed, the security and retention relating to that data, and the third parties to which such personal information is disclosed. In addition, mechanisms implemented to receive and process data subject requests could be used for the same activity under the CCPA. Obviously, there will be some tweaking necessary to ensure that the consumer rights being identified are consistent with the rights provided to consumers under the CCPA (and not the GDPR), but GDPR-compliant businesses will not need to create a compliance program from the ground up. In contrast, companies that have not suffered through GDPR growing pains will find the CCPA to be more of a challenge.

Relentless Privacy and Compliance Services Ltd provides organisations with local and Global data privacy consultancy ensuring your organisation remains compliant wherever your operational data processing takes place.

Singapore PDPC Revises Its Personal Data Protection Act Guidelines


The Personal Data Protection Commission (PDPC) has revised Chapter 6 (Organisations) and Chapter 15 (Access and Correction Obligations) of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act, or PDPA (the Guidelines).

Chapter 6 has been revised to provide clarity on the obligations of organisations and data intermediaries where personal data is transferred overseas.

 

  • Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation, regardless of whether the personal data is transferred by the organisation to an overseas data intermediary, or transferred overseas by the data intermediary in Singapore.
  • The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances when engaging a data intermediary, to ensure the intermediary is capable of meeting the Transfer Limitation Obligation on the organisation’s behalf.

 

Chapter 15 has been revised to provide clarity on access requests to personal data received by organisations.

  • Where organisations need not accede to an access request. Generally, an organisation must respond to an access request by providing access to the personal data requested, or by informing the individual of a rejection of the access request where it has valid grounds not to provide access. The Guidelines clarify that organisations are not required to accede to a request
    • if an exception (as set out in the Fifth Schedule of the PDPA) from the access requirement applies;
    • if the applicant has not paid the fee for services provided to the applicant to enable the organisation to respond to the applicant’s request, provided the organisation has given the applicant a written estimate of the fee; or
    • if any of the grounds in Section 21(3) of the PDPA are applicable, such as where the provision of the personal data or other information could reasonably be expected to threaten the safety or physical or mental health of an individual other than the requesting individual, or to cause immediate or grave harm to the safety or physical or mental health of the requesting individual.
  • Access requests relating to legal proceedings. Where personal data has been collected for the purpose of prosecution and investigations, etc, organisations are not required to accede to the access request pursuant to an exemption under the PDPA. Access need not be provided in respect of a document related to a prosecution if all proceedings related to the prosecution have not been completed. The Guidelines clarify that where personal data has been collected prior to the commencement of prosecution and investigations but is nevertheless relevant to the proceedings, an individual should obtain access through criminal and civil discovery avenues rather than through an access request under the PDPA. The PDPA does not affect discovery obligations under law that parties to a legal dispute may have (e.g., pursuant to any order of court).

The PDPC has also introduced a new chapter on “Cloud Services” in the Guidelines on the PDPA for selected topics to provide clarity on the responsibilities of organisations using cloud services to process personal data in the cloud and the responsibilities of cloud service providers (CSPs) when processing personal data on behalf and for the purposes of organisations.

Obligations 

 

  • Obligations of the organisation
    • When using cloud services, the organisation is responsible for complying with all obligations under the PDPA in respect of personal data processed by the CSP on its behalf and for its purposes.
    • As mentioned above, the organisation that engages a CSP as a data intermediary to provide cloud services is also responsible for complying with the Transfer Limitation Obligation with respect to any overseas transfer of personal data in using the CSP’s cloud services, regardless of whether the CSP is located in Singapore or overseas.
  • Obligations of the CSP
    • Where the CSP is processing personal data on behalf and for the purposes of another organisation pursuant to a written contract, the CSP is considered a “data intermediary” and is subject to the Protection and Retention Limitation Obligations under the PDPA in respect of the personal data that it processes or hosts for the organisation, including where it does so in data centres outside Singapore.
    • The CSP, as an organisation in its own right, remains responsible for complying with all data protection provisions in respect of its own activities which do not constitute processing of personal data under the contract.

 


Japan APPI Collection Transfer and Storage of Personal Data


Your Questions Answered

 

Is Japan’s APPI data protection law ahead of or behind the international curve?

 

The key legislation governing personal information and data in Japan is the Act on the Protection of Personal Information (57/2003).

The latest amendment to the act, which came into effect on 30 May 2017, updates it to reflect modern society and international data protection laws. The amendment establishes the Personal Information Protection Commission (PPC) as Japan’s privacy commissioner and introduces certain restrictions on the transfer of personal data outside Japan.

