Singapore PDPA Revises Its Personal Data Protection Act

The Personal Data Protection Commission (PDPC) has revised Chapter 6 (Organisations) and Chapter 15 (Access and Correction Obligations) of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act, or PDPA (the Guidelines).

Chapter 6 has been revised to provide clarity on the obligations of organisations and data intermediaries where personal data is transferred overseas.

  • Where an organisation engages a data intermediary to process personal data on its behalf and for its purposes, the organisation is responsible for complying with the Transfer Limitation Obligation, regardless of whether the personal data is transferred by the organisation to an overseas data intermediary, or transferred overseas by the data intermediary in Singapore.
  • The onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances when engaging a data intermediary, to ensure that the data intermediary is capable of complying with the PDPA.

Chapter 15 has been revised to provide clarity on access requests to personal data received by organisations.

  • Where organisations need not accede to an access request: Generally, an organisation must respond to an access request by providing access to the personal data requested, or by informing the individual of a rejection of the access request where it has valid grounds not to provide access. The Guidelines clarify that organisations are not required to accede to a request:
    • if an exception (as set out in the Fifth Schedule of the PDPA) from the access requirement applies;
    • if the applicant has not paid the fee for services provided to the applicant to enable the organisation to respond to the applicant’s request, provided the organisation has provided the applicant a written estimate of the fee; or
    • if any of the grounds in Section 21(3) of the PDPA are applicable, such as where the provision of the personal data or other information could reasonably be expected to threaten the safety or physical or mental health of an individual other than the requesting individual, or to cause immediate or grave harm to the safety or physical or mental health of the requesting individual.
  • Access requests relating to legal proceedings: Where personal data has been collected for the purpose of prosecution and investigations, etc, organisations are not required to accede to the access request pursuant to an exemption under the PDPA. Access need not be provided in respect of a document related to a prosecution if all proceedings related to the prosecution have not been completed. The Guidelines clarify that where personal data has been collected prior to the commencement of prosecution and investigations but is nevertheless relevant to the proceedings, an individual should obtain access through criminal and civil discovery avenues rather than through an access request under the PDPA. The PDPA does not affect discovery obligations under law that parties to a legal dispute may have (e.g., pursuant to any order of court).

The PDPC has also introduced a new chapter on “Cloud Services” in the Guidelines on the PDPA for selected topics to provide clarity on the responsibilities of organisations using cloud services to process personal data in the cloud and the responsibilities of cloud service providers (CSPs) when processing personal data on behalf and for the purposes of organisations.

Obligations

  • Obligations of the organisation
    • When using cloud services, the organisation is responsible for complying with all obligations under the PDPA in respect of personal data processed by the CSP on its behalf and for its purposes.
    • As mentioned above, the organisation that engages a CSP as a data intermediary to provide cloud services is also responsible for complying with the Transfer Limitation Obligation with respect to any overseas transfer of personal data in using the CSP’s cloud services, regardless of whether the CSP is located in Singapore or overseas.
  • Obligations of the CSP
    • Where the CSP is processing personal data on behalf and for the purposes of another organisation pursuant to a written contract, the CSP is considered a “data intermediary” and subject to the Protection and Retention Limitation Obligations under the PDPA in respect of the personal data that it processes or hosts for the organisation in data centres outside Singapore.
    • The CSP, as an organisation in its own right, remains responsible for complying with all data protection provisions in respect of its own activities which do not constitute processing of personal data under the contract.

Relentless Privacy and Compliance Services Ltd provides organisations with local and global data privacy consultancy, ensuring your organisation remains compliant wherever your operational data processing takes place.

Japan APPI Collection Transfer and Storage of Personal Data

Your Questions Answered

Are Japan’s APPI data protection laws ahead of or behind the international curve?

The key legislation governing personal information and data in Japan is the Act on the Protection of Personal Information (57/2003).

The latest amendment to the act, which came into effect on 30 May 2017, updates it to reflect modern society and international data protection laws. The amendment includes the establishment of the Personal Information Protection Commission (PPC) as Japan’s privacy commissioner and the introduction of certain restrictions on the transfer of personal data outside Japan.

Through the detailed guidelines issued by the PPC, Japan’s national data protection laws have, to some extent, caught up with the international curve. Based on the amendments to the act, Japan will have a comparable level of data protection to that of the European Union.


Are any changes to existing data protection legislation proposed or expected in the near future?


Other than the recent amendment, there are no proposed or expected changes.


Legal framework


Legislation

What legislation governs the collection, storage and use of personal data?


The key legislation governing the collection, storage and use of personal information in Japan is the Act on the Protection of Personal Information. The act provides the general rules concerning the protection of personal information in the private sector and regulates the handling of personal information.

Scope and jurisdiction


Who falls within the scope of the legislation?


The Act on the Protection of Personal Information applies to ‘business operators handling personal information’ – defined in the act as any person using a personal information database for business (for further details please see the following question). The act does not apply to:

  • state organisations;
  • local governments;
  • incorporated administrative and similar agencies; and
  • local independent administrative institutions.

A foreign entity may constitute a ‘business operator handling personal information’ under the act if it collects and handles personal information in Japan. Further, even if a foreign entity has no presence in Japan and does not collect or handle personal data there, some provisions of the act apply to it when it provides goods or services to individuals in Japan and acquires the personal information of those individuals.


What kind of data falls within the scope of the legislation?


The Act on the Protection of Personal Information applies to three categories of information and data, each of which is governed by different rules:

  • ‘Personal information’ – information about a living individual that falls under any of the following items:
    • information containing a name, date of birth or other descriptions whereby a specific individual can be identified (including information that allows easy reference to other information that would thereby enable identification of the individual); or
    • information containing an individual identification code, which is a code, including characters, numerical characters and marks, that can be used to identify the specific individual and which is specified in a cabinet order (eg, biometric identifiers such as fingerprint data or face recognition data, passport or driving licence numbers).
  • ‘Personal data’ – personal information contained within a personal information database. A ‘personal information database’ is a collection of information, including:
    • a collection of information systematically arranged in such a way that enables specific personal information to be retrieved from it by a computer; and
    • any other collection of information designated by the cabinet order as being systematically arranged in such a way that enables specific personal information to be easily retrieved from it (ie, if the personal information is organised according to certain rules or if a table of contents, index or other arrangement aids retrieval of the personal information).
  • ‘Retained personal data’ – personal data that a business operator governed by the act has the authority to:
    • disclose;
    • correct;
    • add to or subtract from;
    • discontinue the use of;
    • erase; or
    • discontinue the provision of to a third party.