Through the detailed guidelines issued by the PPC, Japan’s national data protection laws have, to some extent, caught up with the international curve. Based on the amendments to the act, Japan will have a comparable level of data protection to that of the European Union.

 

Are any changes to existing data protection legislation proposed or expected in the near future?

 

Other than the recent amendment, there are no proposed or expected changes.

 

Legal framework

 

Legislation

What legislation governs the collection, storage and use of personal data?

 

The key legislation governing the collection, storage and use of personal information in Japan is the Act on the Protection of Personal Information. The act provides the general rules concerning the protection of personal information in the private sector and regulates the handling of personal information.

Scope and jurisdiction

 

Who falls within the scope of the legislation?

 

The Act on the Protection of Personal Information applies to ‘business operators handling personal information’ – defined in the act as any person using a personal information database for business (for further details please see the following question). The act does not apply to:

  • state organisations;
  • local governments;
  • incorporated administrative and similar agencies; and
  • local independent administrative institutions.

A foreign entity may be a ‘business operator handling personal information’ under the act if it collects and handles personal information in Japan. Further, even if a foreign entity has no presence in Japan and does not collect or handle personal data in Japan, some provisions of the act apply to it when it provides goods or services to individuals in Japan and acquires the personal information of those individuals.

 

What kind of data falls within the scope of the legislation?

 

The Act on the Protection of Personal Information applies to three categories of information and data, each of which is governed by different rules:

  • ‘Personal information’ – information about a living individual that falls under any of the following items:
    • information containing a name, date of birth or other descriptions whereby a specific individual can be identified (including information that allows easy reference to other information that would thereby enable identification of the individual); or
    • information containing an individual identification code, which is a code, including characters, numerical characters and marks, that can be used to identify the specific individual and which is specified in a cabinet order (eg, biometric identifiers such as fingerprint data or face recognition data, passport or driving licence numbers).
  • ‘Personal data’ – personal information contained within a personal information database. A ‘personal information database’ is a collection of information, including:
    • a collection of information systematically arranged in such a way that enables specific personal information to be retrieved from it by a computer; and
    • any other collection of information designated by the cabinet order as being systematically arranged in such a way that enables specific personal information to be easily retrieved from it (ie, if the personal information is organised according to certain rules or if a table of contents, index or other arrangement aids retrieval of the personal information).
  • ‘Retained personal data’ – personal data that a business operator governed by the act has the authority to:
    • disclose;
    • correct;
    • add to or subtract from;
    • discontinue the use of;
    • erase; or
    • discontinue the provision of to a third party.

The cabinet order specifies certain data that is excluded from the definition of ‘retained personal data’ – namely, data whose existence, if known, would harm the public interest or other protected interests, and data that will be erased within six months.

In addition, the act contains provisions regarding the processing method and handling of anonymised processed information, which is defined as ‘information about an individual obtained by processing personal information so as not to identify the specific individual’, processed in such a way that the original personal information cannot be restored. Pursuant to the act and the Rules of the Personal Information Protection Commission, anonymised processed information is not deemed ‘personal information’. As a result, handling anonymised processed information is not subject to the restrictions that apply to personal information or personal data.

 

Are data owners required to register with the relevant authority before processing data?

 

No such requirement exists.

 

Is information regarding registered data owners publicly available?

 

Not applicable.

 

Is there a requirement to appoint a data protection officer?

 

There is no legal requirement to appoint a data protection officer under the Act on the Protection of Personal Information and applicable guidelines. However, business operators governed by the act must take security control measures concerning personal data and the appointment of a data protection officer is provided as an example of ‘organisational measures’, which is one of the security control measures provided for by some guidelines.

Enforcement

 

Which body is responsible for enforcing data protection legislation and what are its powers?

 

Under the amended Act on the Protection of Personal Information, the Personal Information Protection Commission (PPC) is responsible for its enforcement in the private sector. The PPC can request reports and issue recommendations and orders, as well as conduct on-the-spot inspections.

Non-compliance with a request or violation of an order can result in fines, imprisonment or both.

 

Collection and storage of data

 

Collection and management

 

In what circumstances can personal data be collected, stored and processed?

 

Processing. A business operator governed by the Act on the Protection of Personal Information must specify the purpose of use for personal information it handles (to the extent possible) and comply with the following rules:

  • it must not change the purpose of use beyond a scope which has a reasonably substantial relationship with the original purpose of use; and
  • it must not use the personal information beyond the scope necessary to achieve the purpose of use, without obtaining the individual’s prior consent.

 

Collection

 

The following restrictions apply to the collection of personal information by business operators governed by the Act on the Protection of Personal Information:

  • proper acquisition – a business operator must not acquire personal information by deception or other wrongful means;
  • notice of purpose of use at time of acquisition – once a business operator has acquired personal information, it must notify the individual of or publicly announce the purpose of use, unless it has already been publicly announced or one of the following applies:
    • such notification or public announcement would likely cause harm to the life, body, property, rights or interests of an individual or third party;
    • such notification would likely harm the business operator’s rights or legitimate interests;
    • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and the notification or public announcement of the purpose of use would likely impede the execution of such affairs; or
    • the purpose of use is evident from the circumstances around the collection of the personal information.

The guidelines issued by the Personal Information Protection Commission (PPC) include examples of how business operators can make such public announcement – namely, by posting it on their websites or displaying it in an easily viewable location within their places of business.

Business operators must not obtain sensitive information without the individual’s prior consent. Sensitive information means personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damage as a result of a crime, or other descriptions described by the cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantage to the principal.

 

Storage

 

Business operators governed by the Act on the Protection of Personal Information must take security control measures in regards to personal data. The act imposes a broadly stated obligation on business operators to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”. The act provides no concrete measures to satisfy this requirement. However, it is generally understood that such security control measures include:

  • organisational measures;
  • employee-related measures (eg, personnel training);
  • physical measures; and
  • technical measures.

Specific actions to be taken for each type of measure are stipulated in the various guidelines issued by the PPC.

 

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

 

Business operators governed by the act must endeavour to delete personal data without delay when its use is no longer required.

 

Do individuals have a right to access personal information about them that is held by an organisation?

 

A business operator governed by the Act on the Protection of Personal Information must make the following details accessible to individuals whose personal data it retains:

  • its name;
  • the purpose of use (except in specified circumstances);
  • the procedures for requesting correction, cessation of use, sharing or deletion of the retained personal data, as well as the procedures for other requests; and
  • other matters as specified by cabinet order that are necessary to ensure the proper handling of the retained personal data.

In addition, when an individual requests disclosure of the retained personal data that can identify him or her, the business operator governed by the act must disclose that data to the individual without delay. If the business operator holds no such retained personal data, it must notify the individual of that fact.

 

Do individuals have a right to request deletion of their data?

 

If an individual requests that a business operator governed by the Act on the Protection of Personal Information correct, expand or delete his or her retained personal data because it is inaccurate, the business operator must investigate the issue without delay. Based on the investigation results, the business operator must correct, expand or delete the personal data and notify the individual of its response to the request.

In addition, if an individual requests that a business operator stop using or disclosing retained personal data on the basis that it is violating the Act on the Protection of Personal Information, the business operator must stop using or disclosing the personal data if the request is reasonable.

Consent obligations

 

Is consent required before processing personal data?

 

As a general rule, business operators governed by the Act on the Protection of Personal Information cannot handle personal information for reasons beyond the scope necessary to achieve the purpose of use without obtaining the individual’s prior consent.

As a general rule, business operators governed by the act may not provide personal data to a third party without obtaining the individual’s prior opt-in consent.

 

If consent is not provided, are there other circumstances in which data processing is permitted?

 

Exceptions to the general rules above apply if:

  • the handling of personal information is required by laws and regulations;
  • the handling of personal information is necessary to protect an individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal information is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

 

What information must be provided to individuals when personal data is collected?

 

As a general rule, once a business operator governed by the Act on the Protection of Personal Information has acquired personal information, it must notify the individual of or publicly announce the purpose of use.

 

Data security and breach notification

 

Security obligations

 

Are there specific security obligations that must be complied with?

 

Business operators governed by the Act on the Protection of Personal Information have a broad obligation to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”.

 

Breach notification

 

Are data owners/processors required to notify individuals in the event of a breach?

 

Notifying individuals when a security breach has occurred is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the Personal Information Protection Commission (PPC) provide that it is preferable to notify the individual of the fact of the incident or make the fact readily available for affected individuals in order to prevent secondary damage or recurrence of the incident. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the Financial Services Agency (FSA) state that if a personal information breach occurs, the business operator handling the personal information should immediately provide notice to the relevant individuals of the facts around the breach.