The cabinet order excludes certain data from the definition of ‘retained personal data’, namely data whose disclosure would harm the public or other interests, or data that will be erased within six months.

In addition, the act contains provisions regarding the processing method and handling of anonymised processed information, which is defined as ‘information about an individual obtained by processing personal information so as not to identify the specific individual’ and so that the original personal information cannot be restored. Pursuant to the act and the Rules of the Personal Information Protection Commission, anonymised processed information is not deemed ‘personal information’. As a result, handling anonymised processed information is not subject to the restrictions that apply to personal information or personal data.


Are data owners required to register with the relevant authority before processing data?


No such requirement exists.


Is information regarding registered data owners publicly available?


Not applicable.


Is there a requirement to appoint a data protection officer?


There is no legal requirement to appoint a data protection officer under the Act on the Protection of Personal Information and applicable guidelines. However, business operators governed by the act must take security control measures concerning personal data and the appointment of a data protection officer is provided as an example of ‘organisational measures’, which is one of the security control measures provided for by some guidelines.

Enforcement


Which body is responsible for enforcing data protection legislation and what are its powers?


Under the amended Act on the Protection of Personal Information, the Personal Information Protection Commission (PPC) is responsible for its enforcement in the private sector. The PPC can request reports and issue recommendations and orders, as well as conduct on-the-spot inspections.

Non-compliance with a request or violation of an order can result in fines, imprisonment or both.


Collection and storage of data


Collection and management


In what circumstances can personal data be collected, stored and processed?


Processing

A business operator governed by the Act on the Protection of Personal Information must specify the purpose of use for personal information it handles (to the extent possible) and comply with the following rules:

  • it must not change the purpose of use beyond a scope which has a reasonably substantial relationship with the original purpose of use; and
  • it must not use the personal information beyond the scope necessary to achieve the purpose of use, without obtaining the individual’s prior consent.


Collection


The following restrictions apply to the collection of personal information by business operators governed by the Act on the Protection of Personal Information:

  • proper acquisition – a business operator must not acquire personal information by deception or other wrongful means;
  • notice of purpose of use at time of acquisition – once a business operator has acquired personal information, it must notify the individual of or publicly announce the purpose of use, unless it has already been publicly announced or one of the following applies:
    • such notification or public announcement would likely cause harm to the life, body, property, rights or interests of an individual or third party;
    • such notification would likely harm the business operator’s rights or legitimate interests;
    • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and the notification or public announcement of the purpose of use would likely impede the execution of such affairs; or
    • the purpose of use is evident from the circumstances around the collection of the personal information.

The guidelines issued by the Personal Information Protection Commission (PPC) include examples of how business operators can make such public announcement – namely, by posting it on their websites or displaying it in an easily viewable location within their places of business.

Business operators must not obtain sensitive information without the individual’s prior consent. Sensitive information means personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damage as a result of a crime, or other descriptions described by the cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantage to the principal.


Storage


Business operators governed by the Act on the Protection of Personal Information must take security control measures in respect of personal data. The act imposes a broadly stated obligation on business operators to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”. The act provides no concrete measures to satisfy this requirement. However, it is generally understood that such security control measures include:

  • organisational measures;
  • employee-related measures (eg, personnel training);
  • physical measures; and
  • technical measures.

Specific actions to be taken for each type of measure are stipulated in the various guidelines issued by the PPC.


Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?


Business operators governed by the act must endeavour to delete personal data without delay when its use is no longer required.


Do individuals have a right to access personal information about them that is held by an organisation?


A business operator governed by the Act on the Protection of Personal Information must make the following details accessible to individuals whose personal data it retains:

  • its name;
  • the purpose of use (except in specified circumstances);
  • the procedures for requesting correction, cessation of use, sharing or deletion of the retained personal data, as well as the procedures for other requests; and
  • other matters as specified by cabinet order that are necessary to ensure the proper handling of the retained personal data.

In addition, business operators governed by the act must disclose any relevant personal data without delay if:

  • an individual requests that the business operator disclose whether it has retained any personal data that could lead to the individual’s identification; or
  • an individual requests notification that the business operator holds no such personal data.


Do individuals have a right to request deletion of their data?


If an individual requests that a business operator governed by the Act on the Protection of Personal Information correct, expand or delete his or her retained personal data because it is inaccurate, the business operator must investigate the issue without delay. Based on the investigation results, the business operator must correct, expand or delete the personal data and notify the individual of its response to the request.

In addition, if an individual requests that a business operator stop using or disclosing retained personal data on the basis that it is violating the Act on the Protection of Personal Information, the business operator must stop using or disclosing the personal data if the request is reasonable.

Consent obligations


Is consent required before processing personal data?


As a general rule, business operators governed by the Act on the Protection of Personal Information cannot handle personal information for reasons beyond the scope necessary to achieve the purpose of use without obtaining the individual’s prior consent.

As a general rule, business operators governed by the act may not provide such information to a third party without obtaining the individual’s prior opt-in consent.


If consent is not provided, are there other circumstances in which data processing is permitted?


Exceptions to the general rules above apply if:

  • the handling of personal information is required by laws and regulations;
  • the handling of personal information is necessary to protect an individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal information is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.


What information must be provided to individuals when personal data is collected?


As a general rule, once a business operator governed by the Act on the Protection of Personal Information has acquired personal information, it must notify the individual of or publicly announce the purpose of use.


Data security and breach notification


Security obligations


Are there specific security obligations that must be complied with?


Business operators governed by the Act on the Protection of Personal Information have a broad obligation to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”.


Breach notification


Are data owners/processors required to notify individuals in the event of a breach?


Notifying individuals when a security breach has occurred is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the Personal Information Protection Commission (PPC) provide that it is preferable to notify the individual of the fact of the incident or make the fact readily available for affected individuals in order to prevent secondary damage or recurrence of the incident. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the Financial Services Agency (FSA) state that if a personal information breach occurs, the business operator handling the personal information should immediately provide notice to the relevant individuals of the facts around the breach.