 

Are data owners/processors required to notify the regulator in the event of a breach?

 

This is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the PPC provide that, as a general rule, a business operator handling personal information should strive to immediately notify the PPC of incidents of data security breach and the preventive measures taken. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the FSA state that if a personal information breach occurs, the business operator handling the personal information should immediately report the breach to the FSA and promptly make a public announcement addressing – among other things – the facts around the breach and the measures to be taken to prevent a recurrence.

 

Electronic marketing and internet use

 

Electronic marketing

 

Are there rules specifically governing unsolicited electronic marketing (spam)?

 

The Act on Specified Commercial Transactions (57/1976) prohibits companies from advertising their sales terms by email without the customer’s prior request or consent. Further, the Act on the Regulation of Transmission of Specified Electronic Mail (26/2002) regulates the transmission of emails as a means of advertising sales activities. Under this act, in principle companies must not transmit such emails without the customer’s prior request or consent.

Therefore, sending unsolicited email marketing messages (ie, spam) is prohibited by the Act on Specified Commercial Transactions and the Act on the Regulation of Transmission of Specified Electronic Mail.

 

Cookies

 

Are there rules governing the use of cookies?

 

There are no special rules regarding the use of cookies or similar technologies.

 

Data transfer and third parties

 

Cross-border data transfer

 

What rules govern the transfer of data outside your jurisdiction?

 

In principle, the Act on the Protection of Personal Information restricts the provision of personal data to third parties in a foreign country without the subject individual’s prior consent.

The exceptions to the above restriction include the following:

  • With respect to a third party that is a recipient of personal data, the prior consent requirement does not apply to a transfer to a recipient operator that has established a management system conforming to the standards set out in the Personal Information Protection Commission (PPC) rules. The PPC rules provide two categories of exempt recipient operator:
    • a recipient operator that, through appropriate and reasonable measures agreed with the transferring operator (for example, by contract), is bound to take measures equivalent to those required of business operators under the Act on the Protection of Personal Information; and
    • a recipient operator that has obtained recognition under an international framework concerning the handling of personal information (eg, certification under the APEC Cross-Border Privacy Rules system).
  • With respect to the foreign country where the recipient is located, the prior consent requirement does not apply to countries that are specified in the PPC rules as having a system for the protection of personal information equivalent to that required under Japanese law. Nonetheless, as of 1 October 2018, no such country had been specified by the PPC rules; however, it is anticipated that EU member states will be made exempt later in 2018.

 

Are there restrictions on the geographic transfer of data?

 

The Act on the Protection of Personal Information and most guidelines include no restrictions on the geographic transfer of data. However, the guidelines regarding medical information systems provide that medical information systems (e.g, servers including medical information) and medical data should be located in an area where Japanese laws can be enforced.

 

Third parties

 

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

 

As a general rule, business operators governed by the Act on the Protection of Personal Information cannot provide personal information to a third party without obtaining the individual’s prior opt-in consent.

In addition, the Act on the Protection of Personal Information requires business operators providing personal data to third parties to record:

  • the date on which the data was provided;
  • the third party’s name; and
  • the matters specified in the PPC rules.

Conversely, if a business operator receives such personal data from a third party, it must confirm:

  • the third party’s name and address;
  • the representative’s name; and
  • how the third party obtained the personal data.

In addition, the business operator must record the date on which the information was provided and any matters regarding such confirmation, as well as the matters specified by the PPC rules.

 

Exceptions

 

Exceptions to the general rule above apply if:

  • the handling of personal data is required under laws and regulations;
  • the handling of personal data is necessary for the protection of the individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal data is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

 

The following exceptions also apply:

 