Are data owners/processors required to notify the regulator in the event of a breach?


This is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the PPC provide that, as a general rule, a business operator handling personal information should strive to immediately notify the PPC of incidents of data security breach and the preventive measures taken. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the FSA state that if a personal information breach occurs, the business operator handling the personal information should immediately report the breach to the FSA and promptly make a public announcement addressing – among other things – the facts around the breach and the measures to be taken to prevent a recurrence.


Electronic marketing and internet use


Electronic marketing


Are there rules specifically governing unsolicited electronic marketing (spam)?


The Act on Specified Commercial Transactions (57/1975) prohibits companies from advertising their sales terms by email without the customer’s prior request or consent. Further, the Act on the Regulation of Transmission of Specified Electronic Mail (26/2002) regulates the transmission of emails as a means of advertisement of sales activities. Under this act, in principle companies must not transmit such emails without the customer’s prior request or consent.

Therefore, sending unsolicited email marketing messages (ie, spam) is prohibited by the Act on Specified Commercial Transactions and the Act on the Regulation of Transmission of Specified Electronic Mail.


Cookies


Are there rules governing the use of cookies?


There are no special rules regarding the use of cookies or similar technologies.


Data transfer and third parties


Cross-border data transfer


What rules govern the transfer of data outside your jurisdiction?


In principle, the Act on the Protection of Personal Information restricts the provision of personal data to third parties in a foreign country without the subject individual’s prior consent.

The exceptions to the above restriction include the following:

  • With respect to a third party that is a recipient of personal data, the prior consent requirement does not apply to the transfer of personal data to recipient operators with a management system conforming to the standards set out in the Personal Information Protection Commission (PPC) rules. The PPC rules provide two categories of exempt recipient operators:
    • a recipient operator that, together with the transferring operator, ensures compliance with the Act on the Protection of Personal Information through appropriate and reasonable measures agreed between the transferring operator and the recipient operator; and
    • a recipient operator that has obtained recognition based on an international framework concerning the handling of personal information (eg, recognition under the APEC Cross-Border Privacy Rules).
  • With respect to a foreign country where a recipient is located, the prior consent requirement does not apply to countries that are specified in the PPC rules as having a system for the protection of personal information equivalent to that required under Japanese law. Nonetheless, as of 1 October 2018, no such country has been specified by the PPC rules; however, it is anticipated that EU member states will be made exempt later in 2018.


Are there restrictions on the geographic transfer of data?


The Act on the Protection of Personal Information and most guidelines include no restrictions on the geographic transfer of data. However, the guidelines regarding medical information systems provide that medical information systems (eg, servers containing medical information) and medical data should be located in an area where Japanese laws can be enforced.


Third parties


Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?


As a general rule, business operators governed by the Act on the Protection of Personal Information cannot provide personal information to a third party without obtaining the individual’s prior opt-in consent.

In addition, the Act on the Protection of Personal Information requires business operators providing personal data to third parties to record:

  • the date on which the data was provided;
  • the third party’s name; and
  • the matters specified in the PPC rules.

Conversely, if a business operator receives such personal data from a third party, it must confirm:

  • the third party’s name and address;
  • the representative’s name; and
  • how the third party obtained the personal data.

In addition, the business operator must record the date on which the information was provided and any matters regarding such confirmation, as well as the matters specified by the PPC rules.


Exceptions


Exceptions to the general rule above apply if:

  • the handling of personal data is required under laws and regulations;
  • the handling of personal data is necessary for the protection of the individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal data is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

The following exceptions also apply:

  • A business operator governed by the Act on the Protection of Personal Information can provide personal data (excluding sensitive information) to a third party (excluding those located outside Japan) without obtaining the individual’s prior consent if it notifies the individual in advance of the following information or makes such information readily available to the individual. In addition, it must also notify the PPC of all of the following information:
    • the fact that providing the personal data to a third party falls under the purpose of use;
    • the personal data that will be provided to the third party;
    • the means or methods of providing the personal data to the third party;
    • the fact that the provision of the personal data – which will lead to the identification of the individual by a third party – will be discontinued on the individual’s request to opt out; and
    • the way in which an individual can make an opt-out request.
  • Business operators are prohibited from providing sensitive information to third parties using the opt-out option.
  • If the personal data is to be transferred as a result of a merger, acquisition or similar succession transaction, the recipient does not constitute a third party.
  • If the personal data is to be transferred as a result of a business operator commissioning a third-party service provider with all or part of the processing of the personal data that is necessary to achieve the purpose of use, and the service provider does not process the data for its own purpose of use, such service provider does not constitute a third party.
  • A business operator governed by the Act on the Protection of Personal Information can use the personal information jointly with another individual or entity without the individual’s prior consent if it notifies the individual of the following information or ensures that such information is made readily available to the individual, in advance:
    • the fact that the personal data may be shared with and used jointly by specific individuals or entities;
    • the personal data that will be jointly used;
    • the scope of the joint users;
    • the purpose for which the personal data will be used; and
    • the name of the joint user responsible for the management of the personal data (either an individual or a business operator).


Penalties and compensation


Penalties


What are the potential penalties for non-compliance with data protection provisions?


Under the Act on the Protection of Personal Information, the Personal Information Protection Commission (PPC) may request reports on the handling of personal information and may issue recommendations or corrective orders if a business operator governed by the act breaches an individual’s privacy and violates the act.

Before issuing a corrective order, the PPC may take an incremental approach and instruct, advise and make recommendations to business operators governed by the act. A breach of a corrective order is a criminal offence and the person responsible is punishable by imprisonment with work for a maximum of six months, a maximum fine of ¥300,000 or both. The business operator will also be subject to a maximum fine of ¥300,000.


Compensation


Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?


If an individual’s privacy is violated as a result of a data breach by, or non-compliance with data protection provisions by, a business operator governed by the act, the individual may file a tort or breach of contract claim for compensation against the business operator.


Cyber security


Cyber security legislation, regulation and enforcement


Has legislation been introduced in your jurisdiction that specifically covers cyber crime and/or cyber security?