  • A business operator governed by the Act on the Protection of Personal Information can provide personal data (excluding sensitive information) to a third party (excluding those located outside Japan) without obtaining the individual’s prior consent if it notifies the individual in advance of the following information or makes such information readily available to the individual. In addition, it must also notify the PPC of all of the following information:
    • the fact that providing the personal data to a third party falls under the purpose of use;
    • the personal data that will be provided to the third party;
    • the means or methods of providing the personal data to the third party;
    • the fact that the provision of the personal data – which will lead to the identification of the individual by a third party – will be discontinued on the individual’s request to opt out; and
    • the way in which an individual can make an opt-out request.
  • Business operators are prohibited from providing sensitive information to third parties using the opt-out option.
  • If the personal data is to be transferred as a result of a merger, acquisition or similar succession transaction, the recipient does not constitute a third party.
  • If the personal data is to be transferred because a business operator has commissioned a third-party service provider to carry out all or part of the processing of the personal data that is necessary to achieve the purpose of use, and the service provider does not process the data for its own purpose of use, such service provider does not constitute a third party.
  • A business operator governed by the Act on the Protection of Personal Information can use the personal information jointly with another individual or entity without the individual’s prior consent if it notifies the individual of the following information or ensures that such information is made readily available to the individual, in advance:
    • the fact that the personal data may be shared with and used jointly by specific individuals or entities;
    • the personal data that will be jointly used;
    • the scope of the joint users;
    • the purpose for which the personal data will be used; and
    • the name of the joint user responsible for the management of the personal data (either an individual or a business operator).

 

Penalties and compensation

 

Penalties

 

What are the potential penalties for non-compliance with data protection provisions?

 

Under the Act on the Protection of Personal Information, the Personal Information Protection Commission (PPC) may request reports on the handling of personal information and may issue recommendations or corrective orders if a business operator governed by the act breaches an individual’s privacy and violates the act.

Before issuing a corrective order, the PPC may take an incremental approach and instruct, advise and make recommendations to business operators governed by the act. A breach of a corrective order is a criminal offence and the person responsible is punishable by imprisonment with work for a maximum of six months, a maximum fine of Y300,000 or both. The business operator will also be subject to a maximum fine of Y300,000.

 

Compensation

 

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

 

If an individual’s privacy is violated as a result of a data breach by, or non-compliance with data protection provisions by, a business operator governed by the act, the individual may file a tort or breach of contract claim for compensation against the business operator.

 

Cybersecurity

 

Cybersecurity legislation, regulation and enforcement

 

Has legislation been introduced in your jurisdiction that specifically covers cyber crime and/or cyber security?

 

Several laws cover different types of cyber crime and cybersecurity, such as:

  • the Penal Code (45/1907), which was amended in 2011 to regulate ‘illegal programming’, including malware (Articles 168-2 and 168-3);
  • the Act on the Prohibition of Unauthorised Computer Access (128/1999), which was enacted in 1999 and amended in 2012 to include phishing and the unauthorised obtainment of identifying information (eg, passwords); and
  • the Unfair Competition Prevention Act (47/1993), which prohibits unauthorised access to trade secrets and was amended in 2015 to strengthen penalties.

 

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

 

The Basic Act on Cybersecurity (104/2014) was enacted in November 2014 to promote and enhance cybersecurity in Japan. The act sets out an overall national cybersecurity policy and the roles and responsibilities of the national and local governments. The act also provides that cyber-related businesses and infrastructure-related businesses should endeavour to take voluntary measures to enhance cybersecurity and to cooperate with the government in implementing the relevant measures (Article 7).

 

Which cyber activities are criminalised in your jurisdiction?

 

The following cyber activities are criminalised in Japan, among others:

 

  • the creation, provision, release, acquisition and storage of malware with the intention of applying or using such malware in the electronic device of another person or entity (Articles 168-2 and 168-3 of the Penal Code);
  • phishing and the unauthorised obtainment of identifying information (eg, passwords and fingerprint data) via online access (Articles 2, 3, 4 and 7 of the Act on the Prohibition of Unauthorised Computer Access);
  • unauthorised online access to computer systems or networks (Articles 2 and 3 of the Act on the Prohibition of Unauthorised Computer Access); and
  • the unauthorised acquisition, use or disclosure of trade secrets (including those that are electronically stored) in a physical or electronic manner with the intention of acquiring an illicit gain or causing injury to the owner (Article 2 of the Unfair Competition Prevention Act).

 

Which authorities are responsible for enforcing cybersecurity rules?

 

The Basic Act on Cybersecurity designates the Cybersecurity Strategic Headquarters as the control body to promote the national cybersecurity strategy and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) as its secretariat.

With respect to cyber crime, the National Police Agency and the Prosecutor’s Office are responsible for enforcing the applicable laws.

 

Cybersecurity best practice and reporting

 

Can companies obtain insurance for cyber security breaches and is it common to do so?

 

Yes, but it is uncommon, especially among small and medium-sized companies.

 

Are companies required to keep records of cyber crime threats, attacks and breaches?