Several laws cover different types of cyber crime and cybersecurity, such as:

  • the Penal Code (45/1907), which was amended in 2011 to regulate ‘illegal programming’, including malware (Articles 168-2 and 168-3);
  • the Act on the Prohibition of Unauthorised Computer Access (128/1999), which was enacted in 1999 and amended in 2012 to include phishing and the unauthorised obtainment of identifying information (eg, passwords); and
  • the Unfair Competition Prevention Act (47/1993), which prohibits unauthorised access to trade secrets and was amended in 2015 to strengthen penalties.


What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?


The Basic Act on Cybersecurity (104/2014) was enacted in November 2014 to promote and enhance cybersecurity in Japan. The act sets out an overall national cybersecurity policy and the roles and responsibilities of the national and local governments. The act also provides that cyber businesses and infrastructure-related businesses should endeavour to take voluntary measures to enhance cybersecurity and cooperate with the government in implementing the relevant measures (Article 7).


Which cyber activities are criminalised in your jurisdiction?


The following cyber activities are criminalised in Japan, among others:

  • the creation, provision, release, acquisition and storage of malware with the intention of applying or using such malware in the electronic device of another person or entity (Articles 168-2 and 168-3 of the Penal Code);
  • phishing and the unauthorised obtainment of identifying information (eg, passwords and fingerprint data) via online access (Articles 2, 3, 4 and 7 of the Act on the Prohibition of Unauthorised Computer Access);
  • unauthorised online access of computer systems or networks (Articles 2 and 3 of the Act on the Prohibition of Unauthorised Computer Access); and
  • the unauthorised acquisition, use or disclosure of trade secrets (including those that are electronically stored) in a physical or electronic manner with the intention of acquiring an illicit gain or causing injury to the owner (Article 2 of the Unfair Competition Prevention Act).


Which authorities are responsible for enforcing cybersecurity rules?


The Basic Act on Cybersecurity designates the Cybersecurity Strategic Headquarters as the control body to promote national cybersecurity strategy and the National Centre of Incident Readiness and Strategy for Cybersecurity as its secretariat.

With respect to cyber crime, the National Police Agency and the Prosecutor’s Office are responsible for enforcing the applicable laws.

 

Cyber security best practice and reporting

 

Can companies obtain insurance for cyber security breaches and is it common to do so?

 

Yes, but it is uncommon, especially for small and medium-sized companies.

 

Are companies required to keep records of cyber crime threats, attacks and breaches?

 

There is no such legal obligation. However, the Act on the Prohibition of Unauthorised Computer Access provides that an administrator of computer systems or networks should endeavour to consistently verify the effectiveness of its access control functions (Article 8). It can therefore be construed that companies should endeavour to keep records of threats, attacks and breaches in order to properly control their computer systems.

 

Are companies required to report cyber crime threats, attacks and breaches to the relevant authorities?

 

There is no such legal obligation. If cyber crime entails a personal data breach, the company will be required to report it to the competent minister in accordance with the applicable guidelines.

 

Are companies required to report cyber crime threats, attacks and breaches publicly?

 

There is no such legal obligation. If cyber crime entails a personal data breach, the company will be required to report it to the individuals concerned in accordance with the applicable guidelines.

 

Criminal sanctions and penalties

 

What are the potential criminal sanctions for cyber crime?

 

Criminal sanctions for the major types of cyber crime in Japan are as follows:

 

  • The creation, provision or release of malware can result in imprisonment with work for a maximum of three years or a maximum fine of ¥500,000 (Article 168-2 of the Penal Code).
  • The acquisition or storage of malware can result in imprisonment with work for a maximum of two years or a maximum fine of ¥300,000 (Article 168-3 of the Penal Code).
  • Phishing and the unauthorised acquisition of identifying information online can result in imprisonment with work for a maximum of one year or a maximum fine of ¥500,000 (Article 12 of the Act on the Prohibition of Unauthorised Computer Access).
  • Unauthorised online access to computer systems or networks can result in imprisonment with work for a maximum of three years or a maximum fine of ¥1 million (Article 11 of the Act on the Prohibition of Unauthorised Computer Access).
  • The unauthorised acquisition, use or disclosure of a trade secret can result in imprisonment with work for a maximum of 10 years, a maximum fine of ¥20 million, or both (Article 21 of the Unfair Competition Prevention Act).

 

What penalties may be imposed for failure to comply with cybersecurity regulations?

 

There are no such penalties. However, if such failure also falls under non-compliance with data protection provisions, the relevant minister may issue recommendations and corrective orders and a breach of such corrective orders is a criminal offence.

Relentless Privacy and Compliance Services Ltd provides organisations with local and global data privacy consultancy, ensuring your organisation remains compliant wherever your operational data processing takes place.

Data Privacy Strategy Has to Go Global

No global privacy professional can be unaware of the EU General Data Protection Regulation (GDPR) and the gold standard it has set for data protection as a core compliance requirement.

GDPR is now influencing laws in other parts of the world, and an increasing number of new laws in the wings copy aspects of it.

California has recently announced a GDPR-style law, the California Consumer Privacy Act of 2018, and Brazil, Bahrain, India, Kenya and South Africa are all implementing similar legislation granting enhanced rights to individuals and holding businesses more accountable.

It is no surprise that legislators are bringing in laws and regulations that give individuals greater power over their personal data, given the market value of personal information and the increasing use of technology to profile individuals and their habits in the digital world.

Whilst GDPR seems to set the standard, we should not forget that history plays a large part in the spread of privacy laws given that countries like France, Spain, Portugal and the British Isles have been so influential in other parts of the world for hundreds of years.

The data protection laws in South Africa, the Middle East, Canada and much of Asia are heavily influenced by the British Commonwealth and former British rule.

It is no surprise that the new Brazilian law looks similar to the GDPR, and equally that the laws in other parts of South America are based on Spanish data protection law. Similarly, data protection laws in North Africa and in certain parts of Asia are heavily influenced by French privacy principles.

Global data protection principles are also based upon the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, first published in 1980 and updated in 2013, which contain fair processing principles and guidance on international data transfers that have influenced data protection laws around the world, including the EU-US Privacy Shield.

In addition, the Council of Europe Convention 108 is yet another international accord, with parties such as Russia and Mauritius, which again encapsulates guiding principles on the protection of personal data, very much in line with GDPR.

The result of the globalisation of data protection rules must be that multinationals are more likely to adopt a “one size fits all” approach, and it would seem that right now the GDPR, coupled with the new law in California, is going to set the standard.

Developing a global data privacy strategy that encompasses the data protection laws across the organisation's operational footprint is vital for an organisation to remain compliant, with knowledgeable, well-trained staff and published internal and external policies that are adhered to.

Place your global data protection with Relentless Privacy and Compliance Services, the data privacy partner of choice.

Malaysia Personal Data Protection Act (PDPA) Your Guide Part Two

In Part One of Malaysia Personal Data Protection Act (PDPA) Your Guide we discussed the structure of the PDPA. Here in Part Two we explain the operational mechanics of the PDPA.

 

Collection and Processing

 

Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of his or her personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form in which it can be properly recorded and maintained by the data user.

Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects regarding the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties.

On December 23, 2015, the Commissioner published the Personal Data Protection Standard 2015 (“Standards”), which sets out the Commissioner’s minimum requirements for processing personal data. The Standards include the following:

  • Security Standard For Personal Data Processed Electronically
  • Security Standard For Personal Data Processed Non-Electronically
  • Retention Standard For Personal Data Processed Electronically And Non-Electronically
  • Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically

 

International Transfers

 

Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, there are exceptions to this restriction, including the following:

  • The data subject has given his or her consent to the transfer.
  • The transfer is necessary for the performance of a contract between the data subject and the data user.
  • The data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA.
  • The transfer is necessary to protect the data subject’s vital interests.

In 2017, the Commissioner published a draft Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 to obtain public feedback on the proposed jurisdictions to which personal data from Malaysia may be transferred. As of December 26, 2018, the Minister had yet to approve the safe harbour jurisdictions. Once approved, a data user will be able to transfer personal data to these safe harbour jurisdictions without having to rely on the data subject’s consent or the other prescribed exceptions under the PDPA.

 

Data Security

 

Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.

In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

 

Data Breach Notification

 

There is no requirement under the PDPA for data users to notify authorities regarding data breaches in Malaysia. However, news reports dated October 5, 2018 suggest that Malaysia’s laws could be updated, as early as mid-2019, to include data breach notification requirements modelled on those under the European Union’s General Data Protection Regulation (GDPR), including a requirement to notify government authorities.

 

Enforcement

 

Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA. Under the Personal Data Protection Regulations 2013, the Commissioner has the power to inspect the systems used in personal data processing and the data user is required, at all reasonable times, to make the systems available for inspection by the Commissioner or any inspection officer. The Commissioner or the inspection officers may require the production of the following during inspection:

  • The record of the consent from a data subject maintained in respect of the processing of that data subject’s personal data by the data user
  • The record of required written notices issued by the data user to the data subject
  • The list of personal data disclosures to third parties
  • The security policy developed and implemented by the data user
  • The record of compliance with data retention requirements
  • The record of compliance with data integrity requirements, and
  • Such other related information which the Commissioner or any inspection officer deems necessary

Violations of the PDPA and certain provisions of the Personal Data Protection Regulations 2013 are punishable with criminal liability. The prescribed penalties include fines, imprisonment or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defence.

However, there is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data users for breaches of the PDPA.

 

Electronic marketing

 

The PDPA applies to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. However, the PDPA provides that a data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his or her personal data for direct marketing purposes. ‘Direct marketing’ means the communication by whatever means of any advertising or marketing material that is directed to individuals.

 

Online Privacy 

There are no provisions in the PDPA that specifically address the issue of online privacy (including cookies and location data). However, any electronic processing of personal data in Malaysia will be subject to the PDPA and the Commissioner may issue further guidance on this issue in the future.

Malaysia Personal Data Protection Act (PDPA) Your Guide Part One

 

The Law

 

Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.

 

Definitions

 

Definition of personal data

 

‘Personal data’ means any information in respect of commercial transactions that is:

  • Being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose
  • Recorded with the intention that it should wholly or partly be processed by means of such equipment, or
  • Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, and, in each case

…that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.

Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

 

Definition of sensitive personal data

 

‘Sensitive personal data’ means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offence or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by published order. Other than the categories of sensitive personal data listed above, the Minister has not published any other types of personal data to be sensitive personal data as of December 26, 2018.

 

Authority

 

Pursuant to the PDPA, a Personal Data Protection Commissioner (Commissioner) has been appointed to implement the PDPA’s provisions. The Commissioner is advised by a Personal Data Protection Advisory Committee, which is appointed by the Minister and consists of one Chairman, three members from the public sector, and at least seven but no more than eleven other members. Appointments to the Personal Data Protection Advisory Committee are for a term not exceeding three years; however, members can be appointed for two successive terms.

The Commissioner’s decisions can be appealed to the Personal Data Protection Appeal Tribunal. Appealable decisions include the following:

  • Decisions relating to the registration of data users under Part II Division 2 of the PDPA
  • The refusal of the Commissioner to register a code of practice under Section 23(5) of the PDPA
  • The service of an enforcement notice under Section 108 of the PDPA
  • The refusal of the Commissioner to vary or cancel an enforcement notice under Section 109 of the PDPA, or
  • The refusal of the Commissioner to conduct or continue an investigation that is based on a complaint under Part VIII of the PDPA.

If a data user is not satisfied with a decision of the Personal Data Protection Appeal Tribunal, the data user may apply for judicial review of the decision in the Malaysian High Court.