 

There is no such legal obligation. However, the Act on the Prohibition of Unauthorised Computer Access provides that an administrator of computer systems or networks should endeavour to consistently check the integrity of its access control functions (Article 8). Note that this is an obligation of effort rather than a hard duty; nonetheless, it can be construed that companies should endeavour to keep such records in order to properly control their computer systems.

 

Are companies required to report cyber crime threats, attacks and breaches to the relevant authorities?

 

There is no such legal obligation. If cyber crime entails a personal data breach, the company will be required to report it to the competent minister in accordance with the applicable guidelines.

 

Are companies required to report cyber crime threats, attacks and breaches publicly?

 

There is no such legal obligation. If cyber crime entails a personal data breach, the company will be required to report it to the individuals concerned in accordance with the applicable guidelines.

 

Criminal sanctions and penalties

 

What are the potential criminal sanctions for cyber crime?

 

Criminal sanctions for the major types of cyber crime in Japan are as follows:

 

  • The creation, provision or release of malware can result in imprisonment with work for a maximum of three years or a maximum fine of Y500,000 (Article 168-2 of the Penal Code).
  • The acquisition or storage of malware can result in imprisonment with work for a maximum of two years or a maximum fine of Y300,000 (Article 168-3 of the Penal Code).
  • Phishing and the unauthorised obtainment of identifying information via an online system can result in imprisonment with work for a maximum of one year or a maximum fine of Y500,000 (Article 12 of the Act on the Prohibition of Unauthorised Computer Access).
  • Unauthorised online access to computer systems or networks can result in imprisonment with work for a maximum of three years or a maximum fine of Y1 million (Article 11 of the Act on the Prohibition of Unauthorised Computer Access).
  • The unauthorised acquisition, use or disclosure of a trade secret can result in imprisonment with work for a maximum of 10 years, a maximum fine of Y20 million or both (Article 21 of the Unfair Competition Prevention Act).

 

What penalties may be imposed for failure to comply with cybersecurity regulations?

 

There are no such penalties. However, if such failure also constitutes non-compliance with data protection provisions, the PPC (or the relevant minister, as applicable) may issue recommendations and corrective orders, and a breach of such a corrective order is a criminal offence.

Relentless Privacy and Compliance Services Ltd provides organisations with local and global data privacy consultancy, ensuring your organisation remains compliant wherever your operational data processing takes place.

Data Privacy Strategy Has to Go Global

No global privacy professional can be unaware of the EU General Data Protection Regulation (GDPR) and the gold standard that it has set for data protection as a core compliance requirement.

GDPR is now influencing laws in other parts of the world and there are an increasing number of new laws in the wings that copy aspects of GDPR.

California has recently announced a GDPR-style law, the California Consumer Privacy Act of 2018, and Brazil, Bahrain, India, Kenya and South Africa are all implementing similar legislation granting enhanced rights to individuals and holding businesses more accountable.

It is no surprise that legislators are bringing in laws and regulations that give individuals greater power over their personal data, given the market value of personal information and the increasing use of technology to profile individuals and their habits in the digital world.

Whilst GDPR seems to set the standard, we should not forget that history plays a large part in the spread of privacy laws, given that countries like France, Spain, Portugal and Britain have been so influential in other parts of the world for hundreds of years.

The data protection laws in South Africa, the Middle East, Canada and much of Asia are heavily influenced by the British Commonwealth and former British rule.

It is no surprise that the new Brazilian law looks similar to the GDPR data protection law and equally that the laws in other parts of South America are based on Spanish data protection law. Similarly data protection laws in North Africa and in certain parts of Asia are heavily influenced by French privacy principles.

Global data protection principles are also based upon the OECD Guidelines on Data Protection, first published in 1980 and updated in 2013, which contain fair processing principles and guidance on international data transfers that have influenced data protection laws around the world, including the EU-US Privacy Shield.

In addition, the Council of Europe Convention 108 is yet another international accord, with countries such as Russia and Mauritius as members, which again encapsulates guiding principles on the protection of personal data, very much in line with GDPR.

The result of the globalisation of data protection rules must mean that multinationals are more likely to adopt a “one size fits all” approach, and it would seem that right now the GDPR, coupled with the new law in California, is going to set the standard.

Developing a global data privacy strategy that encompasses the data protection laws across an organisation’s operational footprint is vital if it is to remain compliant, with well-trained, knowledgeable staff and with internal and external policies that are published and adhered to.

Place your global data protection with Relentless Privacy and Compliance Services, the data privacy partner of choice.