 

Which Organisations are Required to Register

 

Currently, the PDPA requires the following classes of data users to register under the PDPA:

 

  1. Communications
    • A licensee under the Communications and Multimedia Act 1998
    • A licensee under the Postal Services Act 2012
  2. Banking and financial institution
    • A licensed bank and licensed investment bank under the Financial Services Act 2013
    • A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
    • A development financial institution under the Development Financial Institution Act 2002
  3. Insurance
    • A licensed insurer under the Financial Services Act 2013
    • A licensed takaful operator under the Islamic Financial Services Act 2013
    • A licensed international takaful operator under the Islamic Financial Services Act 2013
  4. Health
    • A licensee under the Private Healthcare Facilities and Services Act 1998
    • A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998
    • A body corporate registered under the Registration of Pharmacists Act 1951
  5. Tourism and hospitality
    • A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992
    • A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992
  6. Transportation
    • Certain named transportation services providers
  7. Education
    • A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
    • A private school or private educational institution registered under the Education Act 1996
  8. Direct selling
    • A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993
  9. Services
    • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961 carrying on business as follows:
      • legal
      • audit
      • accountancy
      • engineering
      • architecture
    • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control of Supplies Act 1961
    • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981
  10. Real estate
    • A licensed housing developer under the Housing Development (Control and Licensing) Act 1966
    • A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah
    • A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak
  11. Utilities
    • Certain named utilities services providers
  12. Pawnbroker
    • A licensee under the Pawnbrokers Act 1972
  13. Moneylender
    • A licensee under the Moneylenders Act 1951

Certificates of registration are valid for at least one year. On expiry, data users must renew their registration and may not continue to process personal data until they have done so.

Data users are also required to display their certificate of registration at a conspicuous place at their principal place of business, and a copy of the certificate at each branch, where applicable.

The Commissioner may designate a body as a data user forum for a class of data users. Data user forums can prepare codes of practice to govern compliance with the PDPA, which can be registered with the Commissioner. Once a code is registered, all data users in that class must comply with its provisions, and non-compliance is a violation of the PDPA. As of December 26, 2018, the Commissioner had registered several codes of practice, including for the banking and financial sector, the aviation sector, the utilities sector and the insurance and takaful industry in Malaysia.

 

Do I Need to Appoint a Data Protection Officer

 

Currently, Malaysian law does not require that data users appoint a data protection officer.

 

Tune in for Part Two to follow 

 

Data Privacy in Asia Philippines DPA

 

While the GDPR may be the most extensive and revolutionary privacy law the world has seen thus far, the EU is not the only one implementing stricter data privacy requirements. More and more countries around the globe are also enacting regulations to protect the personal information of their citizens. Today, we want to look specifically at the Philippines and its Data Privacy Act of 2012 (DPA).

 

The purpose of the Act is “to protect the fundamental human right to privacy of communication while ensuring the free flow of information to promote innovation and growth.” In conjunction with the passing of this Act, the Philippine government also established the National Privacy Commission (NPC) to monitor and enforce the law. In September 2016, the NPC released the final implementing rules and regulations for the DPA, requiring companies to register their personal data processing systems by September 9, 2017.

 

Who does the DPA apply to?

 

The DPA applies to both individuals and legal entities, in the roles of personal information controllers and personal information processors (the equivalents of data controllers and data processors under the GDPR). Like the GDPR, it also reaches organisations outside the Philippines that process the personal data of Philippine citizens or residents. The DPA covers businesses within the Republic of the Philippines and organisations with offices in the Philippines, and, unlike the GDPR, it also covers those who use equipment located in the Philippines.

 

What does the DPA consider to be personal information?

 

The Act protects individuals from the unauthorised processing of their personal information, that is, personally identifiable information (PII) that is not publicly available. The DPA defines sensitive personal information as any data concerning:

  • An individual’s race, ethnic origin, marital status, age, colour, and religious, philosophical or political affiliations;
  • An individual’s health, education, genetic or sexual life, or any proceeding for any offence committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  • Information issued by government agencies particular to an individual, which includes social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  • Information specifically established by an executive order or an act of Congress to be kept classified.

 

What are the lawful bases for processing under the DPA?

 

Like the GDPR, the Act requires organisations to have a specific and legitimate purpose for processing every category of data. Consent is another vital part of the lawful collection of data, and customers must be fully aware of how and why their data will be used when asked for consent. However, consent is not always required for processing; for example, it is not needed for the performance of a contract, the protection of vital interests, or the response to a national emergency.

 

What individual rights are given to Philippines’ citizens and residents?

 

The law provides data subjects with rights concerning their personal information, such as notice, access, accuracy and transparency. These include the Right to Dispute, the Right to Erasure and the Right to Data Portability, which closely resemble individual rights found in the GDPR (check out our white paper to see how they align).

  • The Right to Dispute. This right allows data subjects to contest inaccurate data held by the data controller and to request that the information be corrected.
  • The Right to Erasure or Blocking. Under the regulation, data subjects can “suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller.” To exercise this right, the data subject must have substantial proof that the data is incomplete, outdated or false, or was unlawfully obtained. This right also entitles data subjects to be indemnified for any resulting damages.
  • The Right to Data Portability. Data subjects have the right to obtain a copy of their personal information from the data controller, provided the data was processed electronically.

 

What are the penalties for non-compliance with the DPA?

 

The DPA includes various penalties for individuals and organisations found to be non-compliant, many of which include imprisonment. Data controllers are held accountable for the following: unauthorised processing, negligent access, improper disposal, concealment of breaches or intentional breaches, and the unauthorised or malicious disclosure of data.

The repercussions of these violations (or a combination of them) can include imprisonment of three to six years as well as a fine of PHP 1 million to PHP 5 million (roughly US$20,000 to US$100,000). The maximum fine is imposed when a data breach involves the information of 100 or more individuals.

 

How can Philippine businesses comply with the GDPR?

 

Organizations that already comply with the Data Privacy Act (DPA) will find it easier to abide by the GDPR due to the similarity in statutes between the two. The data protection officers of Philippine companies complying with the DPA already have the tools they need to perform GDPR compliant roles efficiently.

 

The GDPR, much like the DPA, puts a high value on requiring the consent of users regarding the gathering of their information. The following guidelines have been set under the GDPR for the acquisition of user data:

 

  • Use concise, transparent, intelligible and easily accessible forms when asking users to agree to privacy terms and conditions or to data collection and processing
  • Disclose the purpose or legal grounds for the processing, the categories of personal data collected, the possible recipients of the data, and how long the data will be retained
  • Have an age-verification process to identify users under the age of 16, and obtain the consent of their parents before processing the minor’s personal information

 

An easy way for organisations to meet the terms of these guidelines is by having cookie banners, consent management, and internal privacy tools on their respective websites and/or web forms.

The GDPR also has provisions stating that users can opt out of automated processing which includes profiling. Similar to the DPA, companies are required by the GDPR to have someone review data handling procedures.

 

Moreover, under the GDPR, when an organisation becomes aware of a personal data breach it is required to report it to the relevant supervisory authority within 72 hours.

 

What are the consequences for failing to comply with the GDPR?

 

Companies that fail to comply with the GDPR can be fined up to €10 million (about US$11.74 million) or 2% of worldwide annual turnover for lower-tier infringements, and up to €20 million (about US$23.48 million) or 4% of worldwide annual turnover for the most serious infringements, whichever is higher. The severity of the fine depends on the seriousness of the infringement, whether a breach was committed, and how diligently the company has been working to comply with the GDPR.

 

What should our next steps be to align with the DPA?

 

Organisations conducting business in the Philippines, or processing the data of Philippine citizens and residents, should take the following steps to meet DPA requirements:

 

  • Conduct a Data Privacy Impact Assessment (DPIA), a full review of your organisation’s data, collection procedures, processing activities, and data centres.
  • Appoint a Data Protection Officer (DPO), the person responsible for ensuring data processing remains in accordance with the regulation.
  • Register with the NPC. The following documentation is necessary for the registration of private entities: a certificate of the appointment of a DPO and a certified copy of any of the following documents: certificate of registration or license to operate.
  • Create a Privacy Management Program Manual to inform all departments and employees of the requirements of the DPA and the directives of the NPC.
  • Implement privacy and data protection measures and ensure that breach notification procedures are routinely tested.

 

As more and more countries adopt stronger privacy regulations, compliance with them is becoming a basic requirement for companies doing business around the world. After even a quick look at the requirements of the DPA, you may have noticed some similarities between the DPA and the EU’s GDPR. While compliance with these regulations is certainly not an easy feat, their alignment in certain areas makes compliance with both simpler.

Relentless Privacy and Compliance covers all data privacy regulations in the Asia region, and in particular GDPR for Philippine outsourced service providers processing EU data subjects’ data.

 

The Malaysian Personal Data Protection Act “the Act”

The Malaysian Personal Data Protection Act 2010 (“the Act”) came into force on 15 November 2013. The Act places additional responsibilities and requirements on businesses in Malaysia when it comes to the processing of personal data of their employees, suppliers and customers. This article provides an overview of the key issues to note under the Act.

The Act applies to any person who processes, or has control over or authorises the processing of, any “personal data” in respect of commercial transactions (the “data user”). The Act also applies to persons not established in Malaysia (for example, international organisations) if they use equipment in Malaysia to process personal data other than for the purposes of transit through Malaysia.

 

Certain classes of data users (eg: licensed insurers; legal, auditing, accounting, engineering and architecture firms; housing developers; medical and dental clinics) are required to register themselves with the Department of Personal Data Protection.

 

HOW IS PERSONAL DATA DEFINED UNDER THE ACT?

 

Broadly, “personal data” covered by the Act is information that relates to a data subject who is identifiable from the information being processed or collected. This broad definition covers data such as names, contact details, national registration identity card numbers and passport numbers. Personal data also includes sensitive personal data, such as the physical or mental health of the data subject, his or her political opinions and religious beliefs, and criminal convictions, among others.

 

WHAT IS REQUIRED BY THE ACT?

 

Under the Act, data users are required to adhere to the 7 Personal Data Protection Principles.

 

  1. General: Personal data can only be processed with the data subject’s consent.
  2. Notice and Choice: Data subjects must be informed by written notice of, among other things, the type of data being collected and its purpose, its sources, the right to request access and correction, and the choices and means by which the data subject can limit the processing of their personal data.
  3. Disclosure: Personal data may not be disclosed without the data subject’s consent for any purpose other than the purpose for which the data was disclosed at the time of collection, or to any person other than those notified to the data user.
  4. Security: Data users must take practical steps to protect personal data from any loss, misuse, modification, unauthorised access or disclosure, alteration or destruction.
  5. Retention: Personal data shall not be kept longer than is necessary for the fulfilment of its purpose.
  6. Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.
  7. Access: Data subjects must be given access to their personal data and be able to correct any personal data that is inaccurate, incomplete, misleading or not up to date.

Maximum fines for various offences under the Act range from RM100,000 to RM500,000 per offence. On conviction, offenders may also be liable to imprisonment.

What steps can a business take to help achieve compliance?

If your organization is a data user under the Act, you should start considering the following actions:

  1. Conduct an audit to identify:

(a) the types of personal data being collected and processed;

(b) the purposes for which personal data is being collected;

(c) the third parties to whom personal data is being disclosed;

(d) how data subjects are being notified of the data processing.

  2. Have a privacy framework in place to ensure compliance with the Act. Appropriate policies and procedures regarding the collection, processing, retention and disclosure of personal data must be implemented. Where possible, appoint a team to manage issues relating to personal data and compliance with the Act.

  3. Be mindful that even if you have an existing global privacy policy in place, it may need to be reviewed and customised to match the Malaysian requirements. (For example, the Act requires personal data notices to be issued in both English and Malay.)

  4. Key personnel must be trained on the application of the Act. Compliance with the Act is not possible if employees do not understand the purpose of the Act or what they are required to do.

  5. Board-level commitment. Given the severe consequences of non-compliance, it is imperative that senior management sets the tone and “buys in” to the importance of complying with the Act.

  6. Have a system in place to continuously monitor compliance with your personal data policies and procedures, so that any gaps can be identified and addressed quickly.

While the additional obligations and responsibilities under the Act may appear troublesome to some, the Act is the right step towards bringing Malaysia’s personal data protection laws in line with the rest of the world as well as boosting investor confidence.

What is the APEC Privacy Framework and Who has signed up to it?

What is the APEC Privacy Framework and the Cross-Border Privacy Rules, and who has signed up to them?

The APEC Privacy Framework is a set of principles and implementation requirements created to enable effective privacy protections that avoid barriers to information flows, which are vital to global data exchange, and to ensure ongoing trade and economic growth in the Asia Pacific Economic Cooperation region of 27 countries. The APEC Privacy Framework set in motion the process of creating the APEC Cross-Border Privacy Rules system.

The Cross-Border Privacy Rules (CBPR) system has now been formally joined by the United States, Canada, Japan and Mexico, with more nations soon to follow. The CBPR program is comparable to the EU-U.S. Privacy Shield in that both provide a means for self-assessment, compliance review, recognition/acceptance and dispute resolution/enforcement. Both systems require each country to designate a data protection authority (the U.S. enforcement authority is the Federal Trade Commission).

Unlike the GDPR, which is a directly applicable regulation, the CBPR system does not replace or alter a member country’s domestic laws and regulations. Where a country has no applicable domestic privacy protection requirements, the CBPR system is intended to provide a minimum level of data protection.

The privacy enforcement authorities of a country that takes part in the system should have the ability to take enforcement actions under applicable domestic laws and regulations that have the effect of protecting personal information consistent with the CBPR program requirements. 

As trade and cross-border data agreements grow exponentially, global organisations cannot simply rely on being compliant with local privacy laws. Privacy compliance must now be thought of as a global umbrella, with compliance with many regional and country laws nestling beneath it.

Relentless Global Privacy Services helps clients navigate the tough world of privacy regulations.

Let’s take a deep dive into the framework and how it compares to the GDPR.

APEC Privacy Framework (or CBPRs) compared with the GDPR

Purpose

APEC: To develop effective privacy protections that avoid barriers to information flows, and ensure continued trade and economic growth in the APEC region.

GDPR: To enable the free movement of personal data within the Union while protecting the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

Material scope

APEC: Applies to persons or organizations in the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information.

GDPR: Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.

Territorial scope

APEC: Applies to the same extent that the laws of each member country apply.

GDPR: Applies to processing that takes place in the Union, or by a processor who has an establishment in the Union within the context of activities in the Union, or to processing activities that are related to the offering of goods and services to (or behavioural monitoring of) data subjects in the Union.

Personal information

APEC: Personal information means any information about an identified or identifiable individual (effectively the same definition as the GDPR).

GDPR: Personal data means any information relating to an identified or identifiable natural person.

Data controller

APEC: Personal information controller means a person or organization who controls the collection, holding, processing or use of personal information.

GDPR: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processors

APEC: The APEC Privacy Framework and CBPRs do not apply to processors, only controllers.

GDPR: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Publicly available information

APEC: The APEC Privacy Framework has limited application to publicly available information. Notice and choice requirements, in particular, are often superfluous where the information is already publicly available and the personal information controller does not collect the information directly from the individual concerned.

GDPR: The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Permitted member country variations (derogations)

APEC: Economies implementing the framework at a domestic level may adopt suitable exceptions to scope that suit their particular domestic circumstances. The framework is not intended to impede governmental activities authorised by law when taken to protect national security, public safety, national sovereignty or other public policy.

GDPR: Member States have discretion in a number of subject areas, including: supervisory authority; sanctions; demonstrating compliance; data protection officers; archiving and research; third-country transfers; sensitive personal data and exceptions; criminal convictions; rights and remedies; processing of children’s personal data by online services; freedom of expression in the media; processing of data; restrictions; and rules surrounding churches and religious associations. Exceptions to general GDPR applicability also exist for national security, public safety and police powers.

Preventing harm principle

APEC: Recognising the interests of the individual in legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information.

GDPR: Protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

Notice

APEC: Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information. All reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of collection of personal information. Otherwise, such notice should be provided as soon after as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information. Where personal information is not obtained directly from the individual but from a third party, it may not be practicable to give notice at or before the time of collection of the information.

GDPR: If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Collection limitation

APEC: The collection of personal information should be limited to information that is relevant to the purposes of collection, and any such information should be obtained by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.

GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Use limitation

APEC: Personal information collected should be used only to fulfil the purposes of collection and other compatible or related purposes except: (a) with the consent of the individual whose personal information is collected; (b) when necessary to provide a service or product requested by the individual; or (c) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.

GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Choice and consent

APEC: Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information.

GDPR: Permits the use of health-related personal data with explicit consent from the subject, unless reliance on consent is prohibited by EU or Member State law. “Explicit consent” must meet a higher standard than consent for the processing of other forms of personal data: an individual must be clearly informed of the use of their data and take an affirmative action to demonstrate their consent. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data integrity

APEC: Personal information should be accurate, complete and kept up to date to the extent necessary for the purposes of use.

GDPR: Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Security safeguards

APEC: Personal information controllers should protect the personal information that they hold with appropriate safeguards against risks such as loss or unauthorised access to personal information, or unauthorised destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.

GDPR: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Access and correction

APEC: Individuals should be able to obtain from the personal information controller confirmation of whether or not the personal information controller holds personal information about them, have access to information held about them, challenge the accuracy of information relating to them, and have the information rectified, completed, amended or deleted. All of the above rights are subject to a balancing of the burden or expense of compliance, legal or security reasons, the protection of commercial information, and the protection of the privacy rights of persons other than the affected individual.

GDPR: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and to access the personal data and information about the processing, including: what categories of data are processed, the recipients of the data, the rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, and whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).

Accountability

APEC: A personal information controller should be accountable for complying with measures that give effect to the Principles stated above.

GDPR: The controller shall be responsible for, and be able to demonstrate compliance with, the principles of the processing of personal data under the GDPR.

Transfer of personal data to another person or country

APEC: When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.

GDPR: When a controller sends data to another party to be processed, that party is a processor and therefore must be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection, or where protected by binding corporate rules, approved model clauses, or binding agreements combined with an approved code of conduct or approved certification.

Breach definition

APEC: There is no specified definition of breach under the APEC Privacy Framework or CBPRs.

GDPR: Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Breach notification

APEC: The APEC Privacy Framework does not directly address breach, but the principles support notification. The Cross-Border Privacy Rules (CBPR), to which APEC economies must bind themselves in order to join, require that member countries impose rules requiring data controllers to contractually protect data by requiring notification to themselves by data processors, agents, contractors or other service providers. The CBPRs do not require that member countries impose mandatory notification of breach to privacy enforcement authorities or data subjects.

GDPR: The GDPR requires assessment of data incidents and prompt notification of breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.

Breach mitigation

APEC: (See above.) The APEC Privacy Framework requires appropriate safeguards. The CBPRs require the applicant country to describe how it enforces a requirement to have technical (authentication and access control, encryption, firewalls and intrusion detection, audit logging, monitoring, etc.) and administrative (training, policies, enforcement, etc.) safeguards.

GDPR: Notification to data subjects is not required if:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